[pull] master from php:master

ext/phar/phar_object.c

@@ -703,11 +703,6 @@ PHP_METHOD(Phar, webPhar)
 			goto cleanup_fail;
 		}
 
-		if (Z_TYPE_P(rewrite_fci.retval) == IS_UNDEF || Z_TYPE(retval) == IS_UNDEF) {
-			zend_throw_exception_ex(phar_ce_PharException, 0, "phar error: rewrite callback must return a string or false");
-			goto cleanup_fail;
-		}
-
 		switch (Z_TYPE(retval)) {
 			case IS_STRING:
 				efree(entry);
@@ -3174,12 +3169,14 @@ static int phar_test_compression(zval *zv, void *argument) /* {{{ */
 	if (!PHAR_G(has_bz2)) {
 		if (entry->flags & PHAR_ENT_COMPRESSED_BZ2) {
 			*(int *) argument = 0;
+			return ZEND_HASH_APPLY_STOP;
 		}
 	}
 
 	if (!PHAR_G(has_zlib)) {
 		if (entry->flags & PHAR_ENT_COMPRESSED_GZ) {
 			*(int *) argument = 0;
+			return ZEND_HASH_APPLY_STOP;
 		}
 	}
 
@@ -4518,28 +4515,27 @@ PHP_METHOD(PharFileInfo, __construct)
 }
 /* }}} */
 
-#define PHAR_ENTRY_OBJECT() \
+#define PHAR_ENTRY_OBJECT_EX(throw) \
 	zval *zobj = ZEND_THIS; \
 	phar_entry_object *entry_obj = (phar_entry_object*)((char*)Z_OBJ_P(zobj) - Z_OBJ_P(zobj)->handlers->offset); \
 	if (!entry_obj->entry) { \
-		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, \
-			"Cannot call method on an uninitialized PharFileInfo object"); \
-		RETURN_THROWS(); \
+		if (throw) { \
+			zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, \
+				"Cannot call method on an uninitialized PharFileInfo object"); \
+		} \
+		return; \
 	}
 
+#define PHAR_ENTRY_OBJECT() PHAR_ENTRY_OBJECT_EX(true)
+
 /* {{{ clean up directory-based entry objects */
 PHP_METHOD(PharFileInfo, __destruct)
 {
-	zval *zobj = ZEND_THIS;
-	phar_entry_object *entry_obj = (phar_entry_object*)((char*)Z_OBJ_P(zobj) - Z_OBJ_P(zobj)->handlers->offset);
-
 	if (zend_parse_parameters_none() == FAILURE) {
 		RETURN_THROWS();
 	}
 
-	if (!entry_obj->entry) {
-		return;
-	}
+	PHAR_ENTRY_OBJECT_EX(false);
 
 	if (entry_obj->entry->is_temp_dir) {
 		if (entry_obj->entry->filename) {

ext/phar/zip.c

@@ -641,13 +641,6 @@ int phar_parse_zipfile(php_stream *fp, char *fname, size_t fname_len, char *alia
 
 			zend_off_t restore_pos = php_stream_tell(fp);
 			php_stream_seek(fp, entry.offset, SEEK_SET);
-			/* these next lines should be for php < 5.2.6 after 5.3 filters are fixed */
-			fp->writepos = 0;
-			fp->readpos = 0;
-			php_stream_seek(fp, entry.offset, SEEK_SET);
-			fp->writepos = 0;
-			fp->readpos = 0;
-			/* the above lines should be for php < 5.2.6 after 5.3 filters are fixed */
 
 			mydata->alias_len = entry.uncompressed_filesize;
 			if (entry.flags & PHAR_ENT_COMPRESSED_GZ) {

ext/spl/spl_heap.c

@@ -1257,6 +1257,10 @@ PHP_METHOD(SplHeap, __unserialize)
 		Z_PARAM_ARRAY_HT(data)
 	ZEND_PARSE_PARAMETERS_END();
 
+	if (UNEXPECTED(spl_heap_consistency_validations(intern, true) != SUCCESS)) {
+		RETURN_THROWS();
+	}
+
 	if (zend_hash_num_elements(data) != 2) {
 		zend_throw_exception_ex(NULL, 0, "Invalid serialization data for %s object", ZSTR_VAL(intern->std.ce->name));
 		RETURN_THROWS();
@@ -1285,10 +1289,6 @@ PHP_METHOD(SplHeap, __unserialize)
 		RETURN_THROWS();
 	}
 
-	if (EG(exception)) {
-		RETURN_THROWS();
-	}
-
 	if (UNEXPECTED(spl_heap_consistency_validations(intern, false) != SUCCESS)) {
 		RETURN_THROWS();
 	}

ext/spl/tests/heap_unserialize_under_corruption_or_modification.phpt

@@ -0,0 +1,30 @@
+--TEST--
+SplHeap should not accept unserialize data when it is corrupted or under modification
+--FILE--
+<?php
+
+class MyHeap extends SplMaxHeap {
+    public function compare($a, $b): int {
+        global $array;
+        static $counter = 0;
+        if ($counter++ === 0)
+            $this->__unserialize($array);
+        return $a < $b ? -1 : ($a == $b ? 0 : 1);
+    }
+}
+
+$heap = new SplMaxHeap;
+$heap->insert(1);
+$array = $heap->__serialize();
+
+$heap = new MyHeap;
+$heap->insert(0);
+try {
+    $heap->insert(2);
+} catch (RuntimeException $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Heap cannot be changed when it is already being modified.