- update php 5.2 backports from http://centos.alt.ru/repository/centos/5/SRPMS/php...
authorElan Ruusamäe <glen@pld-linux.org>
Wed, 8 Feb 2012 12:41:59 +0000 (12:41 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
  this includes CVE-2011-0421 CVE-2011-4566 CVE-2012-0830

Changed files:
    php-5.2.17-CVE-2011-0421.patch -> 1.1.2.1
    php-5.2.17-CVE-2011-4566.patch -> 1.1.2.1
    php-5.2.17-bug-323007-2.patch -> 1.1.2.1
    php-5.2.17-bug-43200.patch -> 1.1.2.1
    php-5.2.17-bug-52461.patch -> 1.1.2.1
    php-5.2.17-bug-52624.patch -> 1.1.2.1
    php-5.2.17-bug-54682.patch -> 1.1.2.1
    php-5.2.17-bug-55273.patch -> 1.1.2.1
    php-5.2.17-bug-55366.patch -> 1.1.2.1
    php-5.2.17-bug-55478.patch -> 1.1.2.1
    php-5.2.17-bug-55504.patch -> 1.1.2.1
    php-5.2.17-bug-55509.patch -> 1.1.2.1
    php-5.2.17-bug-55674.patch -> 1.1.2.1
    php-5.2.17-bug-60120.patch -> 1.1.2.1
    php-5.2.17-bug-60138.patch -> 1.1.2.1
    php-5.2.17-bug-60183.patch -> 1.1.2.1
    php-5.2.17-bug-60206.patch -> 1.1.2.1
    php-5.2.17-bug-60455.patch -> 1.1.2.1
    php-5.2.17-max-input-vars.patch -> 1.1.2.1
    php.spec -> 1.805.2.98

20 files changed:
php-5.2.17-CVE-2011-0421.patch [new file with mode: 0644]
php-5.2.17-CVE-2011-4566.patch [new file with mode: 0644]
php-5.2.17-bug-323007-2.patch [new file with mode: 0644]
php-5.2.17-bug-43200.patch [new file with mode: 0644]
php-5.2.17-bug-52461.patch [new file with mode: 0644]
php-5.2.17-bug-52624.patch [new file with mode: 0644]
php-5.2.17-bug-54682.patch [new file with mode: 0644]
php-5.2.17-bug-55273.patch [new file with mode: 0644]
php-5.2.17-bug-55366.patch [new file with mode: 0644]
php-5.2.17-bug-55478.patch [new file with mode: 0644]
php-5.2.17-bug-55504.patch [new file with mode: 0644]
php-5.2.17-bug-55509.patch [new file with mode: 0644]
php-5.2.17-bug-55674.patch [new file with mode: 0644]
php-5.2.17-bug-60120.patch [new file with mode: 0644]
php-5.2.17-bug-60138.patch [new file with mode: 0644]
php-5.2.17-bug-60183.patch [new file with mode: 0644]
php-5.2.17-bug-60206.patch [new file with mode: 0644]
php-5.2.17-bug-60455.patch [new file with mode: 0644]
php-5.2.17-max-input-vars.patch [new file with mode: 0644]
php.spec

diff --git a/php-5.2.17-CVE-2011-0421.patch b/php-5.2.17-CVE-2011-0421.patch
new file mode 100644 (file)
index 0000000..e7b3334
--- /dev/null
@@ -0,0 +1,13 @@
+--- PHP_5_3/ext/zip/lib/zip_name_locate.c      2011/01/30 22:16:39     307866
++++ PHP_5_3/ext/zip/lib/zip_name_locate.c      2011/01/30 22:28:57     307867
+@@ -60,6 +60,10 @@
+       return -1;
+     }
++    if((flags & ZIP_FL_UNCHANGED)  && !za->cdir) {
++      return -1;
++    }
++
+     cmp = (flags & ZIP_FL_NOCASE) ? strcmpi : strcmp;
+     n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;
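Review bot: The added guard `if((flags & ZIP_FL_UNCHANGED)  && !za->cdir)` returns -1 with no comment saying when `za->cdir` can be NULL, and as far as the hunk shows it records no error on the archive. Whether the preceding `return -1` branch sets one is not visible, because its body starts above the hunk. I would add `/* ZIP_FL_UNCHANGED reads za->cdir->nentry below; bail out when no central directory is loaded */` above the check. I would also normalise the spacing to `if ((flags & ZIP_FL_UNCHANGED) && !za->cdir) {`. The enclosing function starts and ends outside the hunk.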
diff --git a/php-5.2.17-CVE-2011-4566.patch b/php-5.2.17-CVE-2011-4566.patch
new file mode 100644 (file)
index 0000000..34070e9
--- /dev/null
@@ -0,0 +1,17 @@
+diff -up php-5.2.17/ext/exif/exif.c.CVE-2011-4566 php-5.2.17/ext/exif/exif.c
+--- php-5.2.17/ext/exif/exif.c.CVE-2011-4566   2012-01-11 15:00:23.000000000 +0700
++++ php-5.2.17/ext/exif/exif.c 2012-01-11 15:02:25.000000000 +0700
+@@ -2873,11 +2873,11 @@ static int exif_process_IFD_TAG(image_in
+               offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
+               /* If its bigger than 4 bytes, the dir entry contains an offset. */
+               value_ptr = offset_base+offset_val;
+-              if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) {
++              if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
+                       /* It is important to check for IMAGE_FILETYPE_TIFF
+                        * JPEG does not use absolute pointers instead its pointers are
+                        * relative to the start of the TIFF header in APP1 section. */
+-                      if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
++                      if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
+                               if (value_ptr < dir_entry) {
+                                       /* we can read this if offset_val > 0 */
+                                       /* some files have their values in other parts of the file */
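Review bot: The rewritten comparisons (`byte_count > IFDlength || offset_val > IFDlength-byte_count`) are only overflow-safe if `byte_count`, `offset_val` and `IFDlength` are unsigned and the first test short-circuits before the subtraction. Their declarations are outside the hunk, so that should be stated next to the check, e.g. `/* unsigned arithmetic: IFDlength-byte_count is evaluated only after byte_count <= IFDlength */`. Separately, `value_ptr = offset_base+offset_val;` still forms a pointer from the unvalidated offset one line before the check, and the condition keeps relying on `value_ptr < dir_entry`, which is a pointer comparison that may already be out of range. How `byte_count` itself is computed is not visible here, so an overflow in that multiplication would not be covered by this change. The body of exif_process_IFD_TAG continues outside the hunk.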
diff --git a/php-5.2.17-bug-323007-2.patch b/php-5.2.17-bug-323007-2.patch
new file mode 100644 (file)
index 0000000..46fe750
--- /dev/null
@@ -0,0 +1,24 @@
+diff -up php-5.2.17/main/php_variables.c.bug-323007 php-5.2.17/main/php_variables.c
+--- php-5.2.17/main/php_variables.c.bug-323007 2012-02-03 12:12:09.000000000 +0700
++++ php-5.2.17/main/php_variables.c    2012-02-03 13:17:16.000000000 +0700
+@@ -187,12 +187,17 @@ PHPAPI void php_register_variable_ex(cha
+                               }
+                               if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
+                                       || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
+-                                      if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
+-                                              php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+-                                      }
++                                      if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
++                                          if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
++                                              php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++                                          }
+                                       MAKE_STD_ZVAL(gpc_element);
+                                       array_init(gpc_element);
+                                       zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++                                      } else {
++                                  efree(var_orig);
++                                  return;
++                                      }
+                               }
+                               if (index != escaped_index) {
+                                       efree(escaped_index);
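Review bot: The new `else` branch frees `var_orig` and returns, which skips the `if (index != escaped_index) { efree(escaped_index); }` cleanup shown just below it, so an escaped index would be left unfreed on that path. I would put that same `efree(escaped_index)` guard ahead of `efree(var_orig); return;`. The limit also looks off by one: when the count equals `PG(max_input_vars)` the warning says the limit was exceeded, yet the element is still created, so the table can grow to max_input_vars + 1 before the `else` branch is taken. The added lines mix tabs and spaces against the surrounding tab indentation. The function continues outside the hunk, so any other resources held at this point (for example the value being registered) cannot be checked from here.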
diff --git a/php-5.2.17-bug-43200.patch b/php-5.2.17-bug-43200.patch
new file mode 100644 (file)
index 0000000..5a16b39
--- /dev/null
@@ -0,0 +1,13 @@
+diff -up php-5.2.17/Zend/zend_compile.c.bug-43200 php-5.2.17/Zend/zend_compile.c
+--- php-5.2.17/Zend/zend_compile.c.bug-43200   2012-01-12 11:26:42.000000000 +0700
++++ php-5.2.17/Zend/zend_compile.c     2012-01-12 11:26:51.000000000 +0700
+@@ -2080,7 +2080,8 @@ static zend_bool do_inherit_method_check
+               return 1; /* method doesn't exist in child, copy from parent */
+       }
+-      if (parent->common.fn_flags & ZEND_ACC_ABSTRACT
++      if ((parent->common.scope->ce_flags & ZEND_ACC_INTERFACE) == 0
++              && parent->common.fn_flags & ZEND_ACC_ABSTRACT
+               && parent->common.scope != (child->common.prototype ? child->common.prototype->common.scope : child->common.scope)
+               && child->common.fn_flags & (ZEND_ACC_ABSTRACT|ZEND_ACC_IMPLEMENTED_ABSTRACT)) {
+               zend_error(E_COMPILE_ERROR, "Can't inherit abstract function %s::%s() (previously declared abstract in %s)", 
diff --git a/php-5.2.17-bug-52461.patch b/php-5.2.17-bug-52461.patch
new file mode 100644 (file)
index 0000000..334f8b2
--- /dev/null
@@ -0,0 +1,12 @@
+diff -up php-5.2.17/ext/standard/info.c.bug-52461 php-5.2.17/ext/standard/info.c
+--- php-5.2.17/ext/standard/info.c.bug-52461   2012-01-12 10:23:00.000000000 +0700
++++ php-5.2.17/ext/standard/info.c     2012-01-12 10:23:27.000000000 +0700
+@@ -415,7 +415,7 @@ PHPAPI void php_print_info_htmlhead(TSRM
+       PUTS("<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"DTD/xhtml1-transitional.dtd\">\n");
+-      PUTS("<html>");
++      PUTS("<html xmlns=\"http://www.w3.org/1999/xhtml\">>");
+       PUTS("<head>\n");
+       php_info_print_style(TSRMLS_C);
+       PUTS("<title>phpinfo()</title>");
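Review bot: The replacement string ends in `>>`, so phpinfo() output gets a stray `>` character right after the opening `<html>` tag. The line should read `PUTS("<html xmlns=\"http://www.w3.org/1999/xhtml\">");`.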
diff --git a/php-5.2.17-bug-52624.patch b/php-5.2.17-bug-52624.patch
new file mode 100644 (file)
index 0000000..3c9a077
--- /dev/null
@@ -0,0 +1,12 @@
+diff -up php-5.2.17/ext/standard/file.c.bug-52624 php-5.2.17/ext/standard/file.c
+--- php-5.2.17/ext/standard/file.c.bug-52624   2012-01-12 11:20:05.000000000 +0700
++++ php-5.2.17/ext/standard/file.c     2012-01-12 11:21:32.000000000 +0700
+@@ -842,7 +842,7 @@ PHP_FUNCTION(tempnam)
+               p[63] = '\0';
+       }
+-      if ((fd = php_open_temporary_fd(d, p, &opened_path TSRMLS_CC)) >= 0) {
++      if ((fd = php_open_temporary_fd_ex(d, p, &opened_path,1 TSRMLS_CC)) >= 0) {
+               close(fd);
+               RETVAL_STRING(opened_path, 0);
+       } else {
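Review bot: The bare `1` passed to `php_open_temporary_fd_ex` carries the whole meaning of this change and is unexplained. Presumably it is the flag that makes the helper apply the open_basedir check to the target directory, which should be confirmed against the helper's prototype in this 5.2.17 tree, and likewise that the `_ex` variant is declared there at all. I would write the call as `php_open_temporary_fd_ex(d, p, &opened_path, 1 /* open_basedir_check */ TSRMLS_CC)`, which also restores the missing space after the comma. The PHP_FUNCTION(tempnam) body starts and ends outside the hunk.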
diff --git a/php-5.2.17-bug-54682.patch b/php-5.2.17-bug-54682.patch
new file mode 100644 (file)
index 0000000..f25e172
--- /dev/null
@@ -0,0 +1,12 @@
+diff -up php-5.2.17/ext/tidy/tidy.c.bug-54682 php-5.2.17/ext/tidy/tidy.c
+--- php-5.2.17/ext/tidy/tidy.c.bug-54682       2012-01-12 11:42:01.000000000 +0700
++++ php-5.2.17/ext/tidy/tidy.c 2012-01-12 11:42:17.000000000 +0700
+@@ -1178,7 +1178,7 @@ static PHP_FUNCTION(tidy_diagnose)
+ {
+       TIDY_FETCH_OBJECT;
+-      if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
++      if (tidyStatus(obj->ptdoc->doc) != 0 && tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
+               tidy_doc_update_properties(obj TSRMLS_CC);
+               RETURN_TRUE;
+       }
diff --git a/php-5.2.17-bug-55273.patch b/php-5.2.17-bug-55273.patch
new file mode 100644 (file)
index 0000000..1de498a
--- /dev/null
@@ -0,0 +1,20 @@
+diff -up php-5.2.17/ext/standard/base64.c.bug-55273 php-5.2.17/ext/standard/base64.c
+--- php-5.2.17/ext/standard/base64.c.bug-55273 2012-01-12 10:45:40.000000000 +0700
++++ php-5.2.17/ext/standard/base64.c   2012-01-12 10:47:32.000000000 +0700
+@@ -154,7 +154,15 @@ PHPAPI unsigned char *php_base64_decode_
+       /* run through the whole string, converting as we go */
+       while ((ch = *current++) != '\0' && length-- > 0) {
+               if (ch == base64_pad) {
+-                      if (*current != '=' && (i % 4) == 1) {
++                      if (*current != '=' && ((i % 4) == 1 || (strict && length > 0))) {
++                              if ((i % 4) != 1) {
++                                      while (isspace(*(++current))) {
++                                              continue;
++                                      }
++                                      if (*current == '\0') {
++                                              continue;
++                                      }
++                              }
+                               efree(result);
+                               return NULL;
+                       }
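Review bot: The added whitespace-skipping loop `while (isspace(*(++current)))` never consults or decrements `length`, unlike the enclosing loop that bounds every read by it. It therefore keeps reading until it meets a non-space byte and depends entirely on the input being NUL-terminated. The pre-increment also steps over the byte that was just compared against `'='` without checking that it is whitespace, so in strict mode a single non-space byte directly after the pad appears to be accepted when it is the last byte of the input. I would bound the skip by `length`, count the consumed bytes, and test the current byte before advancing; at minimum add `/* relies on a NUL terminator: this skip is not bounded by length */`. The function starts and ends outside the hunk.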
diff --git a/php-5.2.17-bug-55366.patch b/php-5.2.17-bug-55366.patch
new file mode 100644 (file)
index 0000000..77aa90e
--- /dev/null
@@ -0,0 +1,29 @@
+diff -up php-5.2.17/ext/standard/string.c.bug-55366 php-5.2.17/ext/standard/string.c
+--- php-5.2.17/ext/standard/string.c.bug-55366 2012-01-12 10:35:09.000000000 +0700
++++ php-5.2.17/ext/standard/string.c   2012-01-12 10:36:38.000000000 +0700
+@@ -2462,6 +2462,10 @@ PHP_FUNCTION(substr_replace)
+                       RETURN_STRINGL(Z_STRVAL_PP(str), Z_STRLEN_PP(str), 1);  
+               }
+       } else { /* str is array of strings */
++              char *str_index = NULL;
++              uint str_index_len;
++              ulong num_index;
++
+               array_init(return_value);
+               if (Z_TYPE_PP(from) == IS_ARRAY) {
+@@ -2599,7 +2603,13 @@ PHP_FUNCTION(substr_replace)
+                       }
+                       result[result_len] = '\0';
+-                      add_next_index_stringl(return_value, result, result_len, 0);
++
++                      if (zend_hash_get_current_key_ex(Z_ARRVAL_PP(str), &str_index, &str_index_len, &num_index, 0, &pos_str) == HASH_KEY_IS_STRING) {
++                              add_assoc_stringl_ex(return_value, str_index, str_index_len, result, result_len, 0);
++                      } else {
++                              add_index_stringl(return_value, num_index, result, result_len, 0);
++                      }
++
+                       if(Z_TYPE_PP(tmp_str) != IS_STRING) {
+                               zval_dtor(orig_str);
+                       }
diff --git a/php-5.2.17-bug-55478.patch b/php-5.2.17-bug-55478.patch
new file mode 100644 (file)
index 0000000..6c15576
--- /dev/null
@@ -0,0 +1,12 @@
+diff -up php-5.2.17/ext/filter/logical_filters.c.bug-55478 php-5.2.17/ext/filter/logical_filters.c
+--- php-5.2.17/ext/filter/logical_filters.c.bug-55478  2012-01-12 12:35:32.000000000 +0700
++++ php-5.2.17/ext/filter/logical_filters.c    2012-01-12 12:36:11.000000000 +0700
+@@ -522,7 +522,7 @@ void php_filter_validate_email(PHP_INPUT
+        * Feel free to use and redistribute this code. But please keep this copyright notice.
+        *
+        */
+-      const char regexp[] = "/^(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){255,})(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){65,}@)(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22))(?:\\.(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-[a-z0-9]+)*\\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-[a-z0-9]+)*)|(?:\\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\\]))$/iD";
++      const char regexp[] = "/^(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){255,})(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){65,}@)(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22))(?:\\.(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-+[a-z0-9]+)*\\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-+[a-z0-9]+)*)|(?:\\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\\]))$/iD";
+       pcre       *re = NULL;
+       pcre_extra *pcre_extra = NULL;
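Review bot: The only difference between the old and new `regexp` literal appears to be `(?:-[a-z0-9]+)*` becoming `(?:-+[a-z0-9]+)*` in the two domain-label groups, which is close to impossible to spot in a single line of this length and is not mentioned anywhere in the code. Since this string decides what the e-mail validator accepts, I would record the widening next to it, e.g. `/* domain labels: "-+" allows consecutive hyphens inside a label (bug 55478) */`. I would also add a regression case covering a label with a double hyphen, plus leading and trailing hyphens that must still be rejected. The rest of php_filter_validate_email is outside the hunk.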
diff --git a/php-5.2.17-bug-55504.patch b/php-5.2.17-bug-55504.patch
new file mode 100644 (file)
index 0000000..4a77e8b
--- /dev/null
@@ -0,0 +1,12 @@
+diff -up php-5.2.17/main/rfc1867.c.bug-55504 php-5.2.17/main/rfc1867.c
+--- php-5.2.17/main/rfc1867.c.bug-55504        2012-01-12 10:13:38.000000000 +0700
++++ php-5.2.17/main/rfc1867.c  2012-01-12 10:14:14.000000000 +0700
+@@ -817,7 +817,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
+               }
+       } else {
+               /* search for the end of the boundary */
+-              boundary_end = strchr(boundary, ',');
++              boundary_end = strpbrk(boundary, ",;");
+       }
+       if (boundary_end) {
+               boundary_end[0] = '\0';
diff --git a/php-5.2.17-bug-55509.patch b/php-5.2.17-bug-55509.patch
new file mode 100644 (file)
index 0000000..f6479d1
--- /dev/null
@@ -0,0 +1,12 @@
+diff -up php-5.2.17/Zend/zend_alloc.c.bug-55509 php-5.2.17/Zend/zend_alloc.c
+--- php-5.2.17/Zend/zend_alloc.c.bug-55509     2012-01-12 09:58:25.000000000 +0700
++++ php-5.2.17/Zend/zend_alloc.c       2012-01-12 09:59:26.000000000 +0700
+@@ -491,7 +491,7 @@ static unsigned int _zend_mm_cookie = 0;
+ #define ZEND_MM_IS_GUARD_BLOCK(b)             (((b)->info._size & ZEND_MM_TYPE_MASK) == ZEND_MM_GUARD_BLOCK)
+ #define ZEND_MM_NEXT_BLOCK(b)                 ZEND_MM_BLOCK_AT(b, ZEND_MM_BLOCK_SIZE(b))
+-#define ZEND_MM_PREV_BLOCK(b)                 ZEND_MM_BLOCK_AT(b, -(int)((b)->info._prev & ~ZEND_MM_TYPE_MASK))
++#define ZEND_MM_PREV_BLOCK(b)                 ZEND_MM_BLOCK_AT(b, -(ssize_t)((b)->info._prev & ~ZEND_MM_TYPE_MASK))
+ #define ZEND_MM_PREV_BLOCK_IS_FREE(b) (!((b)->info._prev & ZEND_MM_USED_BLOCK))
diff --git a/php-5.2.17-bug-55674.patch b/php-5.2.17-bug-55674.patch
new file mode 100644 (file)
index 0000000..b84b8a6
--- /dev/null
@@ -0,0 +1,12 @@
+diff -up php-5.2.17/ext/standard/file.c.bug-55674 php-5.2.17/ext/standard/file.c
+--- php-5.2.17/ext/standard/file.c.bug-55674   2012-01-12 09:39:13.000000000 +0700
++++ php-5.2.17/ext/standard/file.c     2012-01-12 09:39:28.000000000 +0700
+@@ -2156,7 +2156,7 @@ PHPAPI void php_fgetcsv(php_stream *stre
+               inc_len = (bptr < limit ? (*bptr == '\0' ? 1: php_mblen(bptr, limit - bptr)): 0);
+               if (inc_len == 1) {
+                       char *tmp = bptr;
+-                      while (isspace((int)*(unsigned char *)tmp)) {
++                      while ((*tmp != delimiter) && isspace((int)*(unsigned char *)tmp)) {
+                               tmp++;
+                       }
+                       if (*tmp == enclosure) {
diff --git a/php-5.2.17-bug-60120.patch b/php-5.2.17-bug-60120.patch
new file mode 100644 (file)
index 0000000..25dc828
--- /dev/null
@@ -0,0 +1,12 @@
+diff -up php-5.2.17/ext/standard/proc_open.c.bug-60120 php-5.2.17/ext/standard/proc_open.c
+--- php-5.2.17/ext/standard/proc_open.c.bug-60120      2012-01-12 09:22:27.000000000 +0700
++++ php-5.2.17/ext/standard/proc_open.c        2012-01-12 09:22:47.000000000 +0700
+@@ -453,7 +453,7 @@ PHP_FUNCTION(proc_get_status)
+ /* {{{ handy definitions for portability/readability */
+ #ifdef PHP_WIN32
+-# define pipe(pair)           (CreatePipe(&pair[0], &pair[1], &security, 2048L) ? 0 : -1)
++# define pipe(pair)           (CreatePipe(&pair[0], &pair[1], &security, 0) ? 0 : -1)
+ # define COMSPEC_NT   "cmd.exe"
+ # define COMSPEC_9X   "command.com"
diff --git a/php-5.2.17-bug-60138.patch b/php-5.2.17-bug-60138.patch
new file mode 100644 (file)
index 0000000..6c2404e
--- /dev/null
@@ -0,0 +1,19 @@
+diff -up php-5.2.17/Zend/zend_execute_API.c.bug-60138 php-5.2.17/Zend/zend_execute_API.c
+--- php-5.2.17/Zend/zend_execute_API.c.bug-60138       2012-01-12 09:18:41.000000000 +0700
++++ php-5.2.17/Zend/zend_execute_API.c 2012-01-12 09:19:13.000000000 +0700
+@@ -935,10 +935,11 @@ int zend_call_function(zend_fcall_info *
+                       && (EX(function_state).function->common.fn_flags & ZEND_ACC_CALL_VIA_HANDLER) == 0
+                       && !ARG_SHOULD_BE_SENT_BY_REF(EX(function_state).function, i + 1)
+                       && PZVAL_IS_REF(*fci->params[i])) {
+-                      SEPARATE_ZVAL(fci->params[i]);
+-              }
+-
+-              if (ARG_SHOULD_BE_SENT_BY_REF(EX(function_state).function, i+1)
++                      ALLOC_ZVAL(param);
++                      *param = **(fci->params[i]);
++                      INIT_PZVAL(param);
++                      zval_copy_ctor(param);
++              } else if (ARG_SHOULD_BE_SENT_BY_REF(EX(function_state).function, i + 1)
+                       && !PZVAL_IS_REF(*fci->params[i])) {
+                       if ((*fci->params[i])->refcount>1) {
+                               zval *new_zval;
diff --git a/php-5.2.17-bug-60183.patch b/php-5.2.17-bug-60183.patch
new file mode 100644 (file)
index 0000000..1fb2d15
--- /dev/null
@@ -0,0 +1,13 @@
+diff -up php-5.2.17/ext/ftp/ftp.c.bug-60183 php-5.2.17/ext/ftp/ftp.c
+--- php-5.2.17/ext/ftp/ftp.c.bug-60183 2012-01-12 12:04:18.000000000 +0700
++++ php-5.2.17/ext/ftp/ftp.c   2012-01-12 12:04:40.000000000 +0700
+@@ -1122,6 +1122,9 @@ ftp_putcmd(ftpbuf_t *ftp, const char *cm
+       data = ftp->outbuf;
++      /* Clear the extra-lines buffer */
++      ftp->extra = NULL;
++
+       if (my_send(ftp, ftp->fd, data, size) != size) {
+               return 0;
+       }
diff --git a/php-5.2.17-bug-60206.patch b/php-5.2.17-bug-60206.patch
new file mode 100644 (file)
index 0000000..9faf580
--- /dev/null
@@ -0,0 +1,48 @@
+diff -up php-5.2.17/sapi/apache2filter/sapi_apache2.c.bug-60206 php-5.2.17/sapi/apache2filter/sapi_apache2.c
+--- php-5.2.17/sapi/apache2filter/sapi_apache2.c.bug-60206     2012-01-12 09:06:47.000000000 +0700
++++ php-5.2.17/sapi/apache2filter/sapi_apache2.c       2012-01-12 09:06:59.000000000 +0700
+@@ -404,7 +404,7 @@ static void php_apache_request_ctor(ap_f
+       efree(content_type);
+       content_length = (char *) apr_table_get(f->r->headers_in, "Content-Length");
+-      SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
++      SG(request_info).content_length = (content_length ? atol(content_length) : 0);
+       
+       apr_table_unset(f->r->headers_out, "Content-Length");
+       apr_table_unset(f->r->headers_out, "Last-Modified");
+diff -up php-5.2.17/sapi/apache2handler/sapi_apache2.c.bug-60206 php-5.2.17/sapi/apache2handler/sapi_apache2.c
+--- php-5.2.17/sapi/apache2handler/sapi_apache2.c.bug-60206    2012-01-12 09:07:37.000000000 +0700
++++ php-5.2.17/sapi/apache2handler/sapi_apache2.c      2012-01-12 09:07:46.000000000 +0700
+@@ -454,7 +454,7 @@ static int php_apache_request_ctor(reque
+       r->no_local_copy = 1;
+       content_length = (char *) apr_table_get(r->headers_in, "Content-Length");
+-      SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
++      SG(request_info).content_length = (content_length ? atol(content_length) : 0);
+       apr_table_unset(r->headers_out, "Content-Length");
+       apr_table_unset(r->headers_out, "Last-Modified");
+diff -up php-5.2.17/sapi/apache_hooks/mod_php5.c.bug-60206 php-5.2.17/sapi/apache_hooks/mod_php5.c
+--- php-5.2.17/sapi/apache_hooks/mod_php5.c.bug-60206  2012-01-12 09:08:19.000000000 +0700
++++ php-5.2.17/sapi/apache_hooks/mod_php5.c    2012-01-12 09:08:26.000000000 +0700
+@@ -571,7 +571,7 @@ static void init_request_info(TSRMLS_D)
+       SG(request_info).request_method = (char *)r->method;
+       SG(request_info).proto_num = r->proto_num;
+       SG(request_info).content_type = (char *) table_get(r->subprocess_env, "CONTENT_TYPE");
+-      SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
++      SG(request_info).content_length = (content_length ? atol(content_length) : 0);
+       SG(sapi_headers).http_response_code = r->status;
+       if (r->headers_in) {
+diff -up php-5.2.17/sapi/apache/mod_php5.c.bug-60206 php-5.2.17/sapi/apache/mod_php5.c
+--- php-5.2.17/sapi/apache/mod_php5.c.bug-60206        2012-01-12 09:05:59.000000000 +0700
++++ php-5.2.17/sapi/apache/mod_php5.c  2012-01-12 09:06:19.000000000 +0700
+@@ -513,7 +513,7 @@ static void init_request_info(TSRMLS_D)
+       SG(request_info).request_uri = r->uri;
+       SG(request_info).request_method = (char *)r->method;
+       SG(request_info).content_type = (char *) table_get(r->subprocess_env, "CONTENT_TYPE");
+-      SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
++      SG(request_info).content_length = (content_length ? atol(content_length) : 0);
+       SG(sapi_headers).http_response_code = r->status;
+       SG(request_info).proto_num = r->proto_num;
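Review bot: `atol()` on the client-supplied Content-Length cannot report overflow, a negative number or trailing garbage, so replacing `atoi()` widens the accepted range without validating it. The same line is changed in all four SAPI hunks of this patch (apache2filter, apache2handler, apache_hooks, apache). A checked parse would be `errno = 0; cl = strtol(content_length, &end, 10);` followed by `if (end == content_length || errno == ERANGE || cl < 0) cl = 0;`, with the rejection policy left to the SAPI. Where `long` is 32 bits wide the change has no effect on large bodies. The enclosing functions start and end outside the hunks.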
diff --git a/php-5.2.17-bug-60455.patch b/php-5.2.17-bug-60455.patch
new file mode 100644 (file)
index 0000000..6657601
--- /dev/null
@@ -0,0 +1,12 @@
+diff -up php-5.2.17/main/streams/streams.c.bug-60455 php-5.2.17/main/streams/streams.c
+--- php-5.2.17/main/streams/streams.c.bug-60455        2012-01-12 11:50:11.000000000 +0700
++++ php-5.2.17/main/streams/streams.c  2012-01-12 11:50:55.000000000 +0700
+@@ -879,7 +879,7 @@ PHPAPI char *php_stream_get_record(php_s
+               just_read = (stream->writepos - stream->readpos) - len;
+               len += just_read;
+-              if (just_read < toread) {
++              if (just_read == 0) {
+                       break;
+               }
+       }
diff --git a/php-5.2.17-max-input-vars.patch b/php-5.2.17-max-input-vars.patch
new file mode 100644 (file)
index 0000000..b3df4d7
--- /dev/null
@@ -0,0 +1,45 @@
+diff -u -r php-5.2.17/main/main.c php-5.2.17-patched/main/main.c
+--- php-5.2.17/main/main.c     2010-06-20 04:47:24.000000000 +0800
++++ php-5.2.17-patched/main/main.c     2011-12-31 09:59:05.000000000 +0800
+@@ -457,6 +457,7 @@
+       STD_PHP_INI_BOOLEAN("allow_url_fopen",          "1",            PHP_INI_SYSTEM,         OnUpdateBool,           allow_url_fopen,                php_core_globals,       core_globals)
+       STD_PHP_INI_BOOLEAN("allow_url_include",        "0",            PHP_INI_SYSTEM,         OnUpdateBool,           allow_url_include,              php_core_globals,       core_globals)
++      STD_PHP_INI_ENTRY("max_input_vars",         "1000",     PHP_INI_SYSTEM|PHP_INI_PERDIR,      OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals)
+       STD_PHP_INI_BOOLEAN("always_populate_raw_post_data",    "0",    PHP_INI_SYSTEM|PHP_INI_PERDIR,  OnUpdateBool,   always_populate_raw_post_data,  php_core_globals,       core_globals)
+       STD_PHP_INI_ENTRY("realpath_cache_size",        "16K",          PHP_INI_SYSTEM,         OnUpdateLong,   realpath_cache_size_limit,      virtual_cwd_globals,    cwd_globals)
+diff -u -r php-5.2.17/main/php_globals.h php-5.2.17-patched/main/php_globals.h
+--- php-5.2.17/main/php_globals.h      2010-01-03 17:23:27.000000000 +0800
++++ php-5.2.17-patched/main/php_globals.h      2011-12-31 09:59:05.000000000 +0800
+@@ -160,6 +160,7 @@
+       zend_bool com_initialized;
+ #endif
+       long max_input_nesting_level;
++      long max_input_vars;
+       zend_bool in_user_include;
+       zend_bool in_error_log;
+ };
+diff -u -r php-5.2.17/main/php_variables.c php-5.2.17-patched/main/php_variables.c
+--- php-5.2.17/main/php_variables.c    2010-01-03 17:23:27.000000000 +0800
++++ php-5.2.17-patched/main/php_variables.c    2011-12-31 09:59:05.000000000 +0800
+@@ -187,6 +187,9 @@
+                               }
+                               if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
+                                       || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
++                                      if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
++                                              php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++                                      }
+                                       MAKE_STD_ZVAL(gpc_element);
+                                       array_init(gpc_element);
+                                       zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+@@ -232,6 +235,9 @@
+                               zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
+                               zval_ptr_dtor(&gpc_element);
+                       } else {
++                              if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
++                                      php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++                              }
+                               zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+                       }
+                       if (escaped_index != index) {
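Review bot: The second php_variables.c site (`@@ -232,6 +235,9 @@`) raises `E_ERROR` once the count reaches `PG(max_input_vars)`, and php-5.2.17-bug-323007-2.patch on this page only rewrites the `@@ -187` site into a warning plus early return, so after both patches the two paths handle the same condition differently. I would make this site discard the value the same way the branch directly above it does, as sketched below. Both checks count `zend_hash_num_elements(symtable1)`, the table being written at that point, so how nested input is bounded overall depends on code outside these hunks. `OnUpdateLongGEZero` also admits 0, and with `>=` that setting would reject every variable.

```c
			} else {
				if (zend_hash_num_elements(symtable1) < PG(max_input_vars)) {
					zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
				} else {
					php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
					zval_ptr_dtor(&gpc_element);
				}
			}
			/* … unchanged: escaped_index cleanup … */
```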
index 58e4ffe9411b48c9925b342590f8a5e0c4434a74..41bb5fb7bb125ca26e61a7bd0bc60adeb3f1d49f 100644 (file)
--- a/php.spec
+++ b/php.spec
@@ -113,7 +113,7 @@ Summary(ru.UTF-8):  PHP Версии 5 - язык препроцессирова
 Summary(uk.UTF-8):     PHP Версії 5 - мова препроцесування HTML-файлів, виконувана на сервері
 Name:          php
 Version:       5.2.17
-Release:       9
+Release:       10
 Epoch:         4
 License:       PHP
 Group:         Libraries
@@ -202,6 +202,8 @@ Patch202: php-5.2.17-CVE-2011-1938.patch
 Patch203: php-5.2.17-CVE-2011-1148.patch
 Patch204: php-5.2.17-CVE-2011-0708.patch
 Patch205: php-5.2.17-CVE-2011-1092.patch
+Patch206: php-5.2.17-CVE-2011-0421.patch
+
 # Backport from 5.3.6
 Patch301: php-5.3.6-bug-54055.patch
 Patch302: php-5.3.6-bug-53577.patch
@@ -258,6 +260,27 @@ Patch355: php-5.3.7-bug-55323.patch
 Patch356: php-5.3.7-bug-54312.patch
 Patch357: php-5.3.7-bug-51958.patch
 Patch358: php-5.3.7-bug-54946.patch
+# 5.3.9 backport
+Patch359: php-5.2.17-CVE-2011-4566.patch
+Patch360: php-5.2.17-bug-60206.patch
+Patch361: php-5.2.17-bug-60138.patch
+Patch362: php-5.2.17-bug-60120.patch
+Patch363: php-5.2.17-bug-55674.patch
+Patch364: php-5.2.17-bug-55509.patch
+Patch365: php-5.2.17-bug-55504.patch
+Patch366: php-5.2.17-bug-52461.patch
+Patch367: php-5.2.17-bug-55366.patch
+Patch368: php-5.2.17-bug-55273.patch
+Patch369: php-5.2.17-bug-52624.patch
+Patch370: php-5.2.17-bug-43200.patch
+Patch371: php-5.2.17-bug-54682.patch
+Patch372: php-5.2.17-bug-60455.patch
+Patch373: php-5.2.17-bug-60183.patch
+Patch374: php-5.2.17-bug-55478.patch
+
+#php-5.2-max-input-vars patch
+Patch400: php-5.2.17-max-input-vars.patch
+Patch401: php-5.2.17-bug-323007-2.patch
 URL:           http://www.php.net/
 %{?with_interbase:%{!?with_interbase_inst:BuildRequires:       Firebird-devel >= 1.0.2.908-2}}
 %{?with_pspell:BuildRequires:  aspell-devel >= 2:0.50.0}
@@ -1946,6 +1969,7 @@ done
 %patch203 -p1 -b .CVE-2011-1148
 %patch204 -p1 -b .CVE-2011-0708
 %patch205 -p1 -b .CVE-2011-1092
+%patch206 -p1 -b .CVE-2011-0421
 
 # Bugfix backport from 5.3.6
 %patch301 -p1 -b .bug-54055
@@ -2003,6 +2027,25 @@ done
 %patch356 -p1 -b .bug-54312
 %patch357 -p1 -b .bug-51958
 %patch358 -p1 -b .bug-54946
+%patch359 -p1 -b .CVE-2011-4566
+%patch360 -p1 -b .bug-60206
+%patch361 -p1 -b .bug-60138
+%patch362 -p1 -b .bug-60120
+%patch363 -p1 -b .bug-55674
+%patch364 -p1 -b .bug-55509
+%patch365 -p1 -b .bug-55504
+%patch366 -p1 -b .bug-52461
+%patch367 -p1 -b .bug-55366
+%patch368 -p1 -b .bug-55273
+%patch369 -p1 -b .bug-52624
+%patch370 -p1 -b .bug-43200
+%patch371 -p1 -b .bug-54682
+%patch372 -p1 -b .bug-60455
+%patch373 -p1 -b .bug-60183
+%patch374 -p1 -b .bug-55478
+
+%patch400 -p1 -b .php-5.2-max-input-vars
+%patch401 -p1 -b .bug-323007
 
 # conflict seems to be resolved by recode patches
 rm -f ext/recode/config9.m4
@@ -3251,6 +3294,15 @@ fi
 %{php_data_dir}/tests/php/quicktester.inc
 %attr(755,root,root) %{php_data_dir}/tests/php/run-tests.php
 
+# random junk, didn't check, maybe can be just removed
+%{php_data_dir}/tests/php/bin-info.inc
+%{php_data_dir}/tests/php/foo*
+%{php_data_dir}/tests/php/odbc*.php
+%{php_data_dir}/tests/php/recurse
+%{php_data_dir}/tests/php/run.*
+%{php_data_dir}/tests/php/scan_cases
+%{php_data_dir}/tests/php/test*
+
 %if %{with tidy}
 %files tidy
 %defattr(644,root,root,755)
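Review bot: The added `%files` globs (`foo*`, `test*`, `run.*`, `odbc*.php`) package whatever the build leaves under `tests/php`, and the accompanying comment says the files were not checked, so the package contents are not pinned to a reviewed list. I would either list the files explicitly or remove them in `%install`. Until then the comment could say `# TODO: unreviewed test-suite leftovers; list explicitly or delete in %install`.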