Merge branch 'PHP-7.0'

* PHP-7.0:
  update NEWS
  refix bug #70895
  Fixed bug Bug #70895 null ptr deref and segfault

Author: weltling

Zend/tests/bug70895.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Bug #70895 null ptr deref and segfault with crafted calable
+--FILE--
+<?php
+
+array_map("%n", 0);
+array_map("%n %i", 0);
+array_map("%n %i aoeu %f aoeu %p", 0);
+?>
+--EXPECTREGEX--
+Warning: array_map\(\) expects parameter 1 to be a valid callback, function '%n' not found or invalid function name in .+
+
+Warning: array_map\(\) expects parameter 1 to be a valid callback, function '%n %i' not found or invalid function name in .+
+
+Warning: array_map\(\) expects parameter 1 to be a valid callback, function '%n %i aoeu %f aoeu %p' not found or invalid function name in .+bug70895.php on line \d+

Zend/zend_API.c

@@ -242,17 +242,37 @@ ZEND_API ZEND_COLD void ZEND_FASTCALL zend_wrong_callback_error(int severity, in
 	const char *space;
 	const char *class_name = get_active_class_name(&space);
 
+	size_t error_len = strlen(error), sanitized_error_len = error_len, k = 0, n = 0;
+	char *sanitized_error = emalloc(sizeof(char) * error_len);
+
+	while (k < error_len) {
+		sanitized_error[n] = error[k];
+		if ('%' == error[k]) {
+			n++;
+			sanitized_error[n] = '%';
+		}
+		k++;
+		n++;
+
+		if (n == sanitized_error_len) {
+			sanitized_error_len += error_len - k;
+			sanitized_error = erealloc(sanitized_error, sanitized_error_len);
+		}
+	}
+	sanitized_error[n] = '\0';
+
 	if (severity == E_WARNING) {
 		zend_internal_type_error(ZEND_ARG_USES_STRICT_TYPES(), "%s%s%s() expects parameter %d to be a valid callback, %s",
-			class_name, space, get_active_function_name(), num, error);
+			class_name, space, get_active_function_name(), num, sanitized_error);
 	} else if (severity == E_ERROR) {
 		zend_throw_error(zend_ce_type_error, "%s%s%s() expects parameter %d to be a valid callback, %s",
-			class_name, space, get_active_function_name(), num, error);
+			class_name, space, get_active_function_name(), num, sanitized_error);
 	} else {
 		zend_error(severity, "%s%s%s() expects parameter %d to be a valid callback, %s",
-			class_name, space, get_active_function_name(), num, error);
+			class_name, space, get_active_function_name(), num, sanitized_error);
 	}
 	efree(error);
+	efree(sanitized_error);
 }
 /* }}} */