History log of /PHP-7.4/ (Results 151 – 175 of 92142)
Revision Date Author Comments
b1840737 10-May-2021 Christoph M. Becker

Avoid OOB reads in create_name_with_username()

`accel_uname_id` and `zend_system_id` are MD5 buffers which are not
NUL terminated. Thus, we must not pass them to `snprintf()`.

Closes GH-6968.

96bf925c 02-Jul-2021 Nikita Popov

Fix return value of wrong function by-ref assign

We should be using the result of zend_assign_to_variable() here,
which will deref prior to potential freeing.

Fixes oss-fuzz #29899.

bdc60fa7 02-Jul-2021 Nikita Popov

Fixed bug #80173

The analysis in the bug report wasn't correct (at least not in
this case -- there may still be a more general problem here),
the issue was that write_property returned the original variable_ptr
rather than the zend_assign_to_variable() return value, which will
DEREF the variable before overwriting it.

36f5d719 01-Jul-2021 Nikita Popov

Fix leak on foreach by ref assign to property

In this case we ended up creating an ASSIGN_OBJ_REF with VAR
result operand, which was not freed.

Fix this by implementing assign_ref_znode the same way as
assign_znode, i.e. performing an assignment with result and
then freeing the result, which will mark the result as
UNUSED. This is more robust than the special handling for
result == NULL that was used before.

This fixes one of the issues reported in bug #81190.

334387bb 01-Jul-2021 Christoph M. Becker

Fix #52093: openssl_csr_sign truncates $serial

We use `ASN1_INTEGER_set_int64()` if supported[1], to avoid the
truncation of the integer.

[1] <https://www.openssl.org/docs/man1.1.0/man3/ASN1_INTEGER_set_int64.html#HISTORY>

Closes GH-7209.

d7db5701 30-Jun-2021 Christoph M. Becker

Fix #73630: Built-in Webserver - overwrite $_SERVER['request_uri']

The built-in Webserver's `on_path`, `on_query_string` and `on_url`
callbacks may be called multiple times from the parser; we must not
simply replace the old values, but need to concatenate the new values
instead.

This appears to be tricky for `on_path` due to the path normalization,
so we fail if the function is called again.

The built-in Webserver logs errors during request parsing to stderr,
but this is ignored by the php_cli_server framework, and apparently the
Webserver does not send a response at all in such cases (instead of a
4xx). Thus we can only check that a request with an overly long path
fails.

Closes GH-7207.

98a21d1d 12-Feb-2021 Calvin Buckley

Fix bug #80728: Don't reset the timeout on ini deactivate

When the time limit for a script is changed, when the script ends,
its INI value will be reset. This calls the event handler for the
timeout change, which will unset then reset the timeout. However,
this is done even if the script is done executing, and say, the CGI
or CLI web server process is idle.

This is probably incorrect, but isn't a problem on most platforms,
because PHP uses a timer that only ticks when the process is active
(that is, executing code). Since when it's idle, it's blocking on
listen/read, it won't tick because nothing executes. However, on
platforms where only the real-time timer is supported, (Cygwin/PASE)
it ticks regardless of if PHP is even executing. This means that the
idle processes are subject to timeouts from the INI reset on script
end.

This makes it so the timer is never set if the state is deactivating.
Testing with the CLI web server indicates the timer no longer
spuriously activates under PASE.

Closes GH-6683.

7bab67c2 28-Jun-2021 Stanislav Malyshev

Fix warning

(cherry picked from commit 190013787bbc424c240413d914e3a038f974ccef)

1a01f781 23-Jun-2021 Christoph M. Becker

Fix #68471: IntlDateFormatter fails for "GMT+00:00" timezone

GMT+00:00 is recognized by ICU, and is normalized to GMT. There are no
issues when GMT+00:00 is passed to `IntlTimeZone::createTimeZone()`,
but passing it to IntlDateFormatter::__construct() causes a failure,
since there is an additional check regarding the validity. While
checking the validity of the result of `TimeZone::createTimeZone()`[1]
is a good idea, comparing the IDs is overly restrictive. Instead we
just check that the timezone is supported by ICU.

[1] <https://unicode-org.github.io/icu-docs/apidoc/dev/icu4c/classicu_1_1TimeZone.html#a35da0507b62754ffe5d8d59c19775cdb>

Closes GH-7190.

2327e3d3 28-Jun-2021 Stanislav Malyshev

Merge branch 'PHP-7.3' into PHP-7.4

* PHP-7.3:
  Update NEWS
  Fix #76448: Stack buffer overflow in firebird_info_cb
  Fix #76449: SIGSEGV in firebird_handle_doer
  Fix #76450: SIGSEGV in firebird_stmt_execute
  Fix #76452: Crash while parsing blob data in firebird_fetch_blob
  Fix #81122: SSRF bypass in FILTER_VALIDATE_URL

c68a6875 21-Jun-2021 Stanislav Malyshev

Update NEWS

67afa325 29-Apr-2021 Christoph M. Becker

Fix #76448: Stack buffer overflow in firebird_info_cb

We ensure not to overflow the stack allocated buffer by using `strlcat`.

08da7c73 30-Apr-2021 Christoph M. Becker

Fix #76449: SIGSEGV in firebird_handle_doer

We need to verify that the `result_size` is not larger than our buffer,
and also should make sure that the `len` which is passed to
`isc_vax_integer()` has a permissible value; otherwise we bail out.

bcbf8aa0 30-Apr-2021 Christoph M. Becker

Fix #76450: SIGSEGV in firebird_stmt_execute

We need to verify that the `result_size` is not larger than our buffer,
and also should make sure that the `len` which is passed to
`isc_vax_integer()` has a permissible value; otherwise we bail out.

286162e9 05-May-2021 Christoph M. Becker

Fix #76452: Crash while parsing blob data in firebird_fetch_blob

We need to prevent integer overflow when calling `erealloc()` with
`len+1`.

a5538c62 14-Jun-2021 Christoph M. Becker

Fix #81122: SSRF bypass in FILTER_VALIDATE_URL

We need to ensure that the password detected by parse_url() is actually
a valid password; we can re-use is_userinfo_valid() for that.

4d8eb892 19-Jun-2021 Anatol Belski

NEWS: Add bug #81101 note

[ci skip]

Signed-off-by: Anatol Belski <ab@php.net>

1a1d86d5 06-Jun-2021 Anatol Belski

pcre: Workaround bug #81101

The way to fix it is to disable certain match start optimizations. The
observed performance impact appears negligible ATM, compared to the
functional regression revealed.

A possible side effect might occur if a pattern uses (*COMMIT) or
(*MARK), which is however not a very broadly used syntax in PHP. Still
this should be observed and handled by possibly adding a possibility to
reverse PCRE2_NO_START_OPTIMIZE on the user side.

One test shows a behavior change, where instead of int 0 the match
would produce an error and return false. Unless strict comparison
is used, this should be acceptable.

Signed-off-by: Anatol Belski <ab@php.net>
(cherry picked from commit d188ca7688315e3d32d41a32e0ce7b1f9bffb4cf)
Signed-off-by: Anatol Belski <ab@php.net>

bc59b046 18-Jun-2021 Joe Watkins

Fix bug #81163 indirect vars in __sleep

99e7c5ce 17-Jun-2021 Christoph M. Becker

Fix test in case fallocate(1) is available, but fails

That happens on Travis s390x for whatever reasons. Thus, instead of
checking for `fallocate -h`, we attempt the real allocation and skip if
that fails.

2555efad 17-Jun-2021 Christoph M. Becker

Fix #81145: copy() and stream_copy_to_stream() fail for +4GB files

When mapping the file, we need to pass the proper `dwFileOffsetHigh`
instead of `0`.

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>

Closes GH-7158.

0f1b17e3 14-Jun-2021 Christoph M. Becker

Fix #72809: Locale::lookup() wrong result with canonicalize option

Canonicalization converts the locale to ICU format[1]. However, the
lookup described in RFC 4647, section 3.4, is about POSIX format. To
make that lookup work for ICU format, we also need to cater to keyword
separators.

The results are somewhat unexpected, but apparently canonical lookup is
explicitly supposed to return canonical language tags[2].

[1] <https://unicode-org.github.io/icu/userguide/locale/#canonicalization>
[2] <https://github.com/php/php-src/blob/php-7.4.20/ext/intl/locale/locale_methods.c#L1504>

Closes GH-7151.

8370a084 15-Jun-2021 Derick Rethans

Prepare for 7.4.22

d15e10d7 13-Jun-2021 Christoph M. Becker

Fix test wrt. OPENSSL_CONF

This test is supposed to verify the path of the default OpenSSL config
file; it will fail, though, if OPENSSL_CONF is explicitly set, so we
explicitly unset this environment variable for this test.

3f4bc94b 10-Jun-2021 Nikita Popov

Mitigation for bug #81096

This issue is properly fixed by GH-7121 on master. For older
branches, disable the use of range information in SCCP, to
reduce impact of potentially incorrect ranges.
