PHP 7.0.26 Released

PHP 7 ChangeLog

Version 7.0.26

  • Core:
    • Fixed bug #75420 (Crash when modifing property name in __isset for BP_VAR_IS).
    • Fixed bug #75368 (mmap/munmap trashing on unlucky allocations).
  • CLI:
    • Fixed bug #75287 (Builtin webserver crash after chdir in a shutdown function).
  • Enchant:
    • Fixed bug #53070 (enchant_broker_get_path crashes if no path is set).
    • Fixed bug #75365 (Enchant still reports version 1.1.0).
  • Exif:
    • Fixed bug #75301 (Exif extension has built in revision version).
  • GD:
    • Fixed bug #65148 (imagerotate may alter image dimensions).
    • Fixed bug #75437 (Wrong reflection on imagewebp).
  • intl:
    • Fixed bug #75317 (UConverter::setDestinationEncoding changes source instead of destination).
  • interbase:
    • Fixed bug #75453 (Incorrect reflection for ibase_[p]connect).
  • Mysqli:
    • Fixed bug #75434 (Wrong reflection for mysqli_fetch_all function).
  • OCI8:
    • Fixed valgrind issue.
  • Opcache:
    • Fixed bug #75373 (Warning Internal error: wrong size calculation).
  • OpenSSL:
    • Fixed bug #75363 (openssl_x509_parse leaks memory).
    • Fixed bug #75307 (Wrong reflection for openssl_open function).
  • PGSQL:
    • Fixed bug #75419 (Default link incorrectly cleared/linked by pg_close()).
  • SOAP:
    • Fixed bug #75464 (Wrong reflection on SoapClient::__setSoapHeaders).
  • Zlib:
    • Fixed bug #75299 (Wrong reflection on inflate_init and inflate_add).

Version 7.1.11

  • Core:
    • Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()).
    • Fixed bug #75236 (infinite loop when printing an error-message).
    • Fixed bug #75252 (Incorrect token formatting on two parse errors in one request).
    • Fixed bug #75220 (Segfault when calling is_callable on parent).
    • Fixed bug #75290 (debug info of Closures of internal functions contain garbage argument names).
  • Date:
    • Fixed bug #75055 (Out-Of-Bounds Read in timelib_meridian()).
  • Apache2Handler:
    • Fixed bug #75311 (error: 'zend_hash_key' has no member named 'arKey' in apache2handler).
  • Hash:
    • Fixed bug #75303 (sha3 hangs on bigendian).
  • Intl:
    • Fixed bug #75318 (The parameter of UConverter::getAliases() is not optional).
  • litespeed:
    • Fixed bug #75248 (Binary directory doesn't get created when building only litespeed SAPI).
    • Fixed bug #75251 (Missing program prefix and suffix).
  • mcrypt:
    • Fixed bug #72535 (arcfour encryption stream filter crashes php).
  • MySQLi:
    • Fixed bug #75018 (Data corruption when reading fields of bit type).
  • OCI8:
    • Fixed incorrect reference counting.
  • Opcache:
    • Fixed bug #75255 (Request hangs and not finish).
  • PCRE:
    • Fixed bug #75207 (applied upstream patch for CVE-2016-1283).
  • PDO_mysql:
    • Fixed bug #75177 (Type 'bit' is fetched as unexpected string).
  • SPL:
    • Fixed bug #73629 (SplDoublyLinkedList::setIteratorMode masks intern flags).

Version 7.0.25

  • Core:
    • Fixed bug #75241 (Null pointer dereference in zend_mm_alloc_small()).
    • Fixed bug #75236 (infinite loop when printing an error-message).
    • Fixed bug #75252 (Incorrect token formatting on two parse errors in one request).
    • Fixed bug #75220 (Segfault when calling is_callable on parent).
    • Fixed bug #75290 (debug info of Closures of internal functions contain garbage argument names).
  • Apache2Handler:
    • Fixed bug #75311 (error: 'zend_hash_key' has no member named 'arKey' in apache2handler).
  • Date:
    • Fixed bug #75055 (Out-Of-Bounds Read in timelib_meridian()).
  • Intl:
    • Fixed bug #75318 (The parameter of UConverter::getAliases() is not optional).
  • mcrypt:
    • Fixed bug #72535 (arcfour encryption stream filter crashes php).
  • OCI8:
    • Fixed incorrect reference counting.
  • PCRE:
    • Fixed bug #75207 (applied upstream patch for CVE-2016-1283).
  • litespeed:
    • Fixed bug #75248 (Binary directory doesn't get created when building only litespeed SAPI).
    • Fixed bug #75251 (Missing program prefix and suffix).
  • SPL:
    • Fixed bug #73629 (SplDoublyLinkedList::setIteratorMode masks intern flags).

Version 7.1.10

  • Core:
    • Fixed bug #75042 (run-tests.php issues with EXTENSION block).
  • BCMath:
    • Fixed bug #44995 (bcpowmod() fails if scale != 0).
    • Fixed bug #46781 (BC math handles minus zero incorrectly).
    • Fixed bug #54598 (bcpowmod() may return 1 if modulus is 1).
    • Fixed bug #75178 (bcpowmod() misbehaves for non-integer base or modulus).
  • CLI server:
    • Fixed bug #70470 (Built-in server truncates headers spanning over TCP packets).
  • CURL:
    • Fixed bug #75093 (OpenSSL support not detected).
  • GD:
    • Fixed bug #75124 (gdImageGrayScale() may produce colors).
    • Fixed bug #75139 (libgd/gd_interpolation.c:1786: suspicious if ?).
  • Gettext:
    • Fixed bug #73730 (textdomain(null) throws in strict mode).
  • Intl:
    • Fixed bug #75090 (IntlGregorianCalendar doesn't have constants from parent class).
    • Fixed bug #75193 (segfault in collator_convert_object_to_string).
  • PDO_OCI:
    • Fixed bug #74631 (PDO_PCO with PHP-FPM: OCI environment initialized before PHP-FPM sets it up).
  • SPL:
    • Fixed bug #75155 (AppendIterator::append() is broken when appending another AppendIterator).
    • Fixed bug #75173 (incorrect behavior of AppendIterator::append in foreach loop).
  • Standard:
    • Fixed bug #75152 (signed integer overflow in parse_iv).
    • Fixed bug #75097 (gethostname fails if your host name is 64 chars long).

Version 7.0.24

  • Core:
    • Fixed bug #75042 (run-tests.php issues with EXTENSION block).
  • BCMath:
    • Fixed bug #44995 (bcpowmod() fails if scale != 0).
    • Fixed bug #46781 (BC math handles minus zero incorrectly).
    • Fixed bug #54598 (bcpowmod() may return 1 if modulus is 1).
    • Fixed bug #75178 (bcpowmod() misbehaves for non-integer base or modulus).
  • CLI server:
    • Fixed bug #70470 (Built-in server truncates headers spanning over TCP packets).
  • CURL:
    • Fixed bug #75093 (OpenSSL support not detected).
  • GD:
    • Fixed bug #75124 (gdImageGrayScale() may produce colors).
    • Fixed bug #75139 (libgd/gd_interpolation.c:1786: suspicious if ?).
  • Gettext:
    • Fixed bug #73730 (textdomain(null) throws in strict mode).
  • Intl:
    • Fixed bug #75090 (IntlGregorianCalendar doesn't have constants from parent class).
  • PDO_OCI:
    • Fixed bug #74631 (PDO_PCO with PHP-FPM: OCI environment initialized before PHP-FPM sets it up).
  • SPL:
    • Fixed bug #75173 (incorrect behavior of AppendIterator::append in foreach loop).
  • Standard:
    • Fixed bug #75097 (gethostname fails if your host name is 64 chars long).

Version 7.1.9

  • Core:
    • Fixed bug #74947 (Segfault in scanner on INF number).
    • Fixed bug #74954 (null deref and segfault in zend_generator_resume()).
    • Fixed bug #74725 (html_errors=1 breaks unhandled exceptions).
    • Fixed bug #75063 (Main CWD initialized with wrong codepage).
    • Fixed bug #75349 (NAN comparison).
  • cURL:
    • Fixed bug #74125 (Fixed finding CURL on systems with multiarch support).
  • Date:
    • Fixed bugĀ #75002 (Null Pointer Dereference in timelib_time_clone).
  • Intl:
    • Fixed bug #74993 (Wrong reflection on some locale_* functions).
  • Mbstring:
    • Fixed bug #71606 (Segmentation fault mb_strcut with HTML-ENTITIES encoding).
    • Fixed bug #62934 (mb_convert_kana() does not convert iteration marks).
    • Fixed bug #75001 (Wrong reflection on mb_eregi_replace).
  • MySQLi:
    • Fixed bug #74968 (PHP crashes when calling mysqli_result::fetch_object with an abstract class).
  • OCI8:
    • Expose oci_unregister_taf_callback() (Tianfang Yang)
  • Opcache:
    • Fixed bug #74980 (Narrowing occurred during type inference).
  • phar:
    • Fixed bug #74991 (include_path has a 4096 char limit in some cases).
  • Reflection:
    • Fixed bug #74949 (null pointer dereference in _function_string).
  • Session:
    • Fixed bug #74892 (Url Rewriting (trans_sid) not working on urls that start with "#").
    • Fixed bug #74833 (SID constant created with wrong module number).
  • SimpleXML:
    • Fixed bug #74950 (nullpointer deref in simplexml_element_getDocNamespaces).
  • SPL:
    • Fixed bug #75049 (spl_autoload_unregister can't handle spl_autoload_functions results).
    • Fixed bug #74669 (Unserialize ArrayIterator broken).
    • Fixed bug #74977 (Appending AppendIterator leads to segfault).
    • Fixed bug #75015 (Crash in recursive iterator destructors).
  • Standard:
    • Fixed bug #75075 (unpack with X* causes infinity loop).
    • Fixed bug #74103 (heap-use-after-free when unserializing invalid array size).
    • Fixed bug #75054 (A Denial of Service Vulnerability was found when performing deserialization).
  • WDDX:
    • Fixed bug #73793 (WDDX uses wrong decimal seperator).
  • XMLRPC:
    • Fixed bug #74975 (Incorrect xmlrpc serialization for classes with declared properties).

Version 7.0.23

  • Core:
    • Fixed bug #74947 (Segfault in scanner on INF number).
    • Fixed bug #74954 (null deref and segfault in zend_generator_resume()).
    • Fixed bug #74725 (html_errors=1 breaks unhandled exceptions).
    • Fixed bug #75349 (NAN comparison).
  • cURL:
    • Fixed bug #74125 (Fixed finding CURL on systems with multiarch support).
  • Date:
    • Fixed bug #75002 (Null Pointer Dereference in timelib_time_clone).
  • Intl:
    • Fixed bug #74993 (Wrong reflection on some locale_* functions).
  • Mbstring:
    • Fixed bug #71606 (Segmentation fault mb_strcut with HTML-ENTITIES encoding).
    • Fixed bug #62934 (mb_convert_kana() does not convert iteration marks).
    • Fixed bug #75001 (Wrong reflection on mb_eregi_replace).
  • MySQLi:
    • Fixed bug #74968 (PHP crashes when calling mysqli_result::fetch_object with an abstract class).
  • OCI8:
    • Expose oci_unregister_taf_callback() (Tianfang Yang)
  • phar:
    • Fixed bug #74991 (include_path has a 4096 char limit in some cases).
  • Reflection:
    • Fixed bug #74949 (null pointer dereference in _function_string).
  • Session:
    • Fixed bug #74833 (SID constant created with wrong module number).
  • SimpleXML:
    • Fixed bug #74950 (nullpointer deref in simplexml_element_getDocNamespaces).
  • SPL:
    • Fixed bug #75049 (spl_autoload_unregister can't handle spl_autoload_functions results).
    • Fixed bug #74669 (Unserialize ArrayIterator broken).
    • Fixed bug #75015 (Crash in recursive iterator destructors).
  • Standard:
    • Fixed bug #75075 (unpack with X* causes infinity loop).
    • Fixed bug #74103 (heap-use-after-free when unserializing invalid array size).
    • Fixed bug #75054 (A Denial of Service Vulnerability was found when performing deserialization).
  • WDDX:
    • Fixed bug #73793 (WDDX uses wrong decimal seperator).
  • XMLRPC:
    • Fixed bug #74975 (Incorrect xmlrpc serialization for classes with declared properties).

Version 7.1.8

  • Core:
    • Fixed bug #74832 (Loading PHP extension with already registered function name leads to a crash).
    • Fixed bug #74780 (parse_url() broken when query string contains colon).
    • Fixed bug #74761 (Unary operator expected error on some systems).
    • Fixed bug #73900 (Use After Free in unserialize() SplFixedArray).
    • Fixed bug #74923 (Crash when crawling through network share).
    • Fixed bug #74913 (fixed incorrect poll.h include).
    • Fixed bug #74906 (fixed incorrect errno.h include).
  • Date:
    • Fixed bug #74852 (property_exists returns true on unknown DateInterval property).
  • OCI8:
    • Fixed bug #74625 (Integer overflow in oci_bind_array_by_name).
  • Opcache:
    • Fixed bug #74623 (Infinite loop in type inference when using HTMLPurifier).
  • OpenSSL:
    • Fixed bug #74798 (pkcs7_en/decrypt does not work if \x0a is used in content).
    • Added OPENSSL_DONT_ZERO_PAD_KEY constant to prevent key padding and fix bug #71917 (openssl_open() returns junk on envelope < 16 bytes) and bug #72362 (OpenSSL Blowfish encryption is incorrect for short keys).
  • PDO:
    • Fixed bug #69356 (PDOStatement::debugDumpParams() truncates query).
  • SPL:
    • Fixed bug #73471 (PHP freezes with AppendIterator).
  • SQLite3:
    • Fixed bug #74883 (SQLite3::__construct() produces "out of memory" exception with invalid flags).
  • Wddx:
    • Fixed bug #73173 (huge memleak when wddx_unserialize).
  • zlib:
    • Fixed bug #73944 (dictionary option of inflate_init() does not work).

Version 7.0.22

  • Core:
    • Fixed bug #74832 (Loading PHP extension with already registered function name leads to a crash).
    • Fixed bug #74780 (parse_url() borken when query string contains colon).
    • Fixed bug #74761 (Unary operator expected error on some systems).
    • Fixed bug #73900 (Use After Free in unserialize() SplFixedArray).
    • Fixed bug #74913 (fixed incorrect poll.h include).
    • Fixed bug #74906 (fixed incorrect errno.h include).
  • Date:
    • Fixed bug #74852 (property_exists returns true on unknown DateInterval property).
  • OCI8:
    • Fixed bug #74625 (Integer overflow in oci_bind_array_by_name).
  • Opcache:
    • Fixed bug #74840 (Opcache overwrites argument of GENERATOR_RETURN within finally).
  • PDO:
    • Fixed bug #69356 (PDOStatement::debugDumpParams() truncates query).
  • SPL:
    • Fixed bug #73471 (PHP freezes with AppendIterator).
  • SQLite3:
    • Fixed bug #74883 (SQLite3::__construct() produces "out of memory" exception with invalid flags).
  • Wddx:
    • Fixed bug #73173 (huge memleak when wddx_unserialize).
  • zlib:
    • Fixed bug #73944 (dictionary option of inflate_init() does not work).

Version 7.1.7

  • Core:
    • Fixed bug #74738 (Multiple [PATH=] and [HOST=] sections not properly parsed).
    • Fixed bug #74658 (Undefined constants in array properties result in broken properties).
    • Fixed misparsing of abstract unix domain socket names.
    • Fixed bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability).
    • Fixed bug #74101, bug #74614 (Unserialize Heap Use-After-Free (READ: 1) in zval_get_type).
    • Fixed bug #74111 (Heap buffer overread (READ: 1) finish_nested_data from unserialize).
    • Fixed bug #74819 (wddx_deserialize() heap out-of-bound read via php_parse_date()).
  • Date:
    • Fixed bug #74639 (implement clone for DatePeriod and DateInterval).
  • DOM:
    • Fixed bug #69373 (References to deleted XPath query results).
  • GD:
    • Fixed bug #74435 (Buffer over-read into uninitialized memory). (CVE-2017-7890)
  • Intl:
    • Fixed bug #73473 (Stack Buffer Overflow in msgfmt_parse_message).
    • Fixed bug #74705 (Wrong reflection on Collator::getSortKey and collator_get_sort_key).
  • Mbstring:
    • Add oniguruma upstream fix (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229)
  • OCI8:
    • Add TAF callback (PR #2459).
  • Opcache:
    • Fixed bug #74663 (Segfault with opcache.memory_protect and validate_timestamp).
    • Revert opcache.enable_cli to default disabled.
  • OpenSSL:
    • Fixed bug #74720 (pkcs7_en/decrypt does not work if \x1a is used in content).
    • Fixed bug #74651 (negative-size-param (-1) in memcpy in zif_openssl_seal()).
  • PDO_OCI:
    • Support Instant Client 12.2 in --with-pdo-oci configure option.
  • Reflection:
    • Fixed bug #74673 (Segfault when cast Reflection object to string with undefined constant).
  • SPL:
    • Fixed bug #74478 (null coalescing operator failing with SplFixedArray).
  • FTP:
    • Fixed bug #74598 (ftp:// wrapper ignores context arg).
  • PHAR:
    • Fixed bug #74386 (Phar::__construct reflection incorrect).
  • SOAP:
    • Fixed bug #74679 (Incorrect conversion array with WSDL_CACHE_MEMORY).
  • Streams:
    • Fixed bug #74556 (stream_socket_get_name() returns '\0').

Version 7.0.21

  • Core:
    • Fixed bug #74738 (Multiple [PATH=] and [HOST=] sections not properly parsed).
    • Fixed bug #74658 (Undefined constants in array properties result in broken properties).
    • Fixed misparsing of abstract unix domain socket names.
    • Fixed bug #74101, bug #74614 (Unserialize Heap Use-After-Free (READ: 1) in zval_get_type).
    • Fixed bug #74111 (Heap buffer overread (READ: 1) finish_nested_data from unserialize).
    • Fixed bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability).
    • Fixed bug #74819 (wddx_deserialize() heap out-of-bound read via php_parse_date()).
  • DOM:
    • Fixed bug #69373 (References to deleted XPath query results).
  • GD:
    • Fixed bug #74435 (Buffer over-read into uninitialized memory). (CVE-2017-7890)
  • Intl:
    • Fixed bug #73473 (Stack Buffer Overflow in msgfmt_parse_message).
    • Fixed bug #74705 (Wrong reflection on Collator::getSortKey and collator_get_sort_key).
    • Fixed bug #73634 (grapheme_strpos illegal memory access).
  • Mbstring:
    • Add oniguruma upstream fix (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229)
  • OCI8:
    • Add TAF callback (PR #2459).
  • Opcache:
    • Fixed bug #74663 (Segfault with opcache.memory_protect and validate_timestamp).
  • OpenSSL:
    • Fixed bug #74651 (negative-size-param (-1) in memcpy in zif_openssl_seal()).
  • PCRE:
    • Fixed bug #74087 (Segmentation fault in PHP7.1.1(compiled using the bundled PCRE library)).
  • PDO_OCI:
    • Support Instant Client 12.2 in --with-pdo-oci configure option.
  • Reflection:
    • Fixed bug #74673 (Segfault when cast Reflection object to string with undefined constant).
  • SPL:
    • Fixed bug #74478 (null coalescing operator failing with SplFixedArray).
  • Standard:
    • Fixed bug #74708 (Invalid Reflection signatures for random_bytes and random_int).
    • Fixed bug #73648 (Heap buffer overflow in substr).
  • FTP:
    • Fixed bug #74598 (ftp:// wrapper ignores context arg).
  • PHAR:
    • Fixed bug #74386 (Phar::__construct reflection incorrect).
  • SOAP:
    • Fixed bug #74679 (Incorrect conversion array with WSDL_CACHE_MEMORY).
  • Streams:
    • Fixed bug #74556 (stream_socket_get_name() returns '\0').

Version 7.1.6

  • Core:
    • Fixed bug #74600 (crash (SIGSEGV) in _zend_hash_add_or_update_i).
    • Fixed bug #74546 (SIGILL in ZEND_FETCH_CLASS_CONSTANT_SPEC_CONST_CONST).
    • Fixed bug #74589 (__DIR__ wrong for unicode character).
  • intl:
    • Fixed bug #74468 (wrong reflection on Collator::sortWithSortKeys).
  • MySQLi:
    • Fixed bug #74547 (mysqli::change_user() doesn't accept null as $database argument w/strict_types).
  • Opcache:
    • Fixed bug #74596 (SIGSEGV with opcache.revalidate_path enabled).
  • phar:
    • Fixed bug #51918 (Phar::webPhar() does not handle requests sent through PUT and DELETE method).
  • Readline:
    • Fixed bug #74490 (readline() moves the cursor to the beginning of the line).
  • Standard:
    • Fixed bug #74510 (win32/sendmail.c anchors CC header but not BCC).
  • xmlreader:
    • Fixed bug #74457 (Wrong reflection on XMLReader::expand).

Version 7.0.20

  • Core:
    • Fixed bug #74600 (crash (SIGSEGV) in _zend_hash_add_or_update_i).
    • Fixed bug #74546 (SIGILL in ZEND_FETCH_CLASS_CONSTANT_SPEC_CONST_CONST).
  • intl:
    • Fixed bug #74468 (wrong reflection on Collator::sortWithSortKeys).
  • MySQLi:
    • Fixed bug #74547 (mysqli::change_user() doesn't accept null as $database argument w/strict_types).
  • Opcache:
    • Fixed bug #74596 (SIGSEGV with opcache.revalidate_path enabled).
  • phar:
    • Fixed bug #51918 (Phar::webPhar() does not handle requests sent through PUT and DELETE method).
  • Standard:
    • Fixed bug #74510 (win32/sendmail.c anchors CC header but not BCC).
  • xmlreader:
    • Fixed bug #74457 (Wrong reflection on XMLReader::expand).

Version 7.1.5

  • Core:
    • Fixed bug #74408 (Endless loop bypassing execution time limit).
    • Fixed bug #74353 (Segfault when killing within bash script trap code).
    • Fixed bug #74340 (Magic function __get has different behavior in php 7.1.x).
    • Fixed bug #74188 (Null coalescing operator fails for undeclared static class properties).
    • Fixed bug #74444 (multiple catch freezes in some cases).
    • Fixed bug #74410 (stream_select() is broken on Windows Nanoserver).
    • Fixed bug #74337 (php-cgi.exe crash on facebook callback).
  • Date:
    • Fixed bug #74404 (Wrong reflection on DateTimeZone::getTransitions).
    • Fixed bug #74080 (add constant for RFC7231 format datetime).
  • DOM:
    • Fixed bug #74416 (Wrong reflection on DOMNode::cloneNode).
  • Fileinfo:
    • Fixed bug #74379 (syntax error compile error in libmagic/apprentice.c).
  • GD:
    • Fixed bug #74343 (compile fails on solaris 11 with system gd2 library).
  • MySQLnd:
    • Fixed bug #74376 (Invalid free of persistent results on error/connection loss).
  • Intl:
    • Fixed bug #65683 (Intl does not support DateTimeImmutable).
    • Fixed bug #74298 (IntlDateFormatter->format() doesn't return microseconds/fractions).
    • Fixed bug #74433 (wrong reflection for Normalizer methods).
    • Fixed bug #74439 (wrong reflection for Locale methods).
  • Opcache:
    • Fixed bug #74456 (Segmentation error while running a script in CLI mode).
    • Fixed bug #74431 (foreach infinite loop).
    • Fixed bug #74442 (Opcached version produces a nested array).
  • OpenSSL:
    • Fixed bug #73833 (null character not allowed in openssl_pkey_get_private).
    • Fixed bug #73711 (Segfault in openssl_pkey_new when generating DSA or DH key).
    • Fixed bug #74341 (openssl_x509_parse fails to parse ASN.1 UTCTime without seconds).
  • phar:
    • Fixed bug #74383 (phar method parameters reflection correction).
  • Readline:
    • Fixed bug #74489 (readline() immediately returns false in interactive console mode).
  • Standard:
    • Fixed bug #72071 (setcookie allows max-age to be negative).
    • Fixed bug #74361 (Compaction in array_rand() violates COW).
  • Streams:
    • Fixed bug #74429 (Remote socket URI with unique persistence identifier broken).

Version 7.0.19

  • Core:
    • Fixed bug #74188 (Null coalescing operator fails for undeclared static class properties).
    • Fixed bug #74408 (Endless loop bypassing execution time limit).
    • Fixed bug #74410 (stream_select() is broken on Windows Nanoserver).
    • Fixed bug #74337 (php-cgi.exe crash on facebook callback).
    • Patch for bug #74216 was reverted.
  • Date:
    • Fixed bug #74404 (Wrong reflection on DateTimeZone::getTransitions).
    • Fixed bug #74080 (add constant for RFC7231 format datetime).
  • DOM:
    • Fixed bug #74416 (Wrong reflection on DOMNode::cloneNode).
  • Fileinfo:
    • Fixed bug #74379 (syntax error compile error in libmagic/apprentice.c).
  • GD:
    • Fixed bug #74343 (compile fails on solaris 11 with system gd2 library).
  • intl:
    • Fixed bug #74433 (wrong reflection for Normalizer methods).
    • Fixed bug #74439 (wrong reflection for Locale methods).
  • MySQLi:
    • Fixed bug #74432 (mysqli_connect adding ":3306" to $host if $port parameter not given).
  • MySQLnd:
    • Added support for MySQL 8.0 types.
    • Fixed bug #74376 (Invalid free of persistent results on error/connection loss).
  • OpenSSL:
    • Fixed bug #73833 (null character not allowed in openssl_pkey_get_private).
    • Fixed bug #73711 (Segfault in openssl_pkey_new when generating DSA or DH key).
    • Fixed bug #74341 (openssl_x509_parse fails to parse ASN.1 UTCTime without seconds).
    • Added OpenSSL 1.1.0 support.
  • phar:
    • Fixed bug #74383 (phar method parameters reflection correction).
  • Standard:
    • Fixed bug #74409 (Reflection information for ini_get_all() is incomplete).
    • Fixed bug #72071 (setcookie allows max-age to be negative).
  • Streams:
    • Fixed bug #74429 (Remote socket URI with unique persistence identifier broken).
  • SQLite3:
    • Fixed bug #74413 (incorrect reflection for SQLite3::enableExceptions).

Version 7.1.4

  • Core:
    • Fixed bug #74149 (static embed SAPI linkage error).
    • Fixed bug #73370 (falsely exits with "Out of Memory" when using USE_ZEND_ALLOC=0).
    • Fixed bug #73960 (Leak with instance method calling static method with referenced return).
    • Fixed bug #69676 (Resolution of self::FOO in class constants not correct).
    • Fixed bug #74265 (Build problems after 7.0.17 release: undefined reference to `isfinite').
    • Fixed bug #74302 (yield fromLABEL is over-greedy).
  • Apache:
    • Reverted patch for bug #61471, fixes bug #74318.
  • Date:
    • Fixed bug #72096 (Swatch time value incorrect for dates before 1970).
  • DOM:
    • Fixed bug #74004 (LIBXML_NOWARNING flag ingnored on loadHTML*).
  • iconv:
    • Fixed bug #74230 (iconv fails to fail on surrogates).
  • Opcache:
    • Fixed bug #74250 (OPcache compilation performance regression in PHP 5.6/7 with huge classes).
  • OpenSSL:
    • Fixed bug #72333 (fwrite() on non-blocking SSL sockets doesn't work).
  • PDO MySQL:
    • Fixed bug #71003 (Expose MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT to PDO interface).
  • SPL:
    • Fixed bug #74058 (ArrayObject can not notice changes).
  • SQLite:
    • Fixed bug #74217 (Allow creation of deterministic sqlite functions).
  • Streams:
    • Fixed bug #74216 (Correctly fail on invalid IP address ports).
  • zlib:
    • Fixed bug #74240 (deflate_add can allocate too much memory).

Version 7.0.18

  • Core:
    • Fixed bug #73370 (falsely exits with "Out of Memory" when using USE_ZEND_ALLOC=0).
    • Fixed bug #73960 (Leak with instance method calling static method with referenced return).
    • Fixed bug #74265 (Build problems after 7.0.17 release: undefined reference to `isfinite').
    • Fixed bug #74302 (yield fromLABEL is over-greedy).
  • Apache:
    • Reverted patch for bug #61471, fixes bug #74318.
  • Date:
    • Fixed bug #72096 (Swatch time value incorrect for dates before 1970).
  • DOM:
    • Fixed bug #74004 (LIBXML_NOWARNING flag ingnored on loadHTML*).
  • iconv:
    • Fixed bug #74230 (iconv fails to fail on surrogates).
  • OpenSSL:
    • Fixed bug #72333 (fwrite() on non-blocking SSL sockets doesn't work).
  • PDO MySQL:
    • Fixed bug #71003 (Expose MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT to PDO interface).
  • Streams:
    • Fixed bug #74216 (Correctly fail on invalid IP address ports).
  • Zlib:
    • Fixed bug #74240 (deflate_add can allocate too much memory).

Version 7.1.3

  • Core:
    • Fixed bug #74157 (Segfault with nested generators).
    • Fixed bug #74164 (PHP hangs when an invalid value is dynamically passed to typehinted by-ref arg).
    • Fixed bug #74093 (Maximum execution time of n+2 seconds exceed not written in error_log).
    • Fixed bug #73989 (PHP 7.1 Segfaults within Symfony test suite).
    • Fixed bug #74084 (Out of bound read - zend_mm_alloc_small).
    • Fixed bug #73807 (Performance problem with processing large post request).
    • Fixed bug #73998 (array_key_exists fails on arrays created by get_object_vars).
    • Fixed bug #73954 (NAN check fails on Alpine Linux with musl).
    • Fixed bug #73677 (Generating phar.phar core dump with gcc ASAN enabled build).
  • Apache:
    • Fixed bug #61471 (Incomplete POST does not timeout but is passed to PHP).
  • Date:
    • Fixed bug #73837 ("new DateTime()" sometimes returns 1 second ago value).
  • FPM:
    • Fixed bug #69860 (php-fpm process accounting is broken with keepalive).
  • Hash:
    • Fixed bug #73127 (gost-crypto hash incorrect if input data contains long 0xFF sequence).
  • GD:
    • Fixed bug #74031 (ReflectionFunction for imagepng is missing last two parameters).
  • Mysqlnd:
    • Fixed bug #74021 (fetch_array broken data. Data more then MEDIUMBLOB).
  • Opcache:
    • Fixed bug #74019 (Segfault with list).
  • OpenSSL:
    • Fixed bug #74022 (PHP Fast CGI crashes when reading from a pfx file).
    • Fixed bug #74099 (Memory leak with openssl_encrypt()).
  • Standard:
    • Fixed bug #74005 (mail.add_x_header causes RFC-breaking lone line feed).
    • Fixed bug #74041 (substr_count with length=0 broken).
    • Fixed bug #73118 (is_callable callable name reports misleading value for anonymous classes).
    • Fixed bug #74105 (PHP on Linux should use /dev/urandom when getrandom is not available).
  • Streams:
    • Fixed bug #73496 (Invalid memory access in zend_inline_hash_func).
    • Fixed bug #74090 (stream_get_contents maxlength>-1 returns empty string).

Version 7.0.17

  • Core:
    • Fixed bug #73989 (PHP 7.1 Segfaults within Symfony test suite).
    • Fixed bug #74084 (Out of bound read - zend_mm_alloc_small).
    • Fixed bug #73807 (Performance problem with processing large post request).
    • Fixed bug #73998 (array_key_exists fails on arrays created by get_object_vars).
    • Fixed bug #73954 (NAN check fails on Alpine Linux with musl).
    • Fixed bug #74039 (is_infinite(-INF) returns false).
    • Fixed bug #73677 (Generating phar.phar core dump with gcc ASAN enabled build).
  • Apache:
    • Fixed bug #61471 (Incomplete POST does not timeout but is passed to PHP).
  • Date:
    • Fixed bug #72719 (Relative datetime format ignores weekday on sundays only).
    • Fixed bug #73294 (DateTime wrong when date string is negative).
    • Fixed bug #73489 (wrong timestamp when call setTimeZone multi times with UTC offset).
    • Fixed bug #73858 (first/last day of' flag is not being reset).
    • Fixed bug #73942 ($date->modify('Friday this week') doesn't return a Friday if $date is a Sunday).
    • Fixed bug #74057 (wrong day when using "this week" in strtotime).
  • FPM:
    • Fixed bug #69860 (php-fpm process accounting is broken with keepalive).
  • Hash:
    • Fixed bug #73127 (gost-crypto hash incorrect if input data contains long 0xFF sequence).
  • GD:
    • Fixed bug #74031 (ReflectionFunction for imagepng is missing last two parameters).
  • Mysqlnd:
    • Fixed bug #74021 (fetch_array broken data. Data more then MEDIUMBLOB).
  • Opcache:
    • Fixed bug #74152 (if statement says true to a null variable).
    • Fixed bug #74019 (Segfault with list).
  • OpenSSL:
    • Fixed bug #74022 (PHP Fast CGI crashes when reading from a pfx file).
  • Standard:
    • Fixed bug #74148 (ReflectionFunction incorrectly reports the number of arguments).
    • Fixed bug #74005 (mail.add_x_header causes RFC-breaking lone line feed).
    • Fixed bug #73118 (is_callable callable name reports misleading value for anonymous classes).
    • Fixed bug #74105 (PHP on Linux should use /dev/urandom when getrandom is not available).
  • Streams:
    • Fixed bug #73496 (Invalid memory access in zend_inline_hash_func).
    • Fixed bug #74090 (stream_get_contents maxlength>-1 returns empty string).

Version 7.1.2

  • Core:
    • Improved GENERATOR_CREATE opcode handler.
    • Fixed bug #73877 (readlink() returns garbage for UTF-8 paths).
    • Fixed bug #73876 (Crash when exporting **= in expansion of assign op).
    • Fixed bug #73962 (bug with symlink related to cyrillic directory).
    • Fixed bug #73969 (segfault in debug_print_backtrace).
    • Fixed bug #73994 (arginfo incorrect for unpack).
    • Fixed bug #73973 (assertion error in debug_zval_dump).
  • DOM:
    • Fixed bug #54382 (getAttributeNodeNS doesn't get xmlns* attributes).
  • DTrace:
    • Fixed bug #73965 (DTrace reported as enabled when disabled).
  • FCGI:
    • Fixed bug #73904 (php-cgi fails to load -c specified php.ini file).
    • Fixed bug #72898 (PHP_FCGI_CHILDREN is not included in phpinfo()).
  • FPM:
    • Fixed bug #69865 (php-fpm does not close stderr when using syslog).
  • GD:
    • Fixed bug #73968 (Premature failing of XBM reading).
  • GMP:
    • Fixed bug #69993 (test for gmp.h needs to test machine includes).
  • Hash:
    • Added hash_hkdf() function.
    • Fixed bug #73961 (environmental build dependency in hash sha3 source).
  • Intl:
    • Fix bug #73956 (Link use CC instead of CXX).
  • LDAP:
    • Fixed bug #73933 (error/segfault with ldap_mod_replace and opcache).
  • MySQLi:
    • Fixed bug #73949 (leak in mysqli_fetch_object).
  • Mysqlnd:
    • Fixed bug #69899 (segfault on close() after free_result() with mysqlnd).
  • Opcache:
    • Fixed bug #73983 (crash on finish work with phar in cli + opcache).
  • OpenSSL:
    • Fixed bug #71519 (add serial hex to return value array).
    • Fixed bug #73692 (Compile ext/openssl with openssl 1.1.0 on Win).
    • Fixed bug #73978 (openssl_decrypt triggers bug in PDO).
  • PDO_Firebird:
    • Implemented FR #72583 (All data are fetched as strings).
  • PDO_PgSQL:
    • Fixed bug #73959 (lastInsertId fails to throw an exception for wrong sequence name).
  • Phar:
    • Fixed bug #70417 (PharData::compress() doesn't close temp file).
  • posix:
    • Fixed bug #71219 (configure script incorrectly checks for ttyname_r).
  • Session:
    • Fixed bug #69582 (session not readable by root in CLI).
  • SPL:
    • Fixed bug #73896 (spl_autoload() crashes when calls magic _call()).
  • Standard:
    • Fixed bug #69442 (closing of fd incorrect when PTS enabled).
    • Fixed bug #47021 (SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked").
    • Fixed bug #72974 (imap is undefined service on AIX).
    • Fixed bug #72979 (money_format stores wrong length AIX).
    • Fixed bug #73374 (intval() with base 0 should detect binary).
    • Fixed bug #69061 (mail.log = syslog contains double information).
  • ZIP:
    • Fixed bug #70103 (ZipArchive::addGlob ignores remove_all_path option).

Version 7.0.16

  • Core:
    • Fixed bug #73916 (zend_print_flat_zval_r doesn't consider reference).
    • Fixed bug #73876 (Crash when exporting **= in expansion of assign op).
    • Fixed bug #73969 (segfault in debug_print_backtrace).
    • Fixed bug #73973 (assertion error in debug_zval_dump).
  • DOM:
    • Fixed bug #54382 (getAttributeNodeNS doesn't get xmlns* attributes).
  • DTrace:
    • Fixed bug #73965 (DTrace reported as enabled when disabled).
  • FPM:
    • Fixed bug #67583 (double fastcgi_end_request on max_children limit).
    • Fixed bug #69865 (php-fpm does not close stderr when using syslog).
  • GD:
    • Fixed bug #73968 (Premature failing of XBM reading).
  • GMP:
    • Fixed bug #69993 (test for gmp.h needs to test machine includes).
  • Intl:
    • Fixed bug #73956 (Link use CC instead of CXX).
  • LDAP:
    • Fixed bug #73933 (error/segfault with ldap_mod_replace and opcache).
  • MySQLi:
    • Fixed bug #73949 (leak in mysqli_fetch_object).
  • Mysqlnd:
    • Fixed bug #69899 (segfault on close() after free_result() with mysqlnd).
  • Opcache:
    • Fixed bug #73983 (crash on finish work with phar in cli + opcache).
  • OpenSSL:
    • Fixed bug #71519 (add serial hex to return value array).
  • PDO_Firebird:
    • Implemented FR #72583 (All data are fetched as strings).
  • PDO_PgSQL:
    • Fixed bug #73959 (lastInsertId fails to throw an exception for wrong sequence name).
  • Phar:
    • Fixed bug #70417 (PharData::compress() doesn't close temp file).
  • posix:
    • Fixed bug #71219 (configure script incorrectly checks for ttyname_r).
  • Session:
    • Fixed bug #69582 (session not readable by root in CLI).
  • SPL:
    • Fixed bug #73896 (spl_autoload() crashes when calls magic _call()).
  • Standard:
    • Fixed bug #69442 (closing of fd incorrect when PTS enabled).
    • Fixed bug #47021 (SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked").
    • Fixed bug #72974 (imap is undefined service on AIX).
    • Fixed bug #72979 (money_format stores wrong length AIX).
  • ZIP:
    • Fixed bug #70103 (ZipArchive::addGlob ignores remove_all_path option).

Version 7.0.15

  • Core:
    • Fixed bug #73792 (invalid foreach loop hangs script).
    • Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created with list()).
    • Fixed bug #73585 (Logging of "Internal Zend error - Missing class information" missing class name).
    • Fixed bug #73753 (unserialized array pointer not advancing).
    • Fixed bug #73825 (Heap out of bounds read on unserialize in finish_nested_data()). (CVE-2016-10161)
    • Fixed bug #73831 (NULL Pointer Dereference while unserialize php object). (CVE-2016-10162)
    • Fixed bug #73832 (Use of uninitialized memory in unserialize()). (CVE-2017-5340)
    • Fixed bug #73092 (Unserialize use-after-free when resizing object's properties hash table). (CVE-2016-7479)
    • Fixed bug #69425 (Use After Free in unserialize()).
    • Fixed bug #72731 (Type Confusion in Object Deserialization).
  • COM:
    • Fixed bug #73679 (DOTNET read access violation using invalid codepage).
  • DOM:
    • Fixed bug #67474 (getElementsByTagNameNS filter on default ns).
  • EXIF:
    • Fixed bug #73737 (FPE when parsing a tag format). (CVE-2016-10158)
  • GD:
    • Fixed bug #73869 (Signed Integer Overflow gd_io.c). (CVE-2016-10168)
    • Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (CVE-2016-10167)
  • GMP:
    • Fixed bug #70513 (GMP Deserialization Type Confusion Vulnerability).
  • Mysqli:
    • Fixed bug #73462 (Persistent connections don't set $connect_errno).
  • Mysqlnd:
    • Fixed issue with decoding BIT columns when having more than one rows in the result set. 7.0+ problem.
    • Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
  • PCRE:
    • Fixed bug #73612 (preg_*() may leak memory).
  • PDO_Firebird:
    • Fixed bug #72931 (PDO_FIREBIRD with Firebird 3.0 not work on returning statement).
  • Phar:
    • Fixed bug #73773 (Seg fault when loading hostile phar).
    • Fixed bug #73768 (Memory corruption when loading hostile phar). (CVE-2016-10160)
    • Fixed bug #73764 (Crash while loading hostile phar archive). (CVE-2016-10159)
  • Phpdbg:
    • Fixed bug #73615 (phpdbg without option never load .phpdbginit at startup).
    • Fixed issue getting executable lines from custom wrappers.
    • Fixed bug #73704 (phpdbg shows the wrong line in files with shebang).
  • Reflection:
    • Fixed bug #46103 (ReflectionObject memory leak).
  • Streams:
    • Fixed bug #73586 (php_user_filter::$stream is not set to the stream the filter is working on).
  • SQLite3:
    • Reverted fix for #73530 (Unsetting result set may reset other result set).
  • Standard:
    • Fixed bug #73594 (dns_get_record does not populate $additional out parameter).
    • Fixed bug #70213 (Unserialize context shared on double class lookup).
    • Fixed bug #73154 (serialize object with __sleep function crash).
    • Fixed bug #70490 (get_browser function is very slow).
    • Fixed bug #73265 (Loading browscap.ini at startup causes high memory usage).
    • Fixed bug #31875 (get_defined_functions additional param to exclude disabled functions).
  • Zlib:
    • Fixed bug #73373 (deflate_add does not verify that output was not truncated).

Version 7.1.1

  • Core
    • Fixed bug #73792 (invalid foreach loop hangs script).
    • Fixed bug #73686 (Adding settype()ed values to ArrayObject results in references).
    • Fixed bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created with list()).
    • Fixed bug #73727 (ZEND_MM_BITSET_LEN is "undefined symbol" in zend_bitset.h).
    • Fixed bug #73753 (unserialized array pointer not advancing).
    • Fixed bug #73783 (SIG_IGN doesn't work when Zend Signals is enabled).
    • Fixed bug #73825 (Heap out of bounds read on unserialize in finish_nested_data()). (CVE-2016-10161)
    • Fixed bug #73831 (NULL Pointer Dereference while unserialize php object). (CVE-2016-10162)
    • Fixed bug #73832 (Use of uninitialized memory in unserialize()). (CVE-2017-5340)
  • CLI
    • Fixed bug #72555 (CLI output(japanese) on Windows).
  • COM
    • Fixed bug #73679 (DOTNET read access violation using invalid codepage).
  • DOM
    • Fixed bug #67474 (getElementsByTagNameNS filter on default ns).
  • EXIF
    • Fixed bug #73737 (FPE when parsing a tag format). (CVE-2016-10158)
  • GD
    • Fixed bug #73869 (Signed Integer Overflow gd_io.c). (CVE-2016-10168)
    • Fixed bug #73868 (DOS vulnerability in gdImageCreateFromGd2Ctx()). (CVE-2016-10167)
  • mbstring
    • Fixed bug #73646 (mb_ereg_search_init null pointer dereference).
  • MySQLi
    • Fixed bug #73462 (Persistent connections don't set $connect_errno).
  • mysqlnd
    • Optimized handling of BIT fields - less memory copies and lower memory usage.
    • Fixed bug #73800 (sporadic segfault with MYSQLI_OPT_INT_AND_FLOAT_NATIVE).
  • opcache
    • Fixed bug #73789 (Strange behavior of class constants in switch/case block).
    • Fixed bug #73746 (Method that returns string returns UNKNOWN:0 instead).
    • Fixed bug #73654 (Segmentation fault in zend_call_function).
    • Fixed bug #73668 ("SIGFPE Arithmetic exception" in opcache when divide by minus 1).
    • Fixed bug #73847 (Recursion when a variable is redefined as array).
  • PDO Firebird
    • Fixed bug #72931 (PDO_FIREBIRD with Firebird 3.0 not work on returning statement).
  • Phar:
    • Fixed bug #73773 (Seg fault when loading hostile phar).
    • Fixed bug #73768 (Memory corruption when loading hostile phar). (CVE-2016-10160)
    • Fixed bug #73764 (Crash while loading hostile phar archive). (CVE-2016-10159)
  • phpdbg
    • Fixed bug #73794 (Crash (out of memory) when using run and # command separator).
    • Fixed bug #73704 (phpdbg shows the wrong line in files with shebang).
  • SQLite3
    • Reverted fix for Fixed bug #73530 (Unsetting result set may reset other result set).
  • Standard
    • Fixed bug #73594 (dns_get_record does not populate $additional out parameter).
    • Fixed bug #70213 (Unserialize context shared on double class lookup).
    • Fixed bug #73154 (serialize object with __sleep function crash).
    • Fixed bug #70490 (get_browser function is very slow).
    • Fixed bug #73265 (Loading browscap.ini at startup causes high memory usage).
    • (add subject to mail log).
    • Fixed bug #31875 (get_defined_functions additional param to exclude disabled functions).
  • zlib
    • Fixed bug #73373 (deflate_add does not verify that output was not truncated).

Version 7.0.14

Hash: (phe crea aviorru kes faFnheadils to locustom wr
  • Hard: