Jump to content
Slate Blackcurrant Watermelon Strawberry Orange Banana Apple Emerald Chocolate Marble
Slate Blackcurrant Watermelon Strawberry Orange Banana Apple Emerald Chocolate Marble
Sign in to follow this  

PHP Version 7.1.0 - Released

Recommended Posts

Version 7.1.0

01 Dec 2016


Added nullable types.

Added DFA optimization framework based on e-SSA form.

Added specialized opcode handlers (e.g. ZEND_ADD_LONG_NO_OVERFLOW).

Added [] = as alternative construct to list() =.

Added void return type.

Added support for negative string offsets in string offset syntax and various string functions.

Added a form of the list() construct where keys can be specified.

Implemented safe execution timeout handling, that prevents random crashes after "Maximum execution time exceeded" error.

Implemented the RFC `Support Class Constant Visibility`.

Implemented the RFC `Catching multiple exception types`.

Implemented logging to syslog with dynamic error levels.

Implemented FR #72614 (Support "nmake test" on building extensions by phpize).

Implemented RFC: Iterable.

Implemented RFC: Closure::fromCallable (Danack)

Implemented RFC: Replace "Missing argument" warning with "\ArgumentCountError" exception.

Implemented RFC: Fix inconsistent behavior of $this variable.

Fixed bug #73585 (Logging of "Internal Zend error - Missing class information" missing class name).

Fixed memory leak(null coalescing operator with Spl hash).

Fixed bug #72736 (Slow performance when fetching large dataset with mysqli / PDO).

Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow).

Fixed bug #72696 (imagefilltoborder stackoverflow on truecolor images).

Fixed bug #73350 (Exception::__toString() cause circular references).

Fixed bug #73329 ((Float)"Nano" == NAN).

Fixed bug #73288 (Segfault in __clone > Exception.toString > __get).

Fixed for #73240 (Write out of bounds at number_format).

Fix pthreads detection when cross-compiling (ffontaine)

Fixed bug #73337 (try/catch not working with two exceptions inside a same operation).

Fixed bug #73156 (segfault on undefined function).

Fixed bug #73163 (PHP hangs if error handler throws while accessing undef const in default value).

Fixed bug #73172 (parse error: Invalid numeric literal).

Fixed bug #73181 (parse_str() without a second argument leads to crash).

Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c).

Fixed bug #73058 (crypt broken when salt is 'too' long).

Fixed bug #72944 (Null pointer deref in zval_delref_p).

Fixed bug #72943 (assign_dim on string doesn't reset hval).

Fixed bug #72598 (Reference is lost after array_slice()) (Nikita)

Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by password_verify).

Fixed bug #72813 (Segfault with __get returned by ref).

Fixed bug #72767 (PHP Segfaults when trying to expand an infinite operator).

TypeError messages for arg_info type checks will now say "must be ... or null" where the parameter or return type accepts null.

Fixed bug #72857 (stream_socket_recvfrom read access violation).

Fixed bug #72663 (Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization).

Fixed bug #72681 (PHP Session Data Injection Vulnerability).

Fixed bug #72742 (memory allocator fails to realloc small block to large one).

Fixed URL rewriter. It would not rewrite '//example.com/' URL unconditionally. URL rewrite target hosts whitelist is implemented.

Fixed bug #72641 (phpize (on Windows) ignores PHP_PREFIX).

Fixed bug #72683 (getmxrr broken).

Fixed bug #72629 (Caught exception assignment to variables ignores references).

Fixed bug #72594 (Calling an earlier instance of an included anonymous class fatals).

Fixed bug #72581 (previous property undefined in Exception after deserialization).

Fixed bug #72543 (Different references behavior comparing to PHP 5) (Laruence, Dmitry, Nikita)

Fixed bug #72347 (VERIFY_RETURN type casts visible in finally).

Fixed bug #72216 (Return by reference with finally is not memory safe).

Fixed bug #72215 (Wrong return value if var modified in finally).

Fixed bug #71818 (Memory leak when array altered in destructor).

Fixed bug #71539 (Memory error on $arr[$a] =& $arr[$b] if RHS rehashes) (Dmitry, Nikita)

Added new constant PHP_FD_SETSIZE.

Added optind parameter to getopt().

Added PHP to SAPI error severity mapping for logs.

Fixed bug #71911 (Unable to set --enable-debug on building extensions by phpize on Windows).

Fixed bug #29368 (The destructor is called when an exception is thrown from the constructor).

Implemented RFC: RNG Fixes.

Implemented email validation as per RFC 6531.

Fixed bug #72513 (Stack-based buffer overflow vulnerability in virtual_file_ex).

Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).

Fixed bug #72523 (dtrace issue with reflection (failed test)).

Fixed bug #72508 (strange references after recursive function call and "switch" statement).

Fixed bug #72441 (Segmentation fault: RFC list_keys).

Fixed bug #72395 (list() regression).

Fixed bug #72373 (TypeError after Generator function w/declared return type finishes).

Fixed bug #69489 (tempnam() should raise notice if falling back to temp dir).

Fixed UTF-8 and long path support on Windows.

Fixed bug #53432 (Assignment via string index access on an empty string converts to array).

Fixed bug #62210 (Exceptions can leak temporary variables).

Fixed bug #62814 (It is possible to stiffen child class members visibility).

Fixed bug #69989 (Generators don't participate in cycle GC).

Fixed bug #70228 (Memleak if return in finally block).

Fixed bug #71266 (Missing separation of properties HT in foreach etc).

Fixed bug #71604 (Aborted Generators continue after nested finally).

Fixed bug #71572 (String offset assignment from an empty string inserts null byte).

Fixed bug #71897 (ASCII 0x7F Delete control character permitted in identifiers).

Fixed bug #72188 (Nested try/finally blocks losing return value).

Fixed bug #72213 (Finally leaks on nested exceptions).

Fixed bug #47517 (php-cgi.exe missing UAC manifest).

Change statement and fcall extension handlers to accept frame.

Number operators taking numeric strings now emit E_NOTICEs or E_WARNINGs when given malformed numeric strings.

(int), intval() where $base is 10 or unspecified, settype(), decbin(), decoct(), dechex(), integer operators and other conversions now always respect scientific notation in numeric strings.

Raise a compile-time warning on octal escape sequence overflow.


Enable per-module logging in Apache 2.4+.


Fix bug #73190 (memcpy negative parameter _bc_new_num_ex).


Fixed bug #72837 (integer overflow in bzdecompress caused heap corruption).

Fixed bug #72613 (Inadequate error handling in bzread()).


Fix integer overflows (Joshua Rogers)

Fixed bug #67976 (cal_days_month() fails for final month of the French calendar).

Fixed bug #71894 (AddressSanitizer: global-buffer-overflow in zif_cal_from_jd).

CLI Server:

Fixed bug #73360 (Unable to work in root with unicode chars).

Fixed bug #71276 (Built-in webserver does not send Date header).


Fixed bug #73126 (Cannot pass parameter 1 by reference).

Fixed bug #69579 (Invalid free in extension trait).

Fixed bug #72922 (COM called from PHP does not return out parameters).

Fixed bug #72569 (DOTNET/COM array parameters broke in PHP7).

Fixed bug #72498 (variant_date_from_timestamp null dereference).


Implement support for handling HTTP/2 Server Push.

Add curl_multi_errno(), curl_share_errno() and curl_share_strerror() functions.

Fixed bug #72674 (Heap overflow in curl_escape).

Fixed bug #72541 (size_t overflow lead to heap corruption). (Stas).

Fixed bug #71709 (curl_setopt segfault with empty CURLOPT_HTTPHEADER).

Fixed bug #71929 (CURLINFO_CERTINFO data parsing error).


Fixed bug #69587 (DateInterval properties and isset).

Fixed bug #73426 (createFromFormat with 'z' format char results in incorrect time).

Fixed bug #45554 (Inconsistent behavior of the u format char).

Fixed bug #48225 (DateTime parser doesn't set microseconds for "now").

Fixed bug #52514 (microseconds are missing in DateTime class).

Fixed bug #52519 (microseconds in DateInterval are missing).

Fixed bug #60089 (DateTime::createFromFormat() U after u nukes microtime).

Fixed bug #64887 (Allow DateTime modification with subsecond items).

Fixed bug #68506 (General DateTime improvments needed for microseconds to become useful).

Fixed bug #73109 (timelib_meridian doesn't parse dots correctly).

Fixed bug #73247 (DateTime constructor does not initialise microseconds property).

Fixed bug #73147 (Use After Free in PHP7 unserialize()).

Fixed bug #73189 (Memcpy negative size parameter php_resolve_path).

Fixed bug #66836 (DateTime::createFromFormat 'U' with pre 1970 dates fails parsing).

Invalid serialization data for a DateTime or DatePeriod object will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error.

Timezone initialization failure from serialized data will now throw an instance of Error from __wakeup() or __set_state() instead of resulting in a fatal error.

Export date_get_interface_ce() for extension use.

Fixed bug #63740 (strtotime seems to use both sunday and monday as start of week).


Fixed bug #70825 (Cannot fetch multiple values with group in ini file).

Data modification functions (e.g.: dba_insert()) now throw an instance of Error instead of triggering a catchable fatal error if the key is does not contain exactly two elements.


Fixed bug #73150 (missing NULL check in dom_document_save_html).

Fixed bug #66502 (DOM document dangling reference).

Invalid schema or RelaxNG validation contexts will throw an instance of Error instead of resulting in a fatal error.

Attempting to register a node class that does not extend the appropriate base class will now throw an instance of Error instead of resulting in a fatal error.

Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error.


Disabled PHP call tracing by default (it makes significant overhead). This may be enabled again using envirionment variable USE_ZEND_DTRACE=1.


Fixed bug #72735 (Samsung picture thumb not read (zero size)).

Fixed bug #72627 (Memory Leakage In exif_process_IFD_in_TIFF).

Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).

Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).


Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE).

Fixed bug #73054 (default option ignored when object passed to int filter).

Fixed bug #71745 (FILTER_FLAG_NO_RES_RANGE does not cover whole range).


Fixed bug #72575 (using --allow-to-run-as-root should ignore missing user).


Fixed bug #70195 (Cannot upload file using ftp_put to FTPES with require_ssl_reuse).

Implemented FR #55651 (Option to ignore the returned FTP PASV address).


Fixed bug #73213 (Integer overflow in imageline() with antialiasing).

Fixed bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation()).

Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()).

Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf).

Fixed bug #50194 (imagettftext broken on transparent background w/o alphablending).

Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c).

Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box).

Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given).

Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries).

Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted files).

Fixed bug #73161 (imagecreatefromgd2() may leak memory).

Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette).

Fixed bug #66005 (imagecopy does not support 1bit transparency on truecolor images).

Fixed bug #72913 (imagecopy() loses single-color transparency on palette images).

Fixed bug #68716 (possible resource leaks in _php_image_convert()).

Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles).

Fixed bug #72697 (select_colors write out-of-bounds).

Fixed bug #72730 (imagegammacorrect allows arbitrary write access).

Fixed bug #72596 (imagetypes function won't advertise WEBP support).

Fixed bug #72604 (imagearc() ignores thickness for full arcs).

Fixed bug #70315 (500 Server Error but page is fully rendered).

Fixed bug #43828 (broken transparency of imagearc for truecolor in blendingmode).

Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).

Fixed bug #72519 (imagegif/output out-of-bounds access).

Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).

Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow).

Fixed bug #72494 (imagecropauto out-of-bounds access).

Fixed bug #72404 (imagecreatefromjpeg fails on selfie).

Fixed bug #43475 (Thick styled lines have scrambled patterns).

Fixed bug #53640 (XBM images require width to be multiple of 8).

Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line).


Added SHA3 fixed mode algorithms (224, 256, 384, and 512 bit).

Added SHA512/256 and SHA512/224 algorithms.


Fixed bug #72320 (iconv_substr returns false for empty strings).


Fixed bug #73418 (Integer Overflow in "_php_imap_mail" leads to crash).

An email address longer than 16385 bytes will throw an instance of Error instead of resulting in a fatal error.


Fixed bug #73512 (Fails to find firebird headers as don't use fb_config output).


Fixed bug #73007 (add locale length check).

Fixed bug #73218 (add mitigation for ICU int overflow).

Fixed bug #65732 (grapheme_*() is not Unicode compliant on CR LF sequence).

Fixed bug #73007 (add locale length check).

Fixed bug #72639 (Segfault when instantiating class that extends IntlCalendar and adds a property).

Fixed bug #72658 (Locale::lookup() / locale_lookup() hangs if no match found).

Partially fixed #72506 (idn_to_ascii for UTS #46 incorrect for long domain names).

Fixed bug #72533 (locale_accept_from_http out-of-bounds access).

Failure to call the parent constructor in a class extending Collator before invoking the parent methods will throw an instance of Error instead of resulting in a recoverable fatal error.

Cloning a Transliterator object may will now throw an instance of Error instead of resulting in a fatal error if cloning the internal transliterator fails.

Added IntlTimeZone::getWindowsID() and IntlTimeZone::getIDForWindowsID().

Fixed bug #69374 (IntlDateFormatter formatObject returns wrong utf8 value).

Fixed bug #69398 (IntlDateFormatter formatObject returns wrong value when time style is NONE).


Introduced encoder struct instead of global which fixes bugs #66025 and #73254 related to pretty print indentation.

Fixed bug #73113 (Segfault with throwing JsonSerializable).

Implemented earlier return when json_encode fails, fixes bugs #68992 (Stacking exceptions thrown by JsonSerializable) and #70275 (On recursion error, json_encode can eat up all system memory).

Implemented FR #46600 ("_empty_" key in objects).

Exported JSON parser API including json_parser_method that can be used for implementing custom logic when parsing JSON.

Escaped U+2028 and U+2029 when JSON_UNESCAPED_UNICODE is supplied as json_encode options and added JSON_UNESCAPED_LINE_TERMINATORS to restore the previous behaviour.


Providing an unknown modification type to ldap_batch_modify() will now throw an instance of Error instead of resulting in a fatal error.


Fixed bug #73532 (Null pointer dereference in mb_eregi).

Fixed bug #66964 (mb_convert_variables() cannot detect recursion) (Yasuo)

Fixed bug #72992 (mbstring.internal_encoding doesn't inherit default_charset).

Fixed bug #66797 (mb_substr only takes 32-bit signed integer).

Fixed bug #72711 (`mb_ereg` does not clear the `$regs` parameter on failure).

Fixed bug #72691 (mb_ereg_search raises a warning if a match zero-width).

Fixed bug #72693 (mb_ereg_search increments search position when a match zero-width).

Fixed bug #72694 (mb_ereg_search_setpos does not accept a string's last position).

Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error).

Deprecated mb_ereg_replace() eval option.

Fixed bug #69151 (mb_ereg should reject ill-formed byte sequence).

Fixed bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) - oob read access).

Fixed bug #72399 (Use-After-Free in MBString (search_re)).

mb_ereg() and mb_eregi() will now throw an instance of ParseError if an invalid PHP expression is provided and the 'e' option is used.


Deprecated ext/mcrypt.

Fixed bug #72782 (Heap Overflow due to integer overflows).

Fixed bug #72551, bug #72552 (In correct casting from size_t to int lead to heap overflow in mdecrypt_generic).

mcrypt_encrypt() and mcrypt_decrypt() will throw an instance of Error instead of resulting in a fatal error if mcrypt cannot be initialized.


Attempting to read an invalid or write to a readonly property will throw an instance of Error instead of resulting in a fatal error.


Fixed bug #64526 (Add missing mysqlnd.* parameters to php.ini-*).

Fixed bug #71863 (Segfault when EXPLAIN with "Unknown column" error when using MariaDB).

Fixed bug #72701 (mysqli_get_host_info() wrong output).


Fixed bug #71148 (Bind reference overwritten on PHP 7).

Fixed invalid handle error with Implicit Result Sets.

Fixed bug #72524 (Binding null values triggers ORA-24816 error).


Fixed bug #73448 (odbc_errormsg returns trash, always 513 bytes).


Fixed bug #73583 (Segfaults when conditionally declared class and function have the same name).

Fixed bug #69090 (check cached files permissions)

Fixed bug #72982 (Memory leak in zend_accel_blacklist_update_regexp() function).

Fixed bug #72949 (Typo in opcache error message).

Fixed bug #72762 (Infinite loop while parsing a file with opcache enabled).

Fixed bug #72590 (Opcache restart with kill_all_lockers does not work).


Fixed bug #73478 (openssl_pkey_new() generates wrong pub/priv keys with Diffie Hellman).

Fixed bug #73276 (crash in openssl_random_pseudo_bytes function).

Fixed bug #73072 (Invalid path SNI_server_certs causes segfault).

Fixed bug #72360 (ext/openssl build failure with OpenSSL 1.1.0).

Bumped a minimal version to 1.0.1.

Dropped support for SSL2.

Implemented FR #61204 (Add elliptic curve support for OpenSSL).

Implemented FR #67304 (Added AEAD support [CCM and GCM modes] to openssl_encrypt and openssl_decrypt).

Implemented error storing to the global queue and cleaning up the OpenSSL error queue (resolves bugs #68276 and #69882).


Implemented asynchronous signal handling without TICKS.

Added pcntl_signal_get_handler() that returns the current signal handler for a particular signal. Addresses FR #72409.

Add signinfo to pcntl_signal() handler args (Bishop Bettini, David Walker)


Fixed bug #73483 (Segmentation fault on pcre_replace_callback).

Fixed bug #73612 (preg_*() may leak memory).

Fixed bug #73392 (A use-after-free in zend allocator management).

Fixed bug #73121 (Bundled PCRE doesn't compile because JIT isn't supported on s390).

Fixed bug #72688 (preg_match missing group names in matches).

Downgraded to PCRE 8.38.

Fixed bug #72476 (Memleak in jit_stack).

Fixed bug #72463 (mail fails with invalid argument).

Upgraded to PCRE 8.39.


Fixed bug #72788 (Invalid memory access when using persistent PDO connection).

Fixed bug #72791 (Memory leak in PDO persistent connection handling).

Fixed bug #60665 (call to empty() on NULL result using PDO::FETCH_LAZY returns false).


Fixed bug #72414 (Never quote values as raw binary data).

Allow \PDO::setAttribute() to set query timeouts.

Handle SQLDECIMAL/SQLNUMERIC types, which are used by later TDS versions.

Add common PDO test suite.

Free error and message strings when cleaning up PDO instances.

Fixed bug #67130 (\PDOStatement::nextRowset() should succeed when all rows in current rowset haven't been fetched).

Ignore potentially misleading dberr values.

Implemented stringify 'uniqueidentifier' fields.


Fixed bug #73087, #61183, #71494 (Memory corruption in bindParam).

Fixed bug #60052 (Integer returned as a 64bit integer on X86_64).


Fixed bug #70313 (PDO statement fails to throw exception).

Fixed bug #72570 (Segmentation fault when binding parameters on a query without placeholders).

Implemented FR #72633 (Postgres PDO lastInsertId() should work without specifying a sequence).


Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile).

Fixed bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile).


Added generator command for inspection of currently alive generators.


Fixed bug #73498 (Incorrect SQL generated for pg_copy_to()).

Implemented FR #31021 (pg_last_notice() is needed to get all notice messages).

Implemented FR #48532 (Allow pg_fetch_all() to index numerically).


Fixed bug #72538 (readline_redisplay crashes php).


Undo backwards compatiblity break in ReflectionType->__toString() and deprecate via documentation instead.

Reverted prepending \ for class names.

Implemented request #38992 (invoke() and invokeArgs() static method calls should match). (cmb).

Add ReflectionNamedType::getName(). This method should be used instead of ReflectionType::__toString()

Prepend \ for class names and ? for nullable types returned from ReflectionType::__toString().

Fixed bug #72661 (ReflectionType::__toString crashes with iterable).

Fixed bug #72222 (ReflectionClass::export doesn't handle array constants).

Failure to retrieve a reflection object or retrieve an object property will now throw an instance of Error instead of resulting in a fatal error.

Fix #72209 (ReflectionProperty::getValue() doesn't fail if object doesn't match type).


Fixed bug #73273 (session_unset() empties values from all variables in which is $_session stored).

Fixed bug #73100 (session_destroy null dereference in ps_files_path_create).

Fixed bug #68015 (Session does not report invalid uid for files save handler).

Fixed bug #72940 (SID always return "name=ID", even if session cookie exist).

Implemented session_gc() (Yasuo) https://wiki.php.net/rfc/session-create-id

Implemented session_create_id() (Yasuo) https://wiki.php.net/rfc/session-gc

Implemented RFC: Session ID without hashing. (Yasuo) https://wiki.php.net/rfc/session-id-without-hashing

Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow).

Custom session handlers that do not return strings for session IDs will now throw an instance of Error instead of resulting in a fatal error when a function is called that must generate a session ID.

An invalid setting for session.hash_function will throw an instance of Error instead of resulting in a fatal error when a session ID is created.

Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session Deserialization).

Improved fix for bug #68063 (Empty session IDs do still start sessions).

Fixed bug #71038 (session_start() returns TRUE on failure). Session save handlers must return 'string' always for successful read. i.e. Non-existing session read must return empty string. PHP 7.0 is made not to tolerate buggy return value.

Fixed bug #71394 (session_regenerate_id() must close opened session on errors).


Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()).

Fixed bug #72971 (SimpleXML isset/unset do not respect namespace).

Fixed bug #72957 (Null coalescing operator doesn't behave as expected with SimpleXMLElement).

Fixed bug #72588 (Using global var doesn't work while accessing SimpleXML element).

Creating an unnamed or duplicate attribute will throw an instance of Error instead of resulting in a fatal error.


Fixed bug #72708 (php_snmp_parse_oid integer overflow in memory allocation).

Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).


Fixed bug #73538 (SoapClient::__setSoapHeaders doesn't overwrite SOAP headers).

Fixed bug #73452 (Segfault (Regression for #69152)).

Fixed bug #73037 (SoapServer reports Bad Request when gzipped).

Fixed bug #73237 (Nested object in "any" element overwrites other fields).

Fixed bug #69137 (Peer verification fails when using a proxy with SoapClient) (Keith Smiley)

Fixed bug #71711 (Soap Server Member variables reference bug).

Fixed bug #71996 (Using references in arrays doesn't work like expected).


Fixed bug #73423 (Reproducible crash with GDB backtrace).

Fixed bug #72888 (Segfault on clone on splFileObject).

Fixed bug #73029 (Missing type check when unserializing SplArray).

Fixed bug #72646 (SplFileObject::getCsvControl does not return the escape character).

Fixed bug #72684 (AppendIterator segfault with closed generator).

Attempting to clone an SplDirectory object will throw an instance of Error instead of resulting in a fatal error.

Calling ArrayIterator::append() when iterating over an object will throw an instance of Error instead of resulting in a fatal error.

Fixed bug #55701 (GlobIterator throws LogicException).


Update to SQLite 3.15.1.

Fixed bug #73530 (Unsetting result set may reset other result set).

Fixed bug #73333 (2147483647 is fetched as string).

Fixed bug #72668 (Spurious warning when exception is thrown in user defined function).

Implemented FR #72653 (SQLite should allow opening with empty filename).

Fixed bug #70628 (Clearing bindings on an SQLite3 statement doesn't work).

Implemented FR #71159 (Upgraded bundled SQLite lib to 3.9.2).


Fixed bug #73297 (HTTP stream wrapper should ignore HTTP 100 Continue).

Fixed bug #73303 (Scope not inherited by eval in assert()).

Fixed bug #73192 (parse_url return wrong hostname).

Fixed bug #73203 (passing additional_parameters causes mail to fail).

Fixed bug #73203 (passing additional_parameters causes mail to fail).

Fixed bug #72920 (Accessing a private constant using constant() creates an exception AND warning).

Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign).

Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory).

Fixed bug #55451 (substr_compare NULL length interpreted as 0).

Fixed bug #72278 (getimagesize returning FALSE on valid jpg).

Fixed bug #61967 (unset array item in array_walk_recursive cause inconsistent array).

Fixed bug #62607 (array_walk_recursive move internal pointer).

Fixed bug #69068 (Exchanging array during array_walk -> memory errors).

Fixed bug #70713 (Use After Free Vulnerability in array_walk()/ array_walk_recursive()).

Fixed bug #72622 (array_walk + array_replace_recursive create references from nothing).

Fixed bug #72330 (CSV fields incorrectly split if escape char followed by UTF chars).

Implemented RFC: More precise float values.

array_multisort now uses zend_sort instead zend_qsort.

Fixed bug #72505 (readfile() mangles files larger than 2G).

assert() will throw a ParseError when evaluating a string given as the first argument if the PHP code is invalid instead of resulting in a catchable fatal error.

Calling forward_static_call() outside of a class scope will now throw an instance of Error instead of resulting in a fatal error.

Added is_iterable() function.

Fixed bug #72306 (Heap overflow through proc_open and $env parameter).

Fixed bug #71100 (long2ip() doesn't accept integers in strict mode).

Implemented FR #55716 (Add an option to pass a custom stream context to get_headers()).

Additional validation for parse_url() for login/pass components).

Implemented FR #69359 (Provide a way to fetch the current environment variables).

unpack() function accepts an additional optional argument $offset.

Implemented #51879 stream context socket option tcp_nodelay (Joe)


Fixed bug #73586 (php_user_filter::$stream is not set to the stream the filter is working on).

Fixed bug #72853 (stream_set_blocking doesn't work).

Fixed bug #72743 (Out-of-bound read in php_stream_filter_create).

Implemented FR #27814 (Multiple small packets send for HTTP request).

Fixed bug #72764 (ftps:// opendir wrapper data channel encryption fails with IIS FTP 7.5, 8.5).

Fixed bug #72810 (Missing SKIP_ONLINE_TESTS checks).

Fixed bug #41021 (Problems with the ftps wrapper).

Fixed bug #54431 (opendir() does not work with ftps:// wrapper).

Fixed bug #72667 (opendir() with ftp:// attempts to open data stream for non-existent directories).

Fixed bug #72771 (ftps:// wrapper is vulnerable to protocol downgrade attack).

Fixed bug #72534 (stream_socket_get_name crashes).

Fixed bug #72439 (Stream socket with remote address leads to a segmentation fault).


Fixed bug #72858 (shm_attach null dereference).


Implemented support for libtidy 5.0.0 and above.

Creating a tidyNode manually will now throw an instance of Error instead of resulting in a fatal error.


Fixed bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow).

Fixed bug #72142 (WDDX Packet Injection Vulnerability in wddx_serialize_value()).

Fixed bug #72749 (wddx_deserialize allows illegal memory access) (Stas)

Fixed bug #72750 (wddx_deserialize null dereference).

Fixed bug #72790 (wddx_deserialize null dereference with invalid xml).

Fixed bug #72799 (wddx_deserialize null dereference in php_wddx_pop_element).

Fixed bug #72860 (wddx_deserialize use-after-free).

Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element).

Fixed bug #72564 (boolean always deserialized as "true") (Remi)

A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error.


Fixed bug #72135 (malformed XML causes fault) (edgarsandi)

Fixed bug #72714 (_xml_startElementHandler() segmentation fault).

Fixed bug #72085 (SEGV on unknown address zif_xml_parse).


Fixed bug #72647 (xmlrpc_encode() unexpected output after referencing array elements).

Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).

A circular reference when serializing will now throw an instance of Error instead of resulting in a fatal error.


Fixed bug #68302 (impossible to compile php with zip support).

Fixed bug #72660 (NULL Pointer dereference in zend_virtual_cwd).

Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).

ZipArchive::addGlob() will throw an instance of Error instead of resulting in a fatal error if glob support is not available.

  • Like 1

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this