Fix Bug #81588 TokyoCabinet driver leaks memory

Prepare for 7.4.27

[ci skip] Fix NEWS

Bug #81026 has already been fixed in PHP 7.4.25 and 8.0.12.

Fix #76167: mbstring may use pointer from some previous request

We must not reuse per-request memory across multiple requests, so this
check triggered during RINIT makes no sense. As ex

Fix #76167: mbstring may use pointer from some previous request

We must not reuse per-request memory across multiple requests, so this
check triggered during RINIT makes no sense. As explained in the bug
report[1], it can be even harmful, if some request startup fails, and
the pointers refer to already freed memory in the next request.

[1] <https://bugs.php.net/76167>

Closes GH-7604.

show more ...

Add FPM fix news

Fix #81500: Interval serialization regression since 7.3.14 / 7.4.2

While it may not be desired, `DateInterval::$f` supports negative
values, at least with regard to calculations. We sti

Fix #81500: Interval serialization regression since 7.3.14 / 7.4.2

While it may not be desired, `DateInterval::$f` supports negative
values, at least with regard to calculations. We still need to guard
from assigning double values which are out of range for signed 64bit
integers (which would be undefined behavior). zend_dval_to_lval() does
this by returning `0` instead of triggering UB. This way we can avoid
setting the invalid marker, which doesn't work as expected anyway.

We must not do that only for unserialization, but also when the property
is set in the first place.

We need to adapt some of the existing tests wrt. this behavior. In
particular, we check for an arbitrary value in bug79015.phpt, to cater
to differences between 32bit and 64bit architectures.

Closes GH-7575.

show more ...

Fix #81518: Header injection via default_mimetype / default_charset

We forbid setting these INI options to values containing NUL bytes, CR
or LF.

Closes GH-7574.

Fix #81424: PCRE2 10.35 JIT performance regression

We backport the respective upstream fix[1] to our bundled pcre2lib plus
the follow-up fix[2] for a functional regression.

[1]

Fix #81424: PCRE2 10.35 JIT performance regression

We backport the respective upstream fix[1] to our bundled pcre2lib plus
the follow-up fix[2] for a functional regression.

[1] <https://github.com/PhilipHazel/pcre2/commit/dc5f96663597572f694147aeec3525003c351123>
[2] <https://github.com/PhilipHazel/pcre2/commit/e7af7efaa11f71b187b0432e9e60f18ba4d90a0c>

Closes GH-7573.

show more ...

Fixed bug #81494

Use the proper error reporting mechanism rather than throwing a
warning. This requires something of a hack because we don't have
direct access to the connection obje

Fixed bug #81494

Use the proper error reporting mechanism rather than throwing a
warning. This requires something of a hack because we don't have
direct access to the connection object at this point.

show more ...

Fixed bug #54350

Don't allow calling fclose() on the stream while in the user
filter callback. This is basically the same protection as xp_ssl
streams use during callback invocations

Fixed bug #54350

Don't allow calling fclose() on the stream while in the user
filter callback. This is basically the same protection as xp_ssl
streams use during callback invocations.

There are more issues in this general area (e.g. stack overflow
on stream_filter_remove), but this addresses freeing the stream
during the filter callback invocation at least.

show more ...

Prepare branch for 7.4.26-dev

Revert "Fix #81424: PCRE2 10.35 JIT performance regression"

This reverts commit a2471383fec332ae30827c7e3f4f9451420f1f0b.

Fixing the performance regression, apparently fixes a funct

Revert "Fix #81424: PCRE2 10.35 JIT performance regression"

This reverts commit a2471383fec332ae30827c7e3f4f9451420f1f0b.

Fixing the performance regression, apparently fixes a functional
regression[1], so we revert for now.

[1] <https://github.com/PhilipHazel/pcre2/issues/21>

Closes GH-7556.

show more ...

Fix #77978: Dirname ending in colon unzips to wrong dir

When making the relative path, we must not stop on a `:\` sequence in
the middle of the filename. This is only significant on Win

Fix #77978: Dirname ending in colon unzips to wrong dir

When making the relative path, we must not stop on a `:\` sequence in
the middle of the filename. This is only significant on Windows as it
may indicate an absolute filename, but this is already checked at the
beginning of the function.

Note that the bug and this patch affects all systems. However, on
Windows the file is no longer extracted at all, since Windows NTSF does
not allow filenames containing colons.

Closes GH-7528.

show more ...

[ci skip] Add missing NEWS

Fix #81490: ZipArchive::extractTo() may leak memory

We always need to free the CWD state.

Closes GH-7536.

Fix #81475: stream_isatty emits warning with attached stream wrapper

We must not issue warnings, if `show_err` is false.

Closes GH-7513.

Fix #80663: Recursive SplFixedArray::setSize() may cause double-free

We address the `::setSize(0)` case by setting `array->element = NULL`
and `array->size = 0` before we destroy the ele

Fix #80663: Recursive SplFixedArray::setSize() may cause double-free

We address the `::setSize(0)` case by setting `array->element = NULL`
and `array->size = 0` before we destroy the elements.

Co-authored-by: Tyson Andre <tyson.andre@uwaterloo.ca>

Closes GH-7503.

show more ...

[ci skip] Add missing CVE to NEWS

[ci skip] Add missing NEWS entry

Fix #61700: FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing

It makes no sense to compare IPv6 address ranges as strings; there are
too many different representation possibilities.

Fix #61700: FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing

It makes no sense to compare IPv6 address ranges as strings; there are
too many different representation possibilities. Instead, we change
`_php_filter_validate_ipv6()` so that it can calculate the IP address
as integer array. We do not rely on `inet_pton()` which may not be
available everywhere, at least IPv6 support may not, but rather parse
the IP address manually. Finally, we compare the integers.

Note that this patch does not fix what we consider as reserved and
private, respectively, but merely tries to keep what we had so far.

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>

Closes GH-7476.

show more ...

NEWS: Add note for bug #78987

Signed-off-by: Anatol Belski <ab@php.net>

Fix #70962: XML_OPTION_SKIP_WHITE strips embedded whitespace

We must never strip embedded whitespace; we only need to skip values
when that option is set, and make sure that we keep BC r

Fix #70962: XML_OPTION_SKIP_WHITE strips embedded whitespace

We must never strip embedded whitespace; we only need to skip values
when that option is set, and make sure that we keep BC regarding the
different behavior for "cdata" and "complete" elements (for the former,
the whole element is skipped; for the latter only the "value" key).

We also fix erroneous `int` types which should actually be `size_t`.

Co-authored-by: Christoph M. Becker <cmbecker69@gmx.de>

Closes GH-7493.

show more ...

Fixed bug #79576 ("TYPE *" shows unhelpful message when type is not defined)

Fix #81424: PCRE2 10.35 JIT performance regression

We backport the respective upstream fix[1] to our bundled pcre2lib.

[1] <https://github.com/PhilipHazel/pcre2/commit/dc5f966635975

Fix #81424: PCRE2 10.35 JIT performance regression

We backport the respective upstream fix[1] to our bundled pcre2lib.

[1] <https://github.com/PhilipHazel/pcre2/commit/dc5f96663597572f694147aeec3525003c351123>

Closes GH-7484.

show more ...

Fix #81433: DOMElement::setIdAttribute() called twice may remove ID

We must only remove the attribute id, if the user requested that.

Closes GH-7482.