PHP 7 ChangeLog
Version 7.0.15
19 Jan 2017
Core:
Fixed bug #73792 (invalid foreach loop hangs script).
Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created with list()).
Fixed bug #73585 (Logging of "Internal Zend error - Missing class information" missing class name).
Fixed bug #73753 (unserialized array pointer not advancing).
Fixed bug #73825 (Heap out of bounds read on unserialize in finish_nested_data()). (CVE-2016-10161)
Fixed bug #73831 (NULL Pointer Dereference while unserialize php object). (CVE-2016-10162)
Fixed bug #73832 (Use of uninitialized memory in unserialize()). (CVE-2017-5340)
Fixed bug #73092 (Unserialize use-after-free when resizing object's properties hash table). (CVE-2016-7479)
Fixed bug #69425 (Use After Free in unserialize()).
Fixed bug #72731 (Type Confusion in Object Deserialization).
COM:
Fixed bug #73679 (DOTNET read access violation using invalid codepage).
DOM:
Fixed bug #67474 (getElementsByTagNameNS filter on default ns).
EXIF:
Fixed bug #73737 (FPE when parsing a tag format). (CVE-2016-10158)
GD:
Fixed bug #73869 (Signed Integer Overflow gd_io.c). (CVE-2016-10168)
Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (CVE-2016-10167)
GMP:
Fixed bug #70513 (GMP Deserialization Type Confusion Vulnerability).
Mysqli:
Fixed bug #73462 (Persistent connections don't set $connect_errno).
Mysqlnd:
Fixed issue with decoding BIT columns when having more than one rows in the result set. 7.0+ problem.
Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
PCRE:
Fixed bug #73612 (preg_*() may leak memory).
PDO_Firebird:
Fixed bug #72931 (PDO_FIREBIRD with Firebird 3.0 not work on returning statement).
Phar:
Fixed bug #73773 (Seg fault when loading hostile phar).
Fixed bug #73768 (Memory corruption when loading hostile phar). (CVE-2016-10160)
Fixed bug #73764 (Crash while loading hostile phar archive). (CVE-2016-10159)
Phpdbg:
Fixed bug #73615 (phpdbg without option never load .phpdbginit at startup).
Fixed issue getting executable lines from custom wrappers.
Fixed bug #73704 (phpdbg shows the wrong line in files with shebang).
Reflection:
Fixed bug #46103 (ReflectionObject memory leak).
Streams:
Fixed bug #73586 (php_user_filter::$stream is not set to the stream the filter is working on).
SQLite3:
Reverted fix for #73530 (Unsetting result set may reset other result set).
Standard:
Fixed bug #73594 (dns_get_record does not populate $additional out parameter).
Fixed bug #70213 (Unserialize context shared on double class lookup).
Fixed bug #73154 (serialize object with __sleep function crash).
Fixed bug #70490 (get_browser function is very slow).
Fixed bug #73265 (Loading browscap.ini at startup causes high memory usage).
Fixed bug #31875 (get_defined_functions additional param to exclude disabled functions).
Zlib:
Fixed bug #73373 (deflate_add does not verify that output was not truncated).
Version 7.1.1
19 Jan 2017
Core
Fixed bug #73792 (invalid foreach loop hangs script).
Fixed bug #73686 (Adding settype()ed values to ArrayObject results in references).
Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created with list()).
Fixed bug #73727 (ZEND_MM_BITSET_LEN is "undefined symbol" in zend_bitset.h).
Fixed bug #73753 (unserialized array pointer not advancing).
Fixed bug #73783 (SIG_IGN doesn't work when Zend Signals is enabled).
Fixed bug #73825 (Heap out of bounds read on unserialize in finish_nested_data()). (CVE-2016-10161)
Fixed bug #73831 (NULL Pointer Dereference while unserialize php object). (CVE-2016-10162)
Fixed bug #73832 (Use of uninitialized memory in unserialize()). (CVE-2017-5340)
CLI
Fixed bug #72555 (CLI output(japanese) on Windows).
COM
Fixed bug #73679 (DOTNET read access violation using invalid codepage).
DOM
Fixed bug #67474 (getElementsByTagNameNS filter on default ns).
EXIF
Fixed bug #73737 (FPE when parsing a tag format). (CVE-2016-10158)
GD
Fixed bug #73869 (Signed Integer Overflow gd_io.c). (CVE-2016-10168)
Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (CVE-2016-10167)
mbstring
Fixed bug #73646 (mb_ereg_search_init null pointer dereference).
MySQLi
Fixed bug #73462 (Persistent connections don't set $connect_errno).
mysqlnd
Optimized handling of BIT fields - less memory copies and lower memory usage.
Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
opcache
Fixed bug #73789 (Strange behavior of class constants in switch/case block).
Fixed bug #73746 (Method that returns string returns UNKNOWN:0 instead).
Fixed bug #73654 (Segmentation fault in zend_call_function).
Fixed bug #73668 ("SIGFPE Arithmetic exception" in opcache when divide by minus 1).
Fixed bug #73847 (Recursion when a variable is redefined as array).
PDO Firebird
Fixed bug #72931 (PDO_FIREBIRD with Firebird 3.0 not work on returning statement).
Phar:
Fixed bug #73773 (Seg fault when loading hostile phar).
Fixed bug #73768 (Memory corruption when loading hostile phar). (CVE-2016-10160)
Fixed bug #73764 (Crash while loading hostile phar archive). (CVE-2016-10159)
phpdbg
Fixed bug #73794 (Crash (out of memory) when using run and # command separator).
Fixed bug #73704 (phpdbg shows the wrong line in files with shebang).
SQLite3
Reverted fix for Fixed bug #73530 (Unsetting result set may reset other result set).
Standard
Fixed bug #73594 (dns_get_record does not populate $additional out parameter).
Fixed bug #70213 (Unserialize context shared on double class lookup).
Fixed bug #73154 (serialize object with __sleep function crash).
Fixed bug #70490 (get_browser function is very slow).
Fixed bug #73265 (Loading browscap.ini at startup causes high memory usage).
(add subject to mail log).
Fixed bug #31875 (get_defined_functions additional param to exclude disabled functions).
zlib
Fixed bug #73373 (deflate_add does not verify that output was not truncated).
Version 7.0.14
08 Dec 2016
Core:
Fixed memory leak(null coalescing operator with Spl hash).
Fixed bug #72736 (Slow performance when fetching large dataset with mysqli / PDO).
Fixed bug #72978 (Use After Free Vulnerability in unserialize()). (CVE-2016-9936)
Calendar:
Date:
Fixed bug #69587 (DateInterval properties and isset).
DTrace:
Disabled PHP call tracing by default (it makes significant overhead). This may be enabled again using envirionment variable USE_ZEND_DTRACE=1.
JSON:
Fixed bug #73526 (php_json_encode depth issue).
Mysqlnd:
Fixed bug #64526 (Add missing mysqlnd.* parameters to php.ini-*).
ODBC:
Fixed bug #73448 (odbc_errormsg returns trash, always 513 bytes).
Opcache:
Fixed bug #69090 (check cached files permissions).
Fixed bug #73546 (Logging for opcache has an empty file name).
PCRE:
Fixed bug #73483 (Segmentation fault on pcre_replace_callback).
Fixed bug #73392 (A use-after-free in zend allocator management).
PDO_Firebird:
Phar:
Fixed bug #73580 (Phar::isValidPharFilename illegal memory access).
Postgres:
Fixed bug #73498 (Incorrect SQL generated for pg_copy_to()).
Soap:
Fixed bug #73538 (SoapClient::__setSoapHeaders doesn't overwrite SOAP headers).
Fixed bug #73452 (Segfault (Regression for #69152 )).
SPL:
Fixed bug #73423 (Reproducible crash with GDB backtrace).
SQLite3:
Fixed bug #73530 (Unsetting result set may reset other result set).
Standard:
Fixed bug #73297 (HTTP stream wrapper should ignore HTTP 100 Continue).
Fixed bug #73645 (version_compare illegal write access).
Wddx:
Fixed bug #73631 (Invalid read when wddx decodes empty boolean element). (CVE-2016-9935)
XML:
Fixed bug #72135 (malformed XML causes fault).
Version 7.1.0
01 Dec 2016
Core:
Added nullable types.
Added DFA optimization framework based on e-SSA form.
Added specialized opcode handlers (e.g. ZEND_ADD_LONG_NO_OVERFLOW).
Added [] = as alternative construct to list() =.
Added void return type.
Added support for negative string offsets in string offset syntax and various string functions.
Added a form of the list() construct where keys can be specified.
Implemented safe execution timeout handling, that prevents random crashes after "Maximum execution time exceeded" error.
Implemented the RFC `Support Class Constant Visibility`.
Implemented the RFC `Catching multiple exception types`.
Implemented logging to syslog with dynamic error levels.
Implemented FR #72614 (Support "nmake test" on building extensions by phpize).
Implemented RFC: Iterable.
Implemented RFC: Closure::fromCallable (Danack)
Implemented RFC: Replace "Missing argument" warning with "\ArgumentCountError" exception.
Implemented RFC: Fix inconsistent behavior of $this variable.
Fixed bug #73585 (Logging of "Internal Zend error - Missing class information" missing class name).
Fixed memory leak(null coalescing operator with Spl hash).
Fixed bug #72736 (Slow performance when fetching large dataset with mysqli / PDO).
Fixed bug #72978 (Use After Free Vulnerability in unserialize()). (CVE-2016-9936)
Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow).
Fixed bug #72696 (imagefilltoborder stackoverflow on truecolor images). (CVE-2016-9933)
Fixed bug #73350 (Exception::__toString() cause circular references).
Fixed bug #73329 ((Float)"Nano" == NAN).
Fixed bug #73288 (Segfault in __clone > Exception.toString > __get).
Fixed for #73240 (Write out of bounds at number_format).
Fix pthreads detection when cross-compiling (ffontaine)
Fixed bug #73337 (try/catch not working with two exceptions inside a same operation).
Fixed bug #73156 (segfault on undefined function).
Fixed bug #73163 (PHP hangs if error handler throws while accessing undef const in default value).
Fixed bug #73172 (parse error: Invalid numeric literal).
Fixed bug #73181 (parse_str() without a second argument leads to crash).
Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c).
Fixed bug #73058 (crypt broken when salt is 'too' long).
Fixed bug #72944 (Null pointer deref in zval_delref_p).
Fixed bug #72943 (assign_dim on string doesn't reset hval).
Fixed bug #72598 (Reference is lost after array_slice()).
Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by password_verify).
Fixed bug #72813 (Segfault with __get returned by ref).
Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator).
TypeError messages for arg_info type checks will now say "must be ... or null" where the parameter or return type accepts null.
Fixed bug #72857 (stream_socket_recvfrom read access violation).
Fixed bug #72663 (Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization).
Fixed bug #72681 (PHP Session Data Injection Vulnerability).
Fixed bug #72742 (memory allocator fails to realloc small block to large one).
Fixed URL rewriter. It would not rewrite '//example.com/' URL unconditionally. URL rewrite target hosts whitelist is implemented.
Fixed bug #72641 (phpize (on Windows) ignores PHP_PREFIX).
Fixed bug #72683 (getmxrr broken).
Fixed bug #72629 (Caught exception assignment to variables ignores references).
Fixed bug #72594 (Calling an earlier instance of an included anonymous class fatals).
Fixed bug #72581 (previous property undefined in Exception after deserialization).
Fixed bug #72543 (Different references behavior comparing to PHP 5).
Fixed bug #72347 (VERIFY_RETURN type casts visible in finally).
Fixed bug #72216 (Return by reference with finally is not memory safe).
Fixed bug #72215 (Wrong return value if var modified in finally).
Fixed bug #71818 (Memory leak when array altered in destructor).
Fixed bug #71539 (Memory error on $arr[$a] =& $arr[$b] if RHS rehashes).
Added new constant PHP_FD_SETSIZE.
Added optind parameter to getopt().
Added PHP to SAPI error severity mapping for logs.
Fixed bug #71911 (Unable to set --enable-debug on building extensions by phpize on Windows).
Fixed bug #29368 (The destructor is called when an exception is thrown from the constructor).
Implemented RFC: RNG Fixes.
Implemented email validation as per RFC 6531.
Fixed bug #72513 (Stack-based buffer overflow vulnerability in virtual_file_ex).
Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).
Fixed bug #72523 (dtrace issue with reflection (failed test)).
Fixed bug #72508 (strange references after recursive function call and "switch" statement).
Fixed bug #72441 (Segmentation fault: RFC list_keys).
Fixed bug #72395 (list() regression).
Fixed bug #72373 (TypeError after Generator function w/declared return type finishes).
Fixed bug #69489 (tempnam() should raise notice if falling back to temp dir).
Fixed UTF-8 and long path support on Windows.
Fixed bug #53432 (Assignment via string index access on an empty string converts to array).
Fixed bug #62210 (Exceptions can leak temporary variables).
Fixed bug #62814 (It is possible to stiffen child class members visibility).
Fixed bug #69989 (Generators don't participate in cycle GC).
Fixed bug #70228 (Memleak if return in finally block).
Fixed bug #71266 (Missing separation of properties HT in foreach etc).
Fixed bug #71604 (Aborted Generators continue after nested finally).
Fixed bug #71572 (String offset assignment from an empty string inserts null byte).
Fixed bug #71897 (ASCII 0x7F Delete control character permitted in identifiers).
Fixed bug #72188 (Nested try/finally blocks losing return value).
Fixed bug #72213 (Finally leaks on nested exceptions).
Fixed bug #47517 (php-cgi.exe missing UAC manifest).
Change statement and fcall extension handlers to accept frame.
Number operators taking numeric strings now emit E_NOTICEs or E_WARNINGs when given malformed numeric strings.
(int), intval() where $base is 10 or unspecified, settype(), decbin(), decoct(), dechex(), integer operators and other conversions now always respect scientific notation in numeric strings.
Raise a compile-time warning on octal escape sequence overflow.
Apache2handler:
Enable per-module logging in Apache 2.4+.
BCmath:
Fix bug #73190 (memcpy negative parameter _bc_new_num_ex).
Bz2:
Fixed bug #72837 (integer overflow in bzdecompress caused heap corruption).
Fixed bug #72613 (Inadequate error handling in bzread()).
Calendar:
Fix integer overflows (Joshua Rogers)
Fixed bug #67976 (cal_days_month() fails for final month of the French calendar).
Fixed bug #71894 (AddressSanitizer: global-buffer-overflow in zif_cal_from_jd).
CLI Server:
Fixed bug #73360 (Unable to work in root with unicode chars).
Fixed bug #71276 (Built-in webserver does not send Date header).
COM:
Fixed bug #73126 (Cannot pass parameter 1 by reference).
Fixed bug #69579 (Invalid free in extension trait).
Fixed bug #72922 (COM called from PHP does not return out parameters).
Fixed bug #72569 (DOTNET/COM array parameters broke in PHP7).
Fixed bug #72498 (variant_date_from_timestamp null dereference).
Curl:
Implement support for handling HTTP/2 Server Push.
Add curl_multi_errno(), curl_share_errno() and curl_share_strerror() functions.
Fixed bug #72674 (Heap overflow in curl_escape).
Fixed bug #72541 (size_t overflow lead to heap corruption). (Stas).
Fixed bug #71709 (curl_setopt segfault with empty CURLOPT_HTTPHEADER).
Fixed bug #71929 (CURLINFO_CERTINFO data parsing error).
Date:
Fixed bug #69587 (DateInterval properties and isset).
Fixed bug #73426 (createFromFormat with 'z' format char results in incorrect time).
Fixed bug #45554 (Inconsistent behavior of the u format char).
Fixed bug #48225 (DateTime parser doesn't set microseconds for "now").
Fixed bug #52514 (microseconds are missing in DateTime class).
Fixed bug #52519 (microseconds in DateInterval are missing).
Fixed bug #60089 (DateTime::createFromFormat() U after u nukes microtime).
Fixed bug #64887 (Allow DateTime modification with subsecond items).
Fixed bug #68506 (General DateTime improvments needed for microseconds to become useful).
Fixed bug #73109 (timelib_meridian doesn't parse dots correctly).
Fixed bug #73247 (DateTime constructor does not initialise microseconds property).
Fixed bug #73147 (Use After Free in PHP7 unserialize()).
Fixed bug #73189 (Memcpy negative size parameter php_resolve_path).
Fixed bug #66836 (DateTime::createFromFormat 'U' with pre 1970 dates fails parsing).
Invalid serialization data for a DateTime or DatePeriod object will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error.
Timezone initialization failure from serialized data will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error.
Export date_get_interface_ce() for extension use.
Fixed bug #63740 (strtotime seems to use both sunday and monday as start of week).
Dba:
Fixed bug #70825 (Cannot fetch multiple values with group in ini file).
Data modification functions (e.g.: dba_insert()) now throw an instance of Error instead of triggering a catchable fatal error if the key is does not contain exactly two elements.
DOM:
Fixed bug #73150 (missing NULL check in dom_document_save_html).
Fixed bug #66502 (DOM document dangling reference).
Invalid schema or RelaxNG validation contexts will throw an instance of Error instead of resulting in a fatal error.
Attempting to register a node class that does not extend the appropriate base class will now throw an instance of Error instead of resulting in a fatal error.
Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error.
DTrace:
Disabled PHP call tracing by default (it makes significant overhead). This may be enabled again using envirionment variable USE_ZEND_DTRACE=1.
EXIF:
Fixed bug #72735 (Samsung picture thumb not read (zero size)).
Fixed bug #72627 (Memory Leakage In exif_process_IFD_in_TIFF).
Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).
Filter:
Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE).
Fixed bug #73054 (default option ignored when object passed to int filter).
Fixed bug #71745 (FILTER_FLAG_NO_RES_RANGE does not cover whole 127.0.0.0/8 range).
FPM:
Fixed bug #72575 (using --allow-to-run-as-root should ignore missing user).
FTP:
Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with require_ssl_reuse).
Implemented FR #55651 (Option to ignore the returned FTP PASV address).
GD:
Fixed bug #73213 (Integer overflow in imageline() with antialiasing).
Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()).
Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()).
Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf).
Fixed bug #50194 (imagettftext broken on transparent background w/o alphablending).
Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c).
Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box).
Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given).
Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries).
Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted files).
Fixed bug #73161 (imagecreatefromgd2() may leak memory).
Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette).
Fixed bug #66005 (imagecopy does not support 1bit transparency on truecolor images).
Fixed bug #72913 (imagecopy() loses single-color transparency on palette images).
Fixed bug #68716 (possible resource leaks in _php_image_convert()).
Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles).
Fixed bug #72697 (select_colors write out-of-bounds).
Fixed bug #72730 (imagegammacorrect allows arbitrary write access).
Fixed bug #72596 (imagetypes function won't advertise WEBP support).
Fixed bug #72604 (imagearc() ignores thickness for full arcs).
Fixed bug #70315 (500 Server Error but page is fully rendered).
Fixed bug #43828 (broken transparency of imagearc for truecolor in blendingmode).
Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).
Fixed bug #72519 (imagegif/output out-of-bounds access).
Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow).
Fixed bug #72494 (imagecropauto out-of-bounds access).
Fixed bug #72404 (imagecreatefromjpeg fails on selfie).
Fixed bug #43475 (Thick styled lines have scrambled patterns).
Fixed bug #53640 (XBM images require width to be multiple of 8).
Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line).
Hash:
Added SHA3 fixed mode algorithms (224, 256, 384, and 512 bit).
Added SHA512/256 and SHA512/224 algorithms.
iconv:
Fixed bug #72320 (iconv_substr returns false for empty strings).
IMAP:
Fixed bug #73418 (Integer Overflow in "_php_imap_mail" leads to crash).
An email address longer than 16385 bytes will throw an instance of Error instead of resulting in a fatal error.
Interbase:
Fixed bug #73512 (Fails to find firebird headers as don't use fb_config output).
Intl:
Fixed bug #73007 (add locale length check).
Fixed bug #73218 (add mitigation for ICU int overflow).
Fixed bug #65732 (grapheme_*() is not Unicode compliant on CR LF sequence).
Fixed bug #73007 (add locale length check).
Fixed bug #72639 (Segfault when instantiating class that extends IntlCalendar and adds a property).
Fixed bug #72658 (Locale::lookup() / locale_lookup() hangs if no match found).
Partially fixed #72506 (idn_to_ascii for UTS #46 incorrect for long domain names).
Fixed bug #72533 (locale_accept_from_http out-of-bounds access).
Failure to call the parent constructor in a class extending Collator before invoking the parent methods will throw an instance of Error instead of resulting in a recoverable fatal error.
Cloning a Transliterator object may will now throw an instance of Error instead of resulting in a fatal error if cloning the internal transliterator fails.
Added IntlTimeZone::getWindowsID() and IntlTimeZone::getIDForWindowsID().
Fixed bug #69374 (IntlDateFormatter formatObject returns wrong utf8 value).
Fixed bug #69398 (IntlDateFormatter formatObject returns wrong value when time style is NONE).
JSON:
Introduced encoder struct instead of global which fixes bugs #66025 and #73254 related to pretty print indentation.
Fixed bug #73113 (Segfault with throwing JsonSerializable).
Implemented earlier return when json_encode fails, fixes bugs #68992 (Stacking exceptions thrown by JsonSerializable) and #70275 (On recursion error, json_encode can eat up all system memory).
Implemented FR #46600 ("_empty_" key in objects).
Exported JSON parser API including json_parser_method that can be used for implementing custom logic when parsing JSON.
Escaped U+2028 and U+2029 when JSON_UNESCAPED_UNICODE is supplied as json_encode options and added JSON_UNESCAPED_LINE_TERMINATORS to restore the previous behaviour.
LDAP:
Providing an unknown modification type to ldap_batch_modify() will now throw an instance of Error instead of resulting in a fatal error.
Mbstring:
Fixed bug #73532 (Null pointer dereference in mb_eregi).
Fixed bug #66964 (mb_convert_variables() cannot detect recursion).
Fixed bug #72992 (mbstring.internal_encoding doesn't inherit default_charset).
Fixed bug #66797 (mb_substr only takes 32-bit signed integer).
Fixed bug #72711 (`mb_ereg` does not clear the `$regs` parameter on failure).
Fixed bug #72691 (mb_ereg_search raises a warning if a match zero-width).
Fixed bug #72693 (mb_ereg_search increments search position when a match zero-width).
Fixed bug #72694 (mb_ereg_search_setpos does not accept a string's last position).
Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error).
Deprecated mb_ereg_replace() eval option.
Fixed bug #69151 (mb_ereg should reject ill-formed byte sequence).
Fixed bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) - oob read access).
Fixed bug #72399 (Use-After-Free in MBString (search_re)).
mb_ereg() and mb_eregi() will now throw an instance of ParseError if an invalid PHP expression is provided and the 'e' option is used.
Mcrypt:
Deprecated ext/mcrypt.
Fixed bug #72782 (Heap Overflow due to integer overflows).
Fixed bug #72551 , bug #72552 (In correct casting from size_t to int lead to heap overflow in mdecrypt_generic).
mcrypt_encrypt() and mcrypt_decrypt() will throw an instance of Error instead of resulting in a fatal error if mcrypt cannot be initialized.
Mysqli:
Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error.
Mysqlnd:
Fixed bug #64526 (Add missing mysqlnd.* parameters to php.ini-*).
Fixed bug #71863 (Segfault when EXPLAIN with "Unknown column" error when using MariaDB).
Fixed bug #72701 (mysqli_get_host_info() wrong output).
OCI8:
Fixed bug #71148 (Bind reference overwritten on PHP 7).
Fixed invalid handle error with Implicit Result Sets.
Fixed bug #72524 (Binding null values triggers ORA-24816 error).
ODBC:
Fixed bug #73448 (odbc_errormsg returns trash, always 513 bytes).
Opcache:
Fixed bug #73583 (Segfaults when conditionally declared class and function have the same name).
Fixed bug #69090 (check cached files permissions)
Fixed bug #72982 (Memory leak in zend_accel_blacklist_update_regexp() function).
Fixed bug #72949 (Typo in opcache error message).
Fixed bug #72762 (Infinite loop while parsing a file with opcache enabled).
Fixed bug #72590 (Opcache restart with kill_all_lockers does not work).
OpenSSL:
Fixed bug #73478 (openssl_pkey_new() generates wrong pub/priv keys with Diffie Hellman).
Fixed bug #73276 (crash in openssl_random_pseudo_bytes function).
Fixed bug #73072 (Invalid path SNI_server_certs causes segfault).
Fixed bug #72360 (ext/openssl build failure with OpenSSL 1.1.0).
Bumped a minimal version to 1.0.1.
Dropped support for SSL2.
Implemented FR #61204 (Add elliptic curve support for OpenSSL).
Implemented FR #67304 (Added AEAD support [CCM and GCM modes] to openssl_encrypt and openssl_decrypt).
Implemented error storing to the global queue and cleaning up the OpenSSL error queue (resolves bugs #68276 and #69882).
Pcntl:
Implemented asynchronous signal handling without TICKS.
Added pcntl_signal_get_handler() that returns the current signal handler for a particular signal. Addresses FR #72409 .
Add signinfo to pcntl_signal() handler args (Bishop Bettini, David Walker)
PCRE:
Fixed bug #73483 (Segmentation fault on pcre_replace_callback).
Fixed bug #73612 (preg_*() may leak memory).
Fixed bug #73392 (A use-after-free in zend allocator management).
Fixed bug #73121 (Bundled PCRE doesn't compile because JIT isn't supported on s390).
Fixed bug #72688 (preg_match missing group names in matches).
Downgraded to PCRE 8.38.
Fixed bug #72476 (Memleak in jit_stack).
Fixed bug #72463 (mail fails with invalid argument).
Upgraded to PCRE 8.39.
PDO:
Fixed bug #72788 (Invalid memory access when using persistent PDO connection).
Fixed bug #72791 (Memory leak in PDO persistent connection handling).
Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false).
PDO_DBlib:
Fixed bug #72414 (Never quote values as raw binary data).
Allow \PDO::setAttribute() to set query timeouts.
Handle SQLDECIMAL/SQLNUMERIC types, which are used by later TDS versions.
Add common PDO test suite.
Free error and message strings when cleaning up PDO instances.
Fixed bug #67130 (\PDOStatement::nextRowset() should succeed when all rows in current rowset haven't been fetched).
Ignore potentially misleading dberr values.
Implemented stringify 'uniqueidentifier' fields.
PDO_Firebird:
Fixed bug #73087 , #61183 , #71494 (Memory corruption in bindParam).
Fixed bug #60052 (Integer returned as a 64bit integer on X86_64).
PDO_pgsql:
Fixed bug #70313 (PDO statement fails to throw exception).
Fixed bug #72570 (Segmentation fault when binding parameters on a query without placeholders).
Implemented FR #72633 (Postgres PDO lastInsertId() should work without specifying a sequence).
Phar:
Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile).
Fixed bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile).
phpdbg:
Added generator command for inspection of currently alive generators.
Postgres:
Fixed bug #73498 (Incorrect SQL generated for pg_copy_to()).
Implemented FR #31021 (pg_last_notice() is needed to get all notice messages).
Implemented FR #48532 (Allow pg_fetch_all() to index numerically).
Readline:
Fixed bug #72538 (readline_redisplay crashes php).
Reflection:
Undo backwards compatiblity break in ReflectionType->__toString() and deprecate via documentation instead.
Reverted prepending \ for class names.
Implemented request #38992 (invoke() and invokeArgs() static method calls should match). (cmb).
Add ReflectionNamedType::getName(). This method should be used instead of ReflectionType::__toString()
Prepend \ for class names and ? for nullable types returned from ReflectionType::__toString().
Fixed bug #72661 (ReflectionType::__toString crashes with iterable).
Fixed bug #72222 (ReflectionClass::export doesn't handle array constants).
Failure to retrieve a reflection object or retrieve an object property will now throw an instance of Error instead of resulting in a fatal error.
Fix #72209 (ReflectionProperty::getValue() doesn't fail if object doesn't match type).
Session:
Fixed bug #73273 (session_unset() empties values from all variables in which is $_session stored).
Fixed bug #73100 (session_destroy null dereference in ps_files_path_create).
Fixed bug #68015 (Session does not report invalid uid for files save handler).
Fixed bug #72940 (SID always return "name=ID", even if session cookie exist).
Implemented session_gc() (Yasuo) https://wiki.php.net/rfc/session-create-id
Implemented session_create_id() (Yasuo) https://wiki.php.net/rfc/session-gc
Implemented RFC: Session ID without hashing. (Yasuo) https://wiki.php.net/rfc/session-id-without-hashing
Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow).
Custom session handlers that do not return strings for session IDs will now throw an instance of Error instead of resulting in a fatal error when a function is called that must generate a session ID.
An invalid setting for session.hash_function will throw an instance of Error instead of resulting in a fatal error when a session ID is created.
Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session Deserialization).
Improved fix for bug #68063 (Empty session IDs do still start sessions).
Fixed bug #71038 (session_start() returns TRUE on failure). Session save handlers must return 'string' always for successful read. i.e. Non-existing session read must return empty string. PHP 7.0 is made not to tolerate buggy return value.
Fixed bug #71394 (session_regenerate_id() must close opened session on errors).
SimpleXML:
Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()).
Fixed bug #72971 (SimpleXML isset/unset do not respect namespace).
Fixed bug #72957 (Null coalescing operator doesn't behave as expected with SimpleXMLElement).
Fixed bug #72588 (Using global var doesn't work while accessing SimpleXML element).
Creating an unnamed or duplicate attribute will throw an instance of Error instead of resulting in a fatal error.
SNMP:
Fixed bug #72708 (php_snmp_parse_oid integer overflow in memory allocation).
Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).
Soap:
Fixed bug #73538 (SoapClient::__setSoapHeaders doesn't overwrite SOAP headers).
Fixed bug #73452 (Segfault (Regression for #69152)).
Fixed bug #73037 (SoapServer reports Bad Request when gzipped).
Fixed bug #73237 (Nested object in "any" element overwrites other fields).
Fixed bug #69137 (Peer verification fails when using a proxy with SoapClient).
Fixed bug #71711 (Soap Server Member variables reference bug).
Fixed bug #71996 (Using references in arrays doesn't work like expected).
SPL:
Fixed bug #73423 (Reproducible crash with GDB backtrace).
Fixed bug #72888 (Segfault on clone on splFileObject).
Fixed bug #73029 (Missing type check when unserializing SplArray).
Fixed bug #72646 (SplFileObject::getCsvControl does not return the escape character).
Fixed bug #72684 (AppendIterator segfault with closed generator).
Attempting to clone an SplDirectory object will throw an instance of Error instead of resulting in a fatal error.
Calling ArrayIterator::append() when iterating over an object will throw an instance of Error instead of resulting in a fatal error.
Fixed bug #55701 (GlobIterator throws LogicException).
SQLite3:
Update to SQLite 3.15.1.
Fixed bug #73530 (Unsetting result set may reset other result set).
Fixed bug #73333 (2147483647 is fetched as string).
Fixed bug #72668 (Spurious warning when exception is thrown in user defined function).
Implemented FR #72653 (SQLite should allow opening with empty filename).
Fixed bug #70628 (Clearing bindings on an SQLite3 statement doesn't work).
Implemented FR #71159 (Upgraded bundled SQLite lib to 3.9.2).
Standard:
Fixed bug #73297 (HTTP stream wrapper should ignore HTTP 100 Continue).
Fixed bug #73303 (Scope not inherited by eval in assert()).
Fixed bug #73192 (parse_url return wrong hostname).
Fixed bug #73203 (passing additional_parameters causes mail to fail).
Fixed bug #73203 (passing additional_parameters causes mail to fail).
Fixed bug #72920 (Accessing a private constant using constant() creates an exception AND warning).
Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign).
Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory).
Fixed bug #55451 (substr_compare NULL length interpreted as 0).
Fixed bug #72278 (getimagesize returning FALSE on valid jpg).
Fixed bug #61967 (unset array item in array_walk_recursive cause inconsistent array).
Fixed bug #62607 (array_walk_recursive move internal pointer).
Fixed bug #69068 (Exchanging array during array_walk -> memory errors).
Fixed bug #70713 (Use After Free Vulnerability in array_walk()/ array_walk_recursive()).
Fixed bug #72622 (array_walk + array_replace_recursive create references from nothing).
Fixed bug #72330 (CSV fields incorrectly split if escape char followed by UTF chars).
Implemented RFC: More precise float values.
array_multisort now uses zend_sort instead zend_qsort.
Fixed bug #72505 (readfile() mangles files larger than 2G).
assert() will throw a ParseError when evaluating a string given as the first argument if the PHP code is invalid instead of resulting in a catchable fatal error.
Calling forward_static_call() outside of a class scope will now throw an instance of Error instead of resulting in a fatal error.
Added is_iterable() function.
Fixed bug #72306 (Heap overflow through proc_open and $env parameter).
Fixed bug #71100 (long2ip() doesn't accept integers in strict mode).
Implemented FR #55716 (Add an option to pass a custom stream context to get_headers()).
Additional validation for parse_url() for login/pass components).
Implemented FR #69359 (Provide a way to fetch the current environment variables).
unpack() function accepts an additional optional argument $offset.
Implemented #51879 stream context socket option tcp_nodelay (Joe)
Streams:
Fixed bug #73586 (php_user_filter::$stream is not set to the stream the filter is working on).
Fixed bug #72853 (stream_set_blocking doesn't work).
Fixed bug #72743 (Out-of-bound read in php_stream_filter_create).
Implemented FR #27814 (Multiple small packets send for HTTP request).
Fixed bug #72764 (ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5).
Fixed bug #72810 (Missing SKIP_ONLINE_TESTS checks).
Fixed bug #41021 (Problems with the ftps wrapper).
Fixed bug #54431 (opendir() does not work with ftps:// wrapper).
Fixed bug #72667 (opendir() with ftp:// attempts to open data stream for non-existent directories).
Fixed bug #72771 (ftps:// wrapper is vulnerable to protocol downgrade attack).
Fixed bug #72534 (stream_socket_get_name crashes).
Fixed bug #72439 (Stream socket with remote address leads to a segmentation fault).
sysvshm:
Fixed bug #72858 (shm_attach null dereference).
Tidy:
Implemented support for libtidy 5.0.0 and above.
Creating a tidyNode manually will now throw an instance of Error instead of resulting in a fatal error.
Wddx:
Fixed bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow). (CVE-2016-9934)
Fixed bug #72142 (WDDX Packet Injection Vulnerability in wddx_serialize_value()).
Fixed bug #72749 (wddx_deserialize allows illegal memory access).
Fixed bug #72750 (wddx_deserialize null dereference).
Fixed bug #72790 (wddx_deserialize null dereference with invalid xml).
Fixed bug #72799 (wddx_deserialize null dereference in php_wddx_pop_element).
Fixed bug #72860 (wddx_deserialize use-after-free).
Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element).
Fixed bug #72564 (boolean always deserialized as "true").
A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error.
XML:
Fixed bug #72135 (malformed XML causes fault).
Fixed bug #72714 (_xml_startElementHandler() segmentation fault).
Fixed bug #72085 (SEGV on unknown address zif_xml_parse).
XMLRPC:
Fixed bug #72647 (xmlrpc_encode() unexpected output after referencing array elements).
Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).
A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error.
Zip:
Fixed bug #68302 (impossible to compile php with zip support).
Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd).
Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).
ZipArchive::addGlob() will throw an instance of Error instead of resulting in a fatal error if glob support is not available.
Version 7.0.13
10 Nov 2016
Core:
Fixed bug #73350 (Exception::__toString() cause circular references).
Fixed bug #73181 (parse_str() without a second argument leads to crash).
Fixed bug #66773 (Autoload with Opcache allows importing conflicting class name to namespace).
Fixed bug #66862 ((Sub-)Namespaces unexpected behaviour).
Fix pthreads detection when cross-compiling.
Fixed bug #73337 (try/catch not working with two exceptions inside a same operation).
Fixed bug #73338 (Exception thrown from error handler causes valgrind warnings (and crashes)).
Fixed bug #73329 ((Float)"Nano" == NAN).
GD:
Fixed bug #73213 (Integer overflow in imageline() with antialiasing).
Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()).
Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()).
Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf).
Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow).
Fixed bug #72696 (imagefilltoborder stackoverflow on truecolor images). (CVE-2016-9933)
IMAP:
Fixed bug #73418 (Integer Overflow in "_php_imap_mail" leads to crash).
OCI8:
Fixed bug #71148 (Bind reference overwritten on PHP 7).
phpdbg:
Properly allow for stdin input from a file.
Add -s command line option / stdin command for reading script from stdin.
Ignore non-executable opcodes in line mode of phpdbg_end_oplog().
Fixed bug #70776 (Simple SIGINT does not have any effect with -rr).
Fixed bug #71234 (INI files are loaded even invoked as -n --version).
Session:
Fixed bug #73273 (session_unset() empties values from all variables in which is $_session stored).
SOAP:
Fixed bug #73037 (SoapServer reports Bad Request when gzipped).
Fixed bug #73237 (Nested object in "any" element overwrites other fields).
Fixed bug #69137 (Peer verification fails when using a proxy with SoapClient)
SQLite3:
Fixed bug #73333 (2147483647 is fetched as string).
Standard:
Fixed bug #73203 (passing additional_parameters causes mail to fail).
Fixed bug #71241 (array_replace_recursive sometimes mutates its parameters).
Fixed bug #73192 (parse_url return wrong hostname).
Wddx:
Fixed bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow). (CVE-2016-9934)
Version 7.0.12
13 Oct 2016 Core:
Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c).
Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by password_verify).
Fixed bug #73058 (crypt broken when salt is 'too' long).
Fixed bug #69579 (Invalid free in extension trait).
Fixed bug #73156 (segfault on undefined function).
Fixed bug #73163 (PHP hangs if error handler throws while accessing undef const in default value).
Fixed bug #73172 (parse error: Invalid numeric literal).
Fixed bug #73240 (Write out of bounds at number_format).
Fixed bug #73147 (Use After Free in PHP7 unserialize()).
Fixed bug #73189 (Memcpy negative size parameter php_resolve_path).
BCmath:
Fixed bug #73190 (memcpy negative parameter _bc_new_num_ex).
COM:
Fixed bug #73126 (Cannot pass parameter 1 by reference).
Date:
Fixed bug #73091 (Unserializing DateInterval object may lead to __toString invocation).
DOM:
Fixed bug #73150 (missing NULL check in dom_document_save_html).
Filter:
Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE).
Fixed bug #73054 (default option ignored when object passed to int filter).
GD:
Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette).
Fixed bug #50194 (imagettftext broken on transparent background w/o alphablending).
Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c).
Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box).
Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given).
Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries).
Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted files).
Fixed bug #73161 (imagecreatefromgd2() may leak memory).
Intl:
Fixed bug #73218 (add mitigation for ICU int overflow).
Mbstring:
Fixed bug #66797 (mb_substr only takes 32-bit signed integer).
Fixed bug #66964 (mb_convert_variables() cannot detect recursion).
Fixed bug #72992 (mbstring.internal_encoding doesn't inherit default_charset).
Mysqlnd:
Fixed bug #72489 (PHP Crashes When Modifying Array Containing MySQLi Result Data).
Opcache:
Fixed bug #72982 (Memory leak in zend_accel_blacklist_update_regexp() function).
OpenSSL:
Fixed bug #73072 (Invalid path SNI_server_certs causes segfault).
Fixed bug #73276 (crash in openssl_random_pseudo_bytes function).
Fixed bug #73275 (crash in openssl_encrypt function).
PCRE:
Fixed bug #73121 (Bundled PCRE doesn't compile because JIT isn't supported on s390).
Fixed bug #73174 (heap overflow in php_pcre_replace_impl).
PDO_DBlib:
Fixed bug #72414 (Never quote values as raw binary data).
Allow \PDO::setAttribute() to set query timeouts.
Handle SQLDECIMAL/SQLNUMERIC types, which are used by later TDS versions.
Add common PDO test suite.
Free error and message strings when cleaning up PDO instances.
Fixed bug #67130 (\PDOStatement::nextRowset() should succeed when all rows in current rowset haven't been fetched).
Ignore potentially misleading dberr values.
phpdbg:
Fixed bug #72996 (phpdbg_prompt.c undefined reference to DL_LOAD).
Fixed next command not stopping when leaving function.
Session:
Fixed bug #68015 (Session does not report invalid uid for files save handler).
Fixed bug #73100 (session_destroy null dereference in ps_files_path_create).
SimpleXML:
Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()).
SOAP:
Fixed bug #71711 (Soap Server Member variables reference bug).
Fixed bug #71996 (Using references in arrays doesn't work like expected).
SPL:
Fixed bug #73257 , Fixed bug #73258 (SplObjectStorage unserialize allows use of non-object as key).
SQLite3:
Updated bundled SQLite3 to 3.14.2.
Zip:
Fixed bug #70752 (Depacking with wrong password leaves 0 length files).
Version 7.0.11
15 Sep 2016 Core:
Fixed bug #72944 (Null pointer deref in zval_delref_p).
Fixed bug #72943 (assign_dim on string doesn't reset hval).
Fixed bug #72911 (Memleak in zend_binary_assign_op_obj_helper).
Fixed bug #72813 (Segfault with __get returned by ref).
Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator).
Fixed bug #72854 (PHP Crashes on duplicate destructor call).
Fixed bug #72857 (stream_socket_recvfrom read access violation).
COM:
Fixed bug #72922 (COM called from PHP does not return out parameters).
Dba:
Fixed bug #70825 (Cannot fetch multiple values with group in ini file).
FTP:
Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with require_ssl_reuse).
GD:
Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles).
Fixed bug #66005 (imagecopy does not support 1bit transparency on truecolor images).
Fixed bug #72913 (imagecopy() loses single-color transparency on palette images).
Fixed bug #68716 (possible resource leaks in _php_image_convert()).
iconv:
Fixed bug #72320 (iconv_substr returns false for empty strings).
IMAP:
Fixed bug #72852 (imap_mail null dereference).
Intl:
Fixed bug #65732 (grapheme_*() is not Unicode compliant on CR LF sequence).
Fixed bug #73007 (add locale length check). (CVE-2016-7416)
Mysqlnd:
Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields). (CVE-2016-7412)
OCI8:
Fixed invalid handle error with Implicit Result Sets.
Fixed bug #72524 (Binding null values triggers ORA-24816 error).
Opcache:
Fixed bug #72949 (Typo in opcache error message).
PDO:
Fixed bug #72788 (Invalid memory access when using persistent PDO connection).
Fixed bug #72791 (Memory leak in PDO persistent connection handling).
Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false).
PDO_DBlib:
Implemented stringify 'uniqueidentifier' fields.
PDO_pgsql:
Implemented FR #72633 (Postgres PDO lastInsertId() should work without specifying a sequence).
Fixed bug #72759 (Regression in pgo_pgsql).
Phar:
Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile). (CVE-2016-7414)
Fixed bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile).
Reflection:
Fixed bug #72846 (getConstant for a array constant with constant values returns NULL/NFC/UKNOWN).
Session:
Fixed bug #72724 (PHP7: session-uploadprogress kills httpd).
Fixed bug #72940 (SID always return "name=ID", even if session cookie exist).
SimpleXML:
Fixed bug #72971 (SimpleXML isset/unset do not respect namespace).
Fixed bug #72957 (Null coalescing operator doesn't behave as expected with SimpleXMLElement).
SPL:
Fixed bug #73029 (Missing type check when unserializing SplArray). (CVE-2016-7417)
Standard:
Fixed bug #55451 (substr_compare NULL length interpreted as 0).
Fixed bug #72278 (getimagesize returning FALSE on valid jpg).
Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign).
Streams:
Fixed bug #72853 (stream_set_blocking doesn't work).
Fixed bug #72764 (ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5).
Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory).
SQLite3:
Downgraded bundled SQLite to 3.8.10.2, see #73068
Sysvshm:
Fixed bug #72858 (shm_attach null dereference).
Wddx:
Fixed bug #72860 (wddx_deserialize use-after-free). (CVE-2016-7413)
Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element). (CVE-2016-7418)
XML:
Fixed bug #72085 (SEGV on unknown address zif_xml_parse).
Fixed bug #72714 (_xml_startElementHandler() segmentation fault).
ZIP:
Fixed bug #68302 (impossible to compile php with zip support).
Version 7.0.10
18 Aug 2016 Core:
Fixed bug #72629 (Caught exception assignment to variables ignores references).
Fixed bug #72594 (Calling an earlier instance of an included anonymous class fatals).
Fixed bug #72581 (previous property undefined in Exception after deserialization).
Fixed bug #72496 (Cannot declare public method with signature incompatible with parent private method).
Fixed bug #72024 (microtime() leaks memory).
Fixed bug #71911 (Unable to set --enable-debug on building extensions by phpize on Windows).
Fixed bug causing ClosedGeneratorException being thrown into the calling code instead of the Generator yielding from.
Implemented FR #72614 (Support "nmake test" on building extensions by phpize).
Fixed bug #72641 (phpize (on Windows) ignores PHP_PREFIX).
Fixed potential segfault in object storage freeing in shutdown sequence.
Fixed bug #72663 (Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization). (CVE-2016-7124)
Fixed bug #72681 (PHP Session Data Injection Vulnerability). (CVE-2016-7125)
Fixed bug #72683 (getmxrr broken).
Fixed bug #72742 (memory allocator fails to realloc small block to large one). (CVE-2016-7133)
Bz2:
Fixed bug #72837 (integer overflow in bzdecompress caused heap corruption).
Calendar:
Fixed bug #67976 (cal_days_month() fails for final month of the French calendar).
Fixed bug #71894 (AddressSanitizer: global-buffer-overflow in zif_cal_from_jd).
COM:
Fixed bug #72569 (DOTNET/COM array parameters broke in PHP7).
CURL:
Fixed bug #71709 (curl_setopt segfault with empty CURLOPT_HTTPHEADER).
Fixed bug #71929 (CURLINFO_CERTINFO data parsing error).
Fixed bug #72674 (Heap overflow in curl_escape). (CVE-2016-7134)
DOM:
Fixed bug #66502 (DOM document dangling reference).
EXIF:
Fixed bug #72735 (Samsung picture thumb not read (zero size)).
Fixed bug #72627 (Memory Leakage In exif_process_IFD_in_TIFF). (CVE-2016-7128)
Filter:
Fixed bug #71745 (FILTER_FLAG_NO_RES_RANGE does not cover whole 127.0.0.0/8 range).
FPM:
Fixed bug #72575 (using --allow-to-run-as-root should ignore missing user).
GD:
Fixed bug #72596 (imagetypes function won't advertise WEBP support).
Fixed bug #72604 (imagearc() ignores thickness for full arcs).
Fixed bug #70315 (500 Server Error but page is fully rendered).
Fixed bug #43828 (broken transparency of imagearc for truecolor in blendingmode).
Fixed bug #66555 (Always false condition in ext/gd/libgd/gdkanji.c).
Fixed bug #68712 (suspicious if-else statements).
Fixed bug #72697 (select_colors write out-of-bounds). (CVE-2016-7126)
Fixed bug #72730 (imagegammacorrect allows arbitrary write access). (CVE-2016-7127)
Fixed bug #72494 (imagecropauto out-of-bounds access)
Intl:
Fixed bug #72639 (Segfault when instantiating class that extends IntlCalendar and adds a property).
Partially fixed Fixed bug #72506 (idn_to_ascii for UTS #46 incorrect for long domain names).
mbstring:
Fixed bug #72691 (mb_ereg_search raises a warning if a match zero-width).
Fixed bug #72693 (mb_ereg_search increments search position when a match zero-width).
Fixed bug #72694 (mb_ereg_search_setpos does not accept a string's last position).
Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error).
Mcrypt:
Fixed bug #72782 (Heap Overflow due to integer overflows).
Opcache:
Fixed bug #72590 (Opcache restart with kill_all_lockers does not work).
PCRE:
Fixed bug #72688 (preg_match missing group names in matches).
PDO_pgsql:
Fixed bug #70313 (PDO statement fails to throw exception).
Reflection:
Fixed bug #72222 (ReflectionClass::export doesn't handle array constants).
SimpleXML:
Fixed bug #72588 (Using global var doesn't work while accessing SimpleXML element).
SNMP:
Fixed bug #72708 (php_snmp_parse_oid integer overflow in memory allocation).
SPL:
Fixed bug #55701 (GlobIterator throws LogicException).
Fixed bug #72646 (SplFileObject::getCsvControl does not return the escape character).
Fixed bug #72684 (AppendIterator segfault with closed generator).
SQLite3:
Fixed bug #72668 (Spurious warning when exception is thrown in user defined function).
Fixed bug #72571 (SQLite3::bindValue, SQLite3::bindParam crash).
Implemented FR #72653 (SQLite should allow opening with empty filename).
Updated to SQLite3 3.13.0.
Standard:
Fixed bug #72622 (array_walk + array_replace_recursive create references from nothing).
Fixed bug #72152 (base64_decode $strict fails to detect null byte).
Fixed bug #72263 (base64_decode skips a character after padding in strict mode).
Fixed bug #72264 (base64_decode $strict fails with whitespace between padding).
Fixed bug #72330 (CSV fields incorrectly split if escape char followed by UTF chars).
Streams:
Fixed bug #41021 (Problems with the ftps wrapper).
Fixed bug #54431 (opendir() does not work with ftps:// wrapper).
Fixed bug #72667 (opendir() with ftp:// attempts to open data stream for non-existent directories).
Fixed bug #72771 (ftps:// wrapper is vulnerable to protocol downgrade attack).
XMLRPC:
Fixed bug #72647 (xmlrpc_encode() unexpected output after referencing array elements).
Wddx:
Fixed bug #72564 (boolean always deserialized as "true").
Fixed bug #72142 (WDDX Packet Injection Vulnerability in wddx_serialize_value()).
Fixed bug #72749 (wddx_deserialize allows illegal memory access). (CVE-2016-7129)
Fixed bug #72750 (wddx_deserialize null dereference). (CVE-2016-7130)
Fixed bug #72790 (wddx_deserialize null dereference with invalid xml). (CVE-2016-7131)
Fixed bug #72799 (wddx_deserialize null dereference in php_wddx_pop_element). (CVE-2016-7132)
Zip:
Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd).
Version 7.0.9
21 Jul 2016 Core:
Fixed bug #72508 (strange references after recursive function call and "switch" statement).
Fixed bug #72513 (Stack-based buffer overflow vulnerability in virtual_file_ex). (CVE-2016-6289)
Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications). (CVE-2016-5385)
bz2:
Fixed bug #72613 (Inadequate error handling in bzread()). (CVE-2016-5399)
CLI:
Fixed bug #72484 (SCRIPT_FILENAME shows wrong path if the user specify router.php).
COM:
Fixed bug #72498 (variant_date_from_timestamp null dereference).
Curl:
Fixed bug #72541 (size_t overflow lead to heap corruption).
Date:
Fixed bug #66836 (DateTime::createFromFormat 'U' with pre 1970 dates fails parsing).
Exif:
Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE). (CVE-2016-6291)
Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment). (CVE-2016-6292)
GD:
Fixed bug #43475 (Thick styled lines have scrambled patterns).
Fixed bug #53640 (XBM images require width to be multiple of 8).
Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line).
Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).
Fixed bug #72519 (imagegif/output out-of-bounds access).
Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()). (CVE-2016-6207)
Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow).
Fixed bug #72494 (imagecropauto out-of-bounds access).
Intl:
Fixed bug #72533 (locale_accept_from_http out-of-bounds access). (CVE-2016-6294)
Mbstring:
Fixed bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) - oob read access).
Fixed bug #72399 (Use-After-Free in MBString (search_re)).
mcrypt:
Fixed bug #72551 , bug #72552 (Incorrect casting from size_t to int lead to heap overflow in mdecrypt_generic).
PDO_pgsql:
Fixed bug #72570 (Segmentation fault when binding parameters on a query without placeholders).
PCRE:
Fixed bug #72476 (Memleak in jit_stack).
Fixed bug #72463 (mail fails with invalid argument).
Readline:
Fixed bug #72538 (readline_redisplay crashes php).
Standard:
Fixed bug #72505 (readfile() mangles files larger than 2G).
Fixed bug #72306 (Heap overflow through proc_open and $env parameter).
Session:
Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow).
Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session Deserialization).
SNMP:
Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()). (CVE-2016-6295)
Streams:
Fixed bug #72439 (Stream socket with remote address leads to a segmentation fault).
XMLRPC:
Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c). (CVE-2016-6296)
Zip:
Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener). (CVE-2016-6297)
Version 7.0.8
23 Jun 2016 Core:
Fixed bug #72218 (If host name cannot be resolved then PHP 7 crashes).
Fixed bug #72221 (segfault, past-the-end access).
Fixed bug #72268 (Integer Overflow in nl2br()).
Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/ json_utf8_to_utf16()).
Fixed bug #72400 (Integer Overflow in addcslashes/addslashes).
Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL).
Date:
Fixed bug #63740 (strtotime seems to use both sunday and monday as start of week).
FPM:
Fixed bug #72308 (fastcgi_finish_request and logging environment variables).
GD:
Fixed bug #72298 (pass2_no_dither out-of-bounds access).
Fixed bug #72337 (invalid dimensions can lead to crash).
Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in heap overflow). (CVE-2016-5766)
Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert).
Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow). (CVE-2016-5767)
Intl:
Fixed bug #70484 (selectordinal doesn't work with named parameters).
mbstring:
Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (CVE-2016-5768)
mcrypt:
Fixed bug #72455 (Heap Overflow due to integer overflows). (CVE-2016-5769)
OpenSSL:
Fixed bug #72140 (segfault after calling ERR_free_strings()).
PCRE:
Fixed bug #72143 (preg_replace uses int instead of size_t).
PDO_pgsql:
Fixed bug #71573 (Segfault (core dumped) if paramno beyond bound).
Fixed bug #72294 (Segmentation fault/invalid pointer in connection with pgsql_stmt_dtor).
Phar:
Fixed bug #72321 (invalid free in phar_extract_file()). (CVE-2016-4473)
Phpdbg:
Fixed bug #72284 (phpdbg fatal errors with coverage).
Postgres:
Fixed bug #72195 (pg_pconnect/pg_connect cause use-after-free).
Fixed bug #72197 (pg_lo_create arbitrary read).
Standard:
Fixed bug #72017 (range() with float step produces unexpected result).
Fixed bug #72193 (dns_get_record returns array containing elements of type 'unknown').
Fixed bug #72229 (Wrong reference when serialize/unserialize an object).
Fixed bug #72300 (ignore_user_abort(false) has no effect).
WDDX:
Fixed bug #72340 (Double Free Courruption in wddx_deserialize). (CVE-2016-5772)
XML:
Fixed bug #72206 (xml_parser_create/xml_parser_free leaks mem).
XMLRPC:
Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type).
Zip:
Fixed bug #72258 (ZipArchive converts filenames to unrecoverable form).
Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize). (CVE-2016-5773)
Version 7.0.7
26 May 2016 Core:
Fixed bug #72162 (use-after-free - error_reporting).
Add compiler option to disable special case function calls.
Fixed bug #72101 (crash on complex code).
Fixed bug #72100 (implode() inserts garbage into resulting string when joins very big integer).
Fixed bug #72057 (PHP Hangs when using custom error handler and typehint).
Fixed bug #72038 (Function calls with values to a by-ref parameter don't always throw a notice).
Fixed bug #71737 (Memory leak in closure with parameter named $this).
Fixed bug #72059 (?? is not allowed on constant expressions).
Fixed bug #72159 (Imported Class Overrides Local Class Name).
Curl:
Fixed bug #68658 (Define CURLE_SSL_CACERT_BADFILE).
DBA:
Fixed bug #72157 (use-after-free caused by dba_open).
GD:
Fixed bug #72227 (imagescale out-of-bounds read). (CVE-2013-7456)
Intl:
Fixed bug #64524 (Add intl.use_exceptions to php.ini-*).
Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (CVE-2016-5093)
JSON:
Fixed bug #72069 (Behavior \JsonSerializable different from json_encode).
Mbstring:
Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace).
OCI8:
Fixed bug #71600 (oci_fetch_all segfaults when selecting more than eight columns).
Opcache:
Fixed bug #72014 (Including a file with anonymous classes multiple times leads to fatal error).
OpenSSL:
Fixed bug #72165 (Null pointer dereference - openssl_csr_new).
PCNTL:
Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite).
POSIX:
Fixed bug #72133 (php_posix_group_to_array crashes if gr_passwd is NULL).
Postgres:
Fixed bug #72028 (pg_query_params(): NULL converts to empty string).
Fixed bug #71062 (pg_convert() doesn't accept ISO 8601 for datatype timestamp).
Fixed bug #72151 (mysqli_fetch_object changed behaviour). Patch to #71820 is reverted.
Reflection:
Fixed bug #72174 (ReflectionProperty#getValue() causes __isset call).
Session:
Fixed bug #71972 (Cyclic references causing session_start(): Failed to decode session object).
Sockets:
Added socket_export_stream() function for getting a stream compatible resource from a socket resource.
SPL:
Fixed bug #72051 (The reference in CallbackFilterIterator doesn't work as expected).
SQLite3:
Fixed bug #68849 (bindValue is not using the right data type).
Standard:
Fixed bug #72075 (Referencing socket resources breaks stream_select).
Fixed bug #72031 (array_column() against an array of objects discards all values matching null).
Version 7.0.6
28 Apr 2016 Core:
Fixed bug #71930 (_zval_dtor_func: Assertion `(arr)->gc.refcount <= 1' failed).
Fixed bug #71922 (Crash on assert(new class{})).
Fixed bug #71914 (Reference is lost in "switch").
Fixed bug #71871 (Interfaces allow final and abstract functions).
Fixed bug #71859 (zend_objects_store_call_destructors operates on realloced memory, crashing).
Fixed bug #71841 (EG(error_zval) is not handled well).
Fixed bug #71750 (Multiple Heap Overflows in php_raw_url_encode/ php_url_encode).
Fixed bug #71731 (Null coalescing operator and ArrayAccess).
Fixed bug #71609 (Segmentation fault on ZTS with gethostbyname).
Fixed bug #71414 (Inheritance, traits and interfaces).
Fixed bug #71359 (Null coalescing operator and magic).
Fixed bug #71334 (Cannot access array keys while uksort()).
Fixed bug #69659 (ArrayAccess, isset() and the offsetExists method).
Fixed bug #69537 (__debugInfo with empty string for key gives error).
Fixed bug #62059 (ArrayObject and isset are not friends).
Fixed bug #71980 (Decorated/Nested Generator is Uncloseable in Finally).
BCmath:
Fixed bug #72093 (bcpowmod accepts negative scale and corrupts _one_ definition). (CVE-2016-4537, CVE-2016-4538)
Curl:
Fixed bug #71831 (CURLOPT_NOPROXY applied as long instead of string).
Date:
Fixed bug #71889 (DateInterval::format Segmentation fault).
EXIF:
Fixed bug #72094 (Out of bounds heap read access in exif header processing). (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544)
GD:
Fixed bug #71912 (libgd: signedness vulnerability). (CVE-2016-3074)
Intl:
Fixed bug #71516 (IntlDateFormatter looses locale if pattern is set via constructor).
Fixed bug #70455 (Missing constant: IntlChar::NO_NUMERIC_VALUE).
Fixed bug #70451 , #70452 (Inconsistencies in return values of IntlChar methods).
Fixed bug #68893 (Stackoverflow in datefmt_create).
Fixed bug #66289 (Locale::lookup incorrectly returns en or en_US if locale is empty).
Fixed bug #70484 (selectordinal doesn't work with named parameters).
Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative offset). (CVE-2016-4540, CVE-2016-4541)
ODBC:
Fixed bug #63171 (Script hangs after max_execution_time).
Opcache:
Fixed bug #71843 (null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER).
PDO:
Fixed bug #52098 (Own PDOStatement implementation ignore __call()).
Fixed bug #71447 (Quotes inside comments not properly handled).
PDO_DBlib:
Fixed bug #71943 (dblib_handle_quoter needs to allocate an extra byte).
Add DBLIB-specific attributes for controlling timeouts.
PDO_pgsql:
Fixed bug #62498 (pdo_pgsql inefficient when getColumnMeta() is used).
Postgres:
Fixed bug #71820 (pg_fetch_object binds parameters before call constructor).
Fixed bug #71998 (Function pg_insert does not insert when column type = inet).
SOAP:
Fixed bug #71986 (Nested foreach assign-by-reference creates broken variables).
SPL:
Fixed bug #71838 (Deserializing serialized SPLObjectStorage-Object can't access properties in PHP).
Fixed bug #71735 (Double-free in SplDoublyLinkedList::offsetSet).
Fixed bug #67582 (Cloned SplObjectStorage with overwritten getHash fails offsetExists()).
Fixed bug #52339 (SPL autoloader breaks class_exists()).
Standard:
Fixed bug #72116 (array_fill optimization breaks implementation).
Fixed bug #71995 (Returning the same var twice from __sleep() produces broken serialized data).
Fixed bug #71940 (Unserialize crushes on restore object reference).
Fixed bug #71969 (str_replace returns an incorrect resulting array after a foreach by reference).
Fixed bug #71891 (header_register_callback() and register_shutdown_function()).
Fixed bug #71884 (Null pointer deref (segfault) in stream_context_get_default).
Fixed bug #71840 (Unserialize accepts wrongly data).
Fixed bug #71837 (Wrong arrays behaviour).
Fixed bug #71827 (substr_replace bug, string length).
Fixed bug #67512 (php_crypt() crashes if crypt_r() does not exist or _REENTRANT is not defined).
XML:
Fixed bug #72099 (xml_parse_into_struct segmentation fault). (CVE-2016-4539)
Zip:
Fixed bug #71923 (integer overflow in ZipArchive::getFrom*). (CVE-2016-3078)
Version 7.0.5
31 Mar 2016 Core:
Huge pages disabled by default.
Added ability to enable huge pages in Zend Memory Manager through the environment variable USE_ZEND_ALLOC_HUGE_PAGES=1.
Fixed bug #71756 (Call-by-reference widens scope to uninvolved functions when used in switch).
Fixed bug #71729 (Possible crash in zend_bin_strtod, zend_oct_strtod, zend_hex_strtod).
Fixed bug #71695 (Global variables are reserved before execution).
Fixed bug #71629 (Out-of-bounds access in php_url_decode in context php_stream_url_wrap_rfc2397).
Fixed bug #71622 (Strings used in pass-as-reference cannot be used to invoke C::$callable()).
Fixed bug #71596 (Segmentation fault on ZTS with date function (setlocale)).
Fixed bug #71535 (Integer overflow in zend_mm_alloc_heap()).
Fixed bug #71470 (Leaked 1 hashtable iterators).
Fixed bug #71575 (ISO C does not allow extra ‘;’ outside of a function).
Fixed bug #71724 (yield from does not count EOLs).
Fixed bug #71767 (ReflectionMethod::getDocComment returns the wrong comment).
Fixed bug #71806 (php_strip_whitespace() fails on some numerical values).
Fixed bug #71624 (`php -R` (PHP_MODE_PROCESS_STDIN) is broken).
CLI Server:
Fixed bug #69953 (Support MKCALENDAR request method).
Curl:
Fixed bug #71694 (Support constant CURLM_ADDED_ALREADY).
Date:
Fixed bug #71635 (DatePeriod::getEndDate segfault).
Fileinfo:
Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic file). (CVE-2015-8865)
libxml:
Fixed bug #71536 (Access Violation crashes php-cgi.exe).
mbstring:
Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in mbfl_strcut). (CVE-2016-4073)
ODBC:
Fixed bug #47803 , #69526 (Executing prepared statements is succesfull only for the first two statements).
PCRE:
Fixed bug #71659 (segmentation fault in pcre running twig tests).
PDO_DBlib:
Fixed bug #54648 (PDO::MSSQL forces format of datetime fields).
Phar:
Fixed bug #71625 (Crash in php7.dll with bad phar filename).
Fixed bug #71317 (PharData fails to open specific file).
Fixed bug #71860 (Invalid memory write in phar on filename with \0 in name). (CVE-2016-4072)
phpdbg:
Fixed crash when advancing (except step) inside an internal function.
Session:
Fixed bug #71683 (Null pointer dereference in zend_hash_str_find_bucket).
SNMP:
Fixed bug #71704 (php_snmp_error() Format String Vulnerability). (CVE-2016-4071)
SPL:
Fixed bug #71617 (private properties lost when unserializing ArrayObject).
Standard:
Fixed bug #71660 (array_column behaves incorrectly after foreach by reference).
Fixed bug #71798 (Integer Overflow in php_raw_url_encode). (CVE-2016-4070)
Zip:
Update bundled libzip to 1.1.2.
Version 7.0.4
03 Mar 2016 Core:
Fixed bug (Low probability segfault in zend_arena).
Fixed bug #71441 (Typehinted Generator with return in try/finally crashes).
Fixed bug #71442 (forward_static_call crash).
Fixed bug #71443 (Segfault using built-in webserver with intl using symfony).
Fixed bug #71449 (An integer overflow bug in php_implode()).
Fixed bug #71450 (An integer overflow bug in php_str_to_str_ex()).
Fixed bug #71474 (Crash because of VM stack corruption on Magento2).
Fixed bug #71485 (Return typehint on internal func causes Fatal error when it throws exception).
Fixed bug #71529 (Variable references on array elements don't work when using count).
Fixed bug #71601 (finally block not executed after yield from).
Fixed bug #71637 (Multiple Heap Overflow due to integer overflows in xml/filter_url/addcslashes). (CVE-2016-4344, CVE-2016-4345, CVE-2016-4346)
CLI server:
Fixed bug #71559 (Built-in HTTP server, we can download file in web by bug).
CURL:
Fixed bug #71523 (Copied handle with new option CURLOPT_HTTPHEADER crashes while curl_multi_exec).
Fixed memory leak in curl_getinfo().
Date:
Fixed bug #71525 (Calls to date_modify will mutate timelib_rel_time, causing date_date_set issues).
Fileinfo:
Fixed bug #71434 (finfo throws notice for specific python file).
FPM:
Fixed bug #62172 (FPM not working with Apache httpd 2.4 balancer/fcgi setup).
Fixed bug #71269 (php-fpm dumped core).
Opcache:
Fixed bug #71584 (Possible use-after-free of ZCG(cwd) in Zend Opcache).
PCRE:
Fixed bug #71537 (PCRE segfault from Opcache).
phpdbg:
Fixed inherited functions from unspecified files being included in phpdbg_get_executable().
SOAP:
Fixed bug #71610 (Type Confusion Vulnerability - SOAP / make_http_soap_request()). (CVE-2016-3185)
Standard:
Fixed bug #71603 (compact() maintains references in php7).
Fixed bug #70720 (strip_tags improper php code parsing).
XMLRPC:
Fixed bug #71501 (xmlrpc_encode_request ignores encoding option).
Zip:
Fixed bug #71561 (NULL pointer dereference in Zip::ExtractTo).
Version 7.0.3
04 Feb 2016 Core:
Added support for new HTTP 451 code.
Fixed bug #71039 (exec functions ignore length but look for NULL termination).
Fixed bug #71089 (No check to duplicate zend_extension).
Fixed bug #71201 (round() segfault on 64-bit builds).
Fixed bug #71221 (Null pointer deref (segfault) in get_defined_vars via ob_start).
Fixed bug #71248 (Wrong interface is enforced).
Fixed bug #71273 (A wrong ext directory setup in php.ini leads to crash).
Fixed bug #71275 (Bad method called on cloning an object having a trait).
Fixed bug #71297 (Memory leak with consecutive yield from).
Fixed bug #71300 (Segfault in zend_fetch_string_offset).
Fixed bug #71314 (var_export(INF) prints INF.0).
Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).
Fixed bug #71336 (Wrong is_ref on properties as exposed via get_object_vars()).
Fixed bug #71459 (Integer overflow in iptcembed()).
Apache2handler:
Fix >2G Content-Length headers in apache2handler.
CURL:
Fixed bug #71227 (Can't compile php_curl statically).
Fixed bug #71225 (curl_setopt() fails to set CURLOPT_POSTFIELDS with reference to CURLFile).
GD:
Interbase:
Fixed bug #71305 (Crash when optional resource is omitted).
LDAP:
Fixed bug #71249 (ldap_mod_replace/ldap_mod_add store value as string "Array").
mbstring:
Fixed bug #71397 (mb_send_mail segmentation fault).
OpenSSL:
Fixed bug #71475 (openssl_seal() uninitialized memory usage).
PCRE:
Upgraded bundled PCRE library to 8.38. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)
Phar:
Fixed bug #71354 (Heap corruption in tar/zip/phar parser). (CVE-2016-4342)
Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()). (CVE-2016-4343)
Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
Fixed bug #71488 (Stack overflow when decompressing tar archives). (CVE-2016-2554)
SOAP:
Fixed bug #70979 (crash with bad soap request).
SPL:
Fixed bug #71204 (segfault if clean spl_autoload_funcs while autoloading).
Fixed bug #71202 (Autoload function registered by another not activated immediately).
Fixed bug #71311 (Use-after-free vulnerability in SPL(ArrayObject, unserialize)).
Fixed bug #71313 (Use-after-free vulnerability in SPL(SplObjectStorage, unserialize)).
Standard:
Fixed bug #71287 (Error message contains hexadecimal instead of decimal number).
Fixed bug #71264 (file_put_contents() returns unexpected value when filesystem runs full).
Fixed bug #71245 (file_get_contents() ignores "header" context option if it's a reference).
Fixed bug #71220 (Null pointer deref (segfault) in compact via ob_start).
Fixed bug #71190 (substr_replace converts integers in original $search array to strings).
Fixed bug #71188 (str_replace converts integers in original $search array to strings).
Fixed bug #71132 , #71197 (range() segfaults).
WDDX:
Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).
Version 7.0.2
07 Jan 2016 Core:
Fixed bug #71165 (-DGC_BENCH=1 doesn't work on PHP7).
Fixed bug #71163 (Segmentation Fault: cleanup_unfinished_calls).
Fixed bug #71109 (ZEND_MOD_CONFLICTS("xdebug") doesn't work).
Fixed bug #71092 (Segmentation fault with return type hinting).
Fixed bug memleak in header_register_callback.
Fixed bug #71067 (Local object in class method stays in memory for each call).
Fixed bug #66909 (configure fails utf8_to_mutf7 test).
Fixed bug #70781 (Extension tests fail on dynamic ext dependency).
Fixed bug #71089 (No check to duplicate zend_extension).
Fixed bug #71086 (Invalid numeric literal parse error within highlight_string() function).
Fixed bug #71154 (Incorrect HT iterator invalidation causes iterator reuse).
Fixed bug #52355 (Negating zero does not produce negative zero).
Fixed bug #66179 (var_export() exports float as integer).
Fixed bug #70804 (Unary add on negative zero produces positive zero).
CURL:
Fixed bug #71144 (Sementation fault when using cURL with ZTS).
DBA:
Fixed key leak with invalid resource.
Filter:
Fixed bug #71063 (filter_input(INPUT_ENV, ..) does not work).
FTP:
Implemented FR #55651 (Option to ignore the returned FTP PASV address).
FPM:
Fixed bug #70755 (fpm_log.c memory leak and buffer overflow). (CVE-2016-5114)
GD:
Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds). (CVE-2016-1903)
Mbstring:
Fixed bug #71066 (mb_send_mail: Program terminated with signal SIGSEGV, Segmentation fault).
Opcache:
Fixed bug #71127 (Define in auto_prepend_file is overwrite).
PCRE:
Fixed bug #71178 (preg_replace with arrays creates [0] in replace array if not already set).
Readline:
Fixed bug #71094 (readline_completion_function corrupts static array on second TAB).
Session:
Fixed bug #71122 (Session GC may not remove obsolete session data).
SPL:
Fixed bug #71077 (ReflectionMethod for ArrayObject constructor returns wrong number of parameters).
Fixed bug #71153 (Performance Degradation in ArrayIterator with large arrays).
Standard:
Fixed bug #71270 (Heap BufferOver Flow in escapeshell functions). (CVE-2016-1904)
WDDX:
Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability).
XMLRPC:
Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker).
Version 7.0.1
17 Dec 2015 Core:
Fixed bug #71105 (Format String Vulnerability in Class Name Error Message). (CVE-2015-8617)
Fixed bug #70831 (Compile fails on system with 160 CPUs).
Fixed bug #71006 (symbol referencing errors on Sparc/Solaris).
Fixed bug #70997 (When using parentClass:: instead of parent::, static context changed).
Fixed bug #70970 (Segfault when combining error handler with output buffering).
Fixed bug #70967 (Weird error handling for __toString when Error is thrown).
Fixed bug #70958 (Invalid opcode while using ::class as trait method paramater default value).
Fixed bug #70944 (try{ } finally{} can create infinite chains of exceptions).
Fixed bug #70931 (Two errors messages are in conflict).
Fixed bug #70904 (yield from incorrectly marks valid generator as finished).
Fixed bug #70899 (buildconf failure in extensions).
Fixed bug #61751 (SAPI build problem on AIX: Undefined symbol: php_register_internal_extensions).
Fixed \int (or generally every scalar type name with leading backslash) to not be accepted as type name.
Fixed exception not being thrown immediately into a generator yielding from an array.
Fixed bug #70987 (static::class within Closure::call() causes segfault).
Fixed bug #71013 (Incorrect exception handler with yield from).
Fixed double free in error condition of format printer.
CLI server:
Fixed bug #71005 (Segfault in php_cli_server_dispatch_router()).
Intl:
Fixed bug #71020 (Use after free in Collator::sortWithSortKeys). (CVE-2015-8616)
Mysqlnd:
Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction).
Fixed bug #68344 (MySQLi does not provide way to disable peer certificate validation) by introducing MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT connection flag.
OCI8:
Fixed LOB implementation size_t/zend_long mismatch reported by gcov.
Opcache:
Fixed bug #71024 (Unable to use PHP 7.0 x64 side-by-side with PHP 5.6 x32 on the same server).
Fixed bug #70991 (zend_file_cache.c:710: error: array type has incomplete element type).
Fixed bug #70977 (Segmentation fault with opcache.huge_code_pages=1).
PDO_Firebird:
Fixed bug #60052 (Integer returned as a 64bit integer on X64_86).
Phpdbg:
Fixed stderr being written to stdout.
Reflection:
Fixed bug #71018 (ReflectionProperty::setValue() behavior changed).
Fixed bug #70982 (setStaticPropertyValue behaviors inconsistently with 5.6).
Soap:
Fixed bug #70993 (Array key references break argument processing).
SPL:
Fixed bug #71028 (Undefined index with ArrayIterator).
SQLite3:
Fixed bug #71049 (SQLite3Stmt::execute() releases bound parameter instead of internal buffer).
Standard:
Fixed bug #70999 (php_random_bytes: called object is not a function).
Fixed bug #70960 (ReflectionFunction for array_unique returns wrong number of parameters).
Streams/Socket:
Add IPV6_V6ONLY constant / make it usable in stream contexts.
Version 7.0.0
03 Dec 2015 Core:
Fixed bug #70947 (INI parser segfault with INI_SCANNER_TYPED).
Fixed bug #70914 (zend_throw_or_error() format string vulnerability).
Fixed bug #70912 (Null ptr dereference instantiating class with invalid array property).
Fixed bug #70895 , #70898 (null ptr deref and segfault with crafted calable).
Fixed bug #70249 (Segmentation fault while running PHPUnit tests on phpBB 3.2-dev).
Fixed bug #70805 (Segmentation faults whilst running Drupal 8 test suite).
Fixed bug #70842 (Persistent Stream Segmentation Fault).
Fixed bug #70862 (Several functions do not check return code of php_stream_copy_to_mem()).
Fixed bug #70863 (Incorect logic to increment_function for proxy objects).
Fixed bug #70323 (Regression in zend_fetch_debug_backtrace() can cause segfaults).
Fixed bug #70873 (Regression on private static properties access).
Fixed bug #70748 (Segfault in ini_lex () at Zend/zend_ini_scanner.l).
Fixed bug #70689 (Exception handler does not work as expected).
Fixed bug #70430 (Stack buffer overflow in zend_language_parser()).
Fixed bug #70782 (null ptr deref and segfault (zend_get_class_fetch_type)).
Fixed bug #70785 (Infinite loop due to exception during identical comparison).
Fixed bug #70630 (Closure::call/bind() crash with ReflectionFunction-> getClosure()).
Fixed bug #70662 (Duplicate array key via undefined index error handler).
Fixed bug #70681 (Segfault when binding $this of internal instance method to null).
Fixed bug #70685 (Segfault for getClosure() internal method rebind with invalid $this).
Added zend_internal_function.reserved[] fields.
Fixed bug #70557 (Memleak on return type verifying failed).
Fixed bug #70555 (fun_get_arg() on unsetted vars return UNKNOW).
Fixed bug #70548 (Redundant information printed in case of uncaught engine exception).
Fixed bug #70547 (unsetting function variables corrupts backtrace).
Fixed bug #70528 (assert() with instanceof adds apostrophes around class name).
Fixed bug #70481 (Memory leak in auto_global_copy_ctor() in ZTS build).
Fixed bug #70431 (Memory leak in php_ini.c).
Fixed bug #70478 (**= does no longer work).
Fixed bug #70398 (SIGSEGV, Segmentation fault zend_ast_destroy_ex).
Fixed bug #70332 (Wrong behavior while returning reference on object).
Fixed bug #70300 (Syntactical inconsistency with new group use syntax).
Fixed bug #70321 (Magic getter breaks reference to array property).
Fixed bug #70187 (Notice: unserialize(): Unexpected end of serialized data).
Fixed bug #70145 (From field incorrectly parsed from headers).
Fixed bug #70370 (Bundled libtool.m4 doesn't handle FreeBSD 10 when building extensions).
Fixed bug causing exception traces with anon classes to be truncated.
Fixed bug #70397 (Segmentation fault when using Closure::call and yield).
Fixed bug #70299 (Memleak while assigning object offsetGet result).
Fixed bug #70288 (Apache crash related to ZEND_SEND_REF).
Fixed bug #70262 (Accessing array crashes PHP 7.0beta3).
Fixed bug #70258 (Segfault if do_resize fails to allocated memory).
Fixed bug #70253 (segfault at _efree () in zend_alloc.c:1389).
Fixed bug #70240 (Segfault when doing unset($var());).
Fixed bug #70223 (Incrementing value returned by magic getter).
Fixed bug #70215 (Segfault when __invoke is static).
Fixed bug #70207 (Finally is broken with opcache).
Fixed bug #70173 (ZVAL_COPY_VALUE_EX broken for 32bit Solaris Sparc).
Fixed bug #69487 (SAPI may truncate POST data).
Fixed bug #70198 (Checking liveness does not work as expected).
Fixed bug #70241 , #70293 (Skipped assertions affect Generator returns).
Fixed bug #70239 (Creating a huge array doesn't result in exhausted, but segfault).
Fixed "finally" issues.
Fixed bug #70098 (Real memory usage doesn't decrease).
Fixed bug #70159 (__CLASS__ is lost in closures).
Fixed bug #70156 (Segfault in zend_find_alias_name).
Fixed bug #70124 (null ptr deref / seg fault in ZEND_HANDLE_EXCEPTION).
Fixed bug #70117 (Unexpected return type error).
Fixed bug #70106 (Inheritance by anonymous class).
Fixed bug #69674 (SIGSEGV array.c:953).
Fixed bug #70164 (__COMPILER_HALT_OFFSET__ under namespace is not defined).
Fixed bug #70108 (sometimes empty $_SERVER['QUERY_STRING']).
Fixed bug #70179 ($this refcount issue).
Fixed bug #69896 ('asm' operand has impossible constraints).
Fixed bug #70183 (null pointer deref (segfault) in zend_eval_const_expr).
Fixed bug #70182 (Segfault in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER).
Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).
Fixed bug #70089 (segfault at ZEND_FETCH_DIM_W_SPEC_VAR_CONST_HANDLER ()).
Fixed bug #70057 (Build failure on 32-bit Mac OS X 10.6.8: recursive inlining).
Fixed bug #70012 (Exception lost with nested finally block).
Fixed bug #69996 (Changing the property of a cloned object affects the original).
Fixed bug #70083 (Use after free with assign by ref to overloaded objects).
Fixed bug #70006 (cli - function with default arg = STDOUT crash output).
Fixed bug #69521 (Segfault in gc_collect_cycles()).
Improved zend_string API.
Fixed bug #69955 (Segfault when trying to combine [] and assign-op on ArrayAccess object).
Fixed bug #69957 (Different ways of handling div/mod/intdiv).
Fixed bug #69900 (Too long timeout on pipes).
Fixed bug #69872 (uninitialised value in strtr with array).
Fixed bug #69868 (Invalid read of size 1 in zend_compile_short_circuiting).
Fixed bug #69849 (Broken output of apache_request_headers).
Fixed bug #69840 (iconv_substr() doesn't work with UTF-16BE).
Fixed bug #69823 (PHP 7.0.0alpha1 segmentation fault when exactly 33 extensions are loaded).
Fixed bug #69805 (null ptr deref and seg fault in zend_resolve_class_name).
Fixed bug #69802 (Reflection on Closure::__invoke borks type hint class name).
Fixed bug #69761 (Serialization of anonymous classes should be prevented).
Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault).
Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business").
Fixed bug #69835 (phpinfo() does not report many Windows SKUs).
Fixed bug #69889 (Null coalesce operator doesn't work for string offsets).
Fixed bug #69891 (Unexpected array comparison result).
Fixed bug #69892 (Different arrays compare indentical due to integer key truncation).
Fixed bug #69893 (Strict comparison between integer and empty string keys crashes).
Fixed bug #69767 (Default parameter value with wrong type segfaults).
Fixed bug #69756 (Fatal error: Nesting level too deep - recursive dependency ? with ===).
Fixed bug #69758 (Item added to array not being removed by array_pop/shift ).
Fixed bug #68475 (Add support for $callable() sytnax with 'Class::method').
Fixed bug #69485 (Double free on zend_list_dtor).
Fixed bug #69427 (Segfault on magic method __call of private method in superclass).
Improved __call() and __callStatic() magic method handling. Now they are called in a stackless way using ZEND_CALL_TRAMPOLINE opcode, without additional stack frame.
Optimized strings concatenation.
Fixed weird operators behavior. Division by zero now emits warning and returns +/-INF, modulo by zero and intdid() throws an exception, shifts by negative offset throw exceptions. Compile-time evaluation of division by zero is disabled.
Fixed bug #69371 (Hash table collision leads to inaccessible array keys).
Fixed bug #68933 (Invalid read of size 8 in zend_std_read_property).
Fixed bug #68252 (segfault in Zend/zend_hash.c in function _zend_hash_del_el).
Fixed bug #65598 (Closure executed via static autoload incorrectly marked as static).
Fixed bug #66811 (Cannot access static::class in lambda, writen outside of a class).
Fixed bug #69568 (call a private function in closure failed).
Added PHP_INT_MIN constant.
Added Closure::call() method.
Fixed bug #67959 (Segfault when calling phpversion('spl')).
Implemented the RFC `Catchable "Call to a member function bar() on a non-object"`.
Added options parameter for unserialize allowing to specify acceptable classes (https://wiki.php.net/rfc/secure_unserialize).
Fixed bug #63734 (Garbage collector can free zvals that are still referenced).
Removed ZEND_ACC_FINAL_CLASS, promoting ZEND_ACC_FINAL as final class modifier.
is_long() & is_integer() is now an alias of is_int().
Implemented FR #55467 (phpinfo: PHP Variables with $ and single quotes).
Added ?? operator.
Added <=> operator.
Added \u{xxxxx} Unicode Codepoint Escape Syntax.
Fixed oversight where define() did not support arrays yet const syntax did.
Use "integer" and "float" instead of "long" and "double" in ZPP, type hint and conversion error messages.
Implemented FR #55428 (E_RECOVERABLE_ERROR when output buffering in output buffering handler).
Removed scoped calls of non-static methods from an incompatible $this context.
Removed support for #-style comments in ini files.
Removed support for assigning the result of new by reference.
Invalid octal literals in source code now produce compile errors, fixes PHPSadness #31.
Removed dl() function on fpm-fcgi.
Removed support for hexadecimal numeric strings.
Removed obsolete extensions and SAPIs. See the full list in UPGRADING.
Added NULL byte protection to exec, system and passthru.
Added error_clear_last() function.
Fixed bug #68797 (Number 2.2250738585072012e-308 converted incorrectly).
Improved zend_qsort(using hybrid sorting algo) for better performance, and also renamed zend_qsort to zend_sort.
Added stable sorting algo zend_insert_sort.
Improved zend_memnchr(using sunday algo) for better performance.
Implemented the RFC `Scalar Type Decalarations v0.5`.
Implemented the RFC `Group Use Declarations`.
Implemented the RFC `Continue Output Buffering`.
Implemented the RFC `Constructor behaviour of internal classes`.
Implemented the RFC `Fix "foreach" behavior`.
Implemented the RFC `Generator Delegation`.
Implemented the RFC `Anonymous Class Support`.
Implemented the RFC `Context Sensitive Lexer`.
Fixed bug #69511 (Off-by-one buffer overflow in php_sys_readlink).
CLI server:
Fixed bug #68291 (404 on urls with '+').
Fixed bug #66606 (Sets HTTP_CONTENT_TYPE but not CONTENT_TYPE).
Fixed bug #70264 (CLI server directory traversal).
Fixed bug #69655 (php -S changes MKCALENDAR request method to MKCOL).
Fixed bug #64878 (304 responses return Content-Type header).
Refactor MIME type handling to use a hash table instead of linear search.
Update the MIME type list from the one shipped by Apache HTTPD.
Added support for SEARCH WebDav method.
COM:
Fixed bug #69939 (Casting object to bool returns false).
Curl:
Fixed bug #70330 (Segmentation Fault with multiple "curl_copy_handle").
Fixed bug #70163 (curl_setopt_array() type confusion).
Fixed bug #70065 (curl_getinfo() returns corrupted values).
Fixed bug #69831 (Segmentation fault in curl_getinfo).
Fixed bug #68937 (Segfault in curl_multi_exec).
Removed support for unsafe file uploads.
Date:
Fixed bug #70245 (strtotime does not emit warning when 2nd parameter is object or string).
Fixed bug #70266 (DateInterval::__construct.interval_spec is not supposed to be optional).
Fixed bug #70277 (new DateTimeZone($foo) is ignoring text after null byte).
Fixed day_of_week function as it could sometimes return negative values internally.
Removed $is_dst parameter from mktime() and gmmktime().
Removed date.timezone warning (https://wiki.php.net/rfc/date.timezone_warning_removal).
Added "v" DateTime format modifier to get the 3-digit version of fraction of seconds.
Implemented FR #69089 (Added DateTime::RFC3339_EXTENDED to output in RFC3339 Extended format which includes fraction of seconds).
DBA:
Fixed bug #62490 (dba_delete returns true on missing item (inifile)).
Fixed bug #68711 (useless comparisons).
DOM:
Fixed bug #70558 ("Couldn't fetch" error in DOMDocument::registerNodeClass()).
Fixed bug #70001 (Assigning to DOMNode::textContent does additional entity encoding).
Fixed bug #69846 (Segmenation fault (access violation) when iterating over DOMNodeList).
Made DOMNode::textContent writeable.
EXIF:
Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).
Fileinfo:
Fixed bug #66242 (libmagic: don't assume char is signed).
Filter:
New FILTER_VALIDATE_DOMAIN and better RFC conformance for FILTER_VALIDATE_URL.
Fixed bug #67167 (Wrong return value from FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE).
FPM:
Fixed bug #70538 ("php-fpm -i" crashes).
Fixed bug #70279 (HTTP Authorization Header is sometimes passed to newer reqeusts).
Fixed bug #68945 (Unknown admin values segfault pools).
Fixed bug #65933 (Cannot specify config lines longer than 1024 bytes).
Implemented FR #67106 (Split main fpm config).
FTP:
Fixed bug #69082 (FTPS support on Windows).
GD:
Fixed bug #53156 (imagerectangle problem with point ordering).
Fixed bug #66387 (Stack overflow with imagefilltoborder). (CVE-2015-8874)
Fixed bug #70102 (imagecreatefromwebm() shifts colors).
Fixed bug #66590 (imagewebp() doesn't pad to even length).
Fixed bug #66882 (imagerotate by -90 degrees truncates image by 1px).
Fixed bug #70064 (imagescale(..., IMG_BICUBIC) leaks memory).
Fixed bug #69024 (imagescale segfault with palette based image).
Fixed bug #53154 (Zero-height rectangle has whiskers).
Fixed bug #67447 (imagecrop() add a black line when cropping).
Fixed bug #68714 (copy 'n paste error).
Fixed bug #66339 (PHP segfaults in imagexbm).
Fixed bug #70047 (gd_info() doesn't report WebP support).
Replace libvpx with libwebp for bundled libgd.
Fixed bug #61221 (imagegammacorrect function loses alpha channel).
Made fontFetch's path parser thread-safe.
Removed T1Lib support.
GMP:
Fixed bug #70284 (Use after free vulnerability in unserialize() with GMP).
hash:
Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).
IMAP:
Fixed bug #70158 (Building with static imap fails).
Fixed bug #69998 (curl multi leaking memory).
Intl:
Fixed bug #70453 (IntlChar::foldCase() incorrect arguments and missing constants).
Fixed bug #70454 (IntlChar::forDigit second parameter should be optional).
Removed deprecated aliases datefmt_set_timezone_id() and IntlDateFormatter::setTimeZoneID().
JSON:
Fixed bug #62010 (json_decode produces invalid byte-sequences).
Fixed bug #68546 (json_decode() Fatal error: Cannot access property started with '\0').
Replace non-free JSON parser with a parser from Jsond extension, fixes #63520 (JSON extension includes a problematic license statement).
Fixed bug #68938 (json_decode() decodes empty string without error).
LDAP:
Fixed bug #47222 (Implement LDAP_OPT_DIAGNOSTIC_MESSAGE).
LiteSpeed:
Updated LiteSpeed SAPI code from V5.5 to V6.6.
libxml:
Fixed handling of big lines in error messages with libxml >= 2.9.0.
Mcrypt:
Fixed bug #70625 (mcrypt_encrypt() won't return data when no IV was specified under RC4).
Fixed bug #69833 (mcrypt fd caching not working).
Fixed possible read after end of buffer and use after free.
Removed mcrypt_generic_end() alias.
Removed mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb(), mcrypt_ofb().
Mysqli:
Fixed bug #32490 (constructor of mysqli has wrong name).
Mysqlnd:
Fixed bug #70949 (SQL Result Sets With NULL Can Cause Fatal Memory Errors).
Fixed bug #70384 (mysqli_real_query():Unknown type 245 sent by the server).
Fixed bug #70456 (mysqlnd doesn't activate TCP keep-alive when connecting to a server).
Fixed bug #70572 segfault in mysqlnd_connect.
Fixed bug #69796 (mysqli_stmt::fetch doesn't assign null values to bound variables).
OCI8:
Fixed memory leak with LOBs.
Fixed bug #68298 (OCI int overflow).
Corrected oci8 hash destructors to prevent segfaults, and a few other fixes.
ODBC:
Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns. (CVE-2015-8879)
Opcache:
Fixed bug #70656 (require() statement broken after opcache_reset() or a few hours of use).
Fixed bug #70843 (Segmentation fault on MacOSX with opcache.file_cache_only=1).
Fixed bug #70724 (Undefined Symbols from opcache.so on Mac OS X 10.10).
Fixed compatibility with Windows 10 (see also bug #70652 ).
Attmpt to fix "Unable to reattach to base address" problem.
Fixed bug #70423 (Warning Internal error: wrong size calculation).
Fixed bug #70237 (Empty while and do-while segmentation fault with opcode on CLI enabled).
Fixed bug #70111 (Segfault when a function uses both an explicit return type and an explicit cast).
Fixed bug #70058 (Build fails when building for i386).
Fixed bug #70022 (Crash with opcache using opcache.file_cache_only=1).
Removed opcache.load_comments configuration directive. Now doc comments loading costs nothing and always enabled.
Fixed bug #69838 (Wrong size calculation for function table).
Fixed bug #69688 (segfault with eval and opcache fast shutdown).
Added experimental (disabled by default) file based opcode cache.
Fixed bug with try blocks being removed when extended_info opcode generation is turned on.
Fixed bug #68644 (strlen incorrect : mbstring + func_overload=2 +UTF-8 + Opcache).
OpenSSL:
Require at least OpenSSL version 0.9.8.
Fixed bug #68312 (Lookup for openssl.cnf causes a message box).
Fixed bug #55259 (openssl extension does not get the DH parameters from DH key resource).
Fixed bug #70395 (Missing ARG_INFO for openssl_seal()).
Fixed bug #60632 (openssl_seal fails with AES).
Implemented FR #70438 (Add IV parameter for openssl_seal and openssl_open).
Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure). (CVE-2015-8867)
Fixed bug #69882 (OpenSSL error "key values mismatch" after openssl_pkcs12_read with extra cert).
Added "alpn_protocols" SSL context option allowing encrypted client/server streams to negotiate alternative protocols using the ALPN TLS extension when built against OpenSSL 1.0.2 or newer. Negotiated protocol information is accessible through stream_get_meta_data() output.
Removed "CN_match" and "SNI_server_name" SSL context options. Use automatic detection or the "peer_name" option instead.
Pcntl:
Fixed bug #70386 (Can't compile on NetBSD because of missing WCONTINUED and WIFCONTINUED).
Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler when setting SIG_DFL).
Implemented FR #68505 (Added wifcontinued and wcontinued).
Added rusage support to pcntl_wait() and pcntl_waitpid().
PCRE:
Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string match).
Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).
Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string match).
Fixed bug #53823 (preg_replace: * qualifier on unicode replace garbles the string).
Fixed bug #69864 (Segfault in preg_replace_callback).
Removed support for the /e (PREG_REPLACE_EVAL) modifier.
PDO:
Fixed bug #70861 (Segmentation fault in pdo_parse_params() during Drupal 8 test suite).
Fixed bug #70389 (PDO constructor changes unrelated variables).
Fixed bug #70272 (Segfault in pdo_mysql).
Fixed bug #70221 (persistent sqlite connection + custom function segfaults).
Fixed bug #59450 (./configure fails with "Cannot find php_pdo_driver.h").
PDO_DBlib:
Fixed bug #69757 (Segmentation fault on nextRowset).
PDO_mysql:
Fixed bug #68424 (Add new PDO mysql connection attr to control multi statements option).
PDO_OCI:
Fixed bug #70308 (PDO::ATTR_PREFETCH is ignored).
PDO_pgsql:
Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u).
Removed PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT attribute in favor of ATTR_EMULATE_PREPARES).
Phar:
Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()).
Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/").
Improved fix for bug #69441 .
Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory).
Phpdbg:
Fixed bug #70614 (incorrect exit code in -rr mode with Exceptions).
Fixed bug #70532 (phpdbg must respect set_exception_handler).
Fixed bug #70531 (Run and quit mode (-qrr) should not fallback to interactive mode).
Fixed bug #70533 (Help overview (-h) does not rpint anything under Windows).
Fixed bug #70449 (PHP won't compile on 10.4 and 10.5 because of missing constants).
Fixed bug #70214 (FASYNC not defined, needs sys/file.h include).
Fixed bug #70138 (Segfault when displaying memory leaks).
Reflection:
Fixed bug #70650 (Wrong docblock assignment).
Fixed bug #70674 (ReflectionFunction::getClosure() leaks memory when used for internal functions).
Fixed bug causing bogus traces for ReflectionGenerator::getTrace().
Fixed inheritance chain of Reflector interface.
Added ReflectionGenerator class.
Added reflection support for return types and type declarations.
Session:
Fixed bug #70876 (Segmentation fault when regenerating session id with strict mode).
Fixed bug #70529 (Session read causes "String is not zero-terminated" error).
Fixed bug #70013 (Reference to $_SESSION is lost after a call to session_regenerate_id()).
Fixed bug #69952 (Data integrity issues accessing superglobals by reference).
Fixed bug #67694 (Regression in session_regenerate_id()).
Fixed bug #68941 (mod_files.sh is a bash-script).
SOAP:
Fixed bug #70940 (Segfault in soap / type_to_string).
Fixed bug #70900 (SoapClient systematic out of memory error).
Fixed bug #70875 (Segmentation fault if wsdl has no targetNamespace attribute).
Fixed bug #70715 (Segmentation fault inside soap client).
Fixed bug #70709 (SOAP Client generates Segfault).
Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE).
Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).
Fixed bug #70079 (Segmentation fault after more than 100 SoapClient calls).
Fixed bug #70032 (make_http_soap_request calls zend_hash_get_current_key_ex(,,,NULL).
Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes).
SPL:
Fixed bug #70959 (ArrayObject unserialize does not restore protected fields).
Fixed bug #70853 (SplFixedArray throws exception when using ref variable as index).
Fixed bug #70868 (PCRE JIT and pattern reuse segfault).
Fixed bug #70730 (Incorrect ArrayObject serialization if unset is called in serialize()).
Fixed bug #70573 (Cloning SplPriorityQueue leads to memory leaks).
Fixed bug #70303 (Incorrect constructor reflection for ArrayObject).
Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items).
Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject).
Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage).
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList).
Fixed bug #70053 (MutlitpleIterator array-keys incompatible change in PHP 7).
Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()).
Fixed bug #69845 (ArrayObject with ARRAY_AS_PROPS broken).
Changed ArrayIterator implementation using zend_hash_iterator_... API. Allowed modification of iterated ArrayObject using the same behavior as proposed in `Fix "foreach" behavior`. Removed "Array was modified outside object and internal position is no longer valid" hack.
Implemented FR #67886 (SplPriorityQueue/SplHeap doesn't expose extractFlags nor curruption state).
Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks the RecursiveIterator).
SQLite3:
Fixed bug #70571 (Memory leak in sqlite3_do_callback).
Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()).
Fixed bug #69897 (segfault when manually constructing SQLite3Result).
Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args).
Standard:
Fixed count on symbol tables.
Fixed bug #70963 (Unserialize shows UNKNOWN in result).
Fixed bug #70910 (extract() breaks variable references).
Fixed bug #70808 (array_merge_recursive corrupts memory of unset items).
Fixed bug #70667 (strtr() causes invalid writes and a crashes).
Fixed bug #70668 (array_keys() doesn't respect references when $strict is true).
Implemented the RFC `Random Functions Throwing Exceptions in PHP 7`.
Fixed bug #70487 (pack('x') produces an error).
Fixed bug #70342 (changing configuration with ignore_user_abort(true) isn't working).
Fixed bug #70295 (Segmentation fault with setrawcookie).
Fixed bug #67131 (setcookie() conditional for empty values not met).
Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage).
Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList).
Fixed bug #70250 (extract() turns array elements to references).
Fixed bug #70211 (php 7 ZEND_HASH_IF_FULL_DO_RESIZE use after free).
Fixed bug #70208 (Assert breaking access on objects).
Fixed bug #70140 (str_ireplace/php_string_tolower - Arbitrary Code Execution).
Implemented FR #70112 (Allow "dirname" to go up various times).
Fixed bug #36365 (scandir duplicates file name at every 65535th file).
Fixed bug #70096 (Repeated iptcembed() adds superfluous FF bytes).
Fixed bug #70018 (exec does not strip all whitespace).
Fixed bug #69983 (get_browser fails with user agent of null).
Fixed bug #69976 (Unable to parse "all" urls with colon char).
Fixed bug #69768 (escapeshell*() doesn't cater to !).
Fixed bug #62922 (Truncating entire string should result in string).
Fixed bug #69723 (Passing parameters by reference and array_column).
Fixed bug #69523 (Cookie name cannot be empty).
Fixed bug #69325 (php_copy_file_ex does not pass the argument).
Fixed bug #69299 (Regression in array_filter's $flag argument in PHP 7).
Removed call_user_method() and call_user_method_array() functions.
Fixed user session handlers (See rfc:session.user.return-value).
Added intdiv() function.
Improved precision of log() function for base 2 and 10.
Remove string category support in setlocale().
Remove set_magic_quotes_runtime() and its alias magic_quotes_runtime().
Fixed bug #65272 (flock() out parameter not set correctly in windows).
Added preg_replace_callback_array function.
Deprecated salt option to password_hash.
Fixed bug #69686 (password_verify reports back error on PHP7 will null string).
Added Windows support for getrusage().
Removed hardcoded limit on number of pipes in proc_open().
Streams:
Fixed bug #70361 (HTTP stream wrapper doesn't close keep-alive connections).
Fixed bug #68532 (convert.base64-encode omits padding bytes).
Removed set_socket_blocking() in favor of its alias stream_set_blocking().
Tokenizer:
Fixed bug #69430 (token_get_all has new irrecoverable errors).
XMLReader:
Fixed bug #70309 (XmlReader read generates extra output).
XMLRPC:
Fixed bug #70526 (xmlrpc_set_type returns false on success).
XSL:
Fixed bug #70678 (PHP7 returns true when false is expected).
Fixed bug #70535 (XSLT: free(): invalid pointer).
Fixed bug #69782 (NULL pointer dereference).
Fixed bug #64776 (The XSLT extension is not thread safe).
Removed xsl.security_prefs ini option.
Zlib:
Added deflate_init(), deflate_add(), inflate_init(), inflate_add() functions allowing incremental/streaming compression/decompression.
Zip:
Fixed bug #70322 (ZipArchive::close() doesn't indicate errors).
Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories). (CVE-2014-9767)
Added ZipArchive::setCompressionName and ZipArchive::setCompressionIndex methods.
Update bundled libzip to 1.0.1.
Fixed bug #67161 (ZipArchive::getStream() returns NULL for certain file).