History log of /PHP-7.4/Zend/zend_execute.c (Results 1 – 25 of 1541)
# 96bf925c 02-Jul-2021 Nikita Popov

Fix return value of wrong function by-ref assign

We should be using the result of zend_assign_to_variable() here,
which will deref prior to potential freeing.

Fixes oss-fuzz #29899.


# 82f6f6da 31-May-2021 Nikita Popov

Fixed bug #81090

For concatenation, the in-place variant can be much more efficient,
because it will reallocate the string in-place. Special-case the
typed property compound assignment code for the case where we
concatenate to a string, in which case we know that the result
will also be a string, and we don't need the type check anyway.


# 97f8ca52 25-Apr-2021 George Peter Banyard

Fix Bug #80972: Memory exhaustion on invalid string offset

Closes GH-6909


# 39d8fc1e 31-Mar-2021 Dmitry Stogov

Changed PowerPC CPU registers used by Zend VM to work around GCC bug.

Old registers (r28/r29) might be clobbered by _restgpr routine used for return from C function compiled with -Os.


# 6dd85f83 22-Feb-2021 Nikita Popov

Fixed bug #80781

zend_find_array_dim_slow() may throw, make sure to handle this.
This backports the code we already use for this on PHP-8.0,
and also backports an exception check that makes this easier to
catch.


# 7b7d9983 15-Feb-2021 Nikita Popov

Fix symtable cache being used while cleaning symtable

We need to first clean the symtable and then check whether a cache
slot is available for it. Otherwise, it may happen that a destructor
runs while cleaning the table and uses up all the remaining slots
in the cache.

This is particularly insidious because once we overflow the cache,
the first pointer we modify is symtable_cache_ptr, making it hard
to understand what happened after the fact.

Fixes oss-fuzz #30815.


# a07c1f56 02-Sep-2020 Nikita Popov

Fix infinite loop on string offset during by-ref list assign

There is a deeper underlying issue here, in that the opcodes violate
VM write-fetch safety, but let's fix the infinite loop first.

This fixes oss-fuzz #25352.


# 247105ae 26-Aug-2020 Nikita Popov

Properly handle read_property exception in fetch_property_address

Otherwise we leak (and corrupt uninitialized_zval).


# 2d087210 10-Aug-2020 Nikita Popov

Fixed bug #79947

Move the FREE_OP for op_data out of the zend_binary_assign_op_dim_slow()
slow path, so it can be used by the other error path as well. This
makes ASSIGN_DIM_OP structurally more similar to ASSIGN_DIM.


# 77acc8a0 07-Jul-2020 Nikita Popov

Fixed bug #79793

Make sure the string key is not released while throwing the
undefined index warning.


# 62bec0e0 07-Jul-2020 Nikita Popov

Fixed bug #79784

The fix here is essentially the same as for bug #78598, just for
the undefined variable notice, rather than the undefined index one.


# 220880ad 04-Feb-2020 Nikita Popov

Fixed bug #78598

When performing an RW modification of an array offset, the undefined
offset warning may call an error handler / OB callback, which may
destroy the array we're supposed to change. Detect this by temporarily
incrementing the reference count. If we find that the array has been
modified/destroyed in the meantime, we do nothing -- the execution
model here would be that the modification has happened on the destroyed
version of the array.


# 6a9d934b 07-Jul-2020 Nikita Popov

Fixed bug #79779

ASSIGN_OBJ_REF was not handled in zend_wrong_string_offset.


# 314ab47e 26-May-2020 Nikita Popov

Fix zend_assign_to_typed_ref() implementation

There was some confusion going on here regarding the original
value vs the copied value.

I've dropped the needs_copy variable, because this code is not
inlined, so it would always be true anyway.

What we need to do is perform a move-assignment of the copied
value (in which case we don't care about performing the assignment
before destroying garbage), and destroying the original value
for the VAR/TMP cases. This is a bit complicated by the fact that
references are passed in via a separate ref variable, so we can't
just ptr_dtor the original variable.


# cf68bc41 02-Apr-2020 Nikita Popov

Fixed bug #79434


# 5d0ef4c2 06-Feb-2020 Dmitry Stogov

Make opcodes to return de-referenced values of typed references (in the same way as for non-typed)


# db7193f3 31-Jan-2020 Dmitry Stogov

Fixed bug #79094 (Crashing when running recursion function)


# f77747b0 30-Dec-2019 Nikita Popov

Properly propagate url_stat exceptions during include

Make sure we abort operations early, and that we don't emit
additional warnings or errors if an exception has been thrown.


# 527ad1d8 19-Dec-2019 Nikita Popov

Avoid signed integer overflow in string offset check

Cast to size_t before performing operations instead of afterwards.


# df08d6bf 18-Dec-2019 Nikita Popov

Fix leak in assign_ref with function

As far as I can see, the retval copying is already done in all
callers of this function, so it should not be duplicated here.


# 0301ab70 18-Dec-2019 Nikita Popov

Fix const/cv freeing on failed reference assignment


# 03d1c788 09-Dec-2019 Dmitry Stogov

Export zend_init_func_run_time_cache()


Revision tags: php-7.3.13RC1, php-7.2.26RC1, php-7.4.0, php-7.2.25, php-7.3.12, php-7.4.0RC6, php-7.3.12RC1, php-7.2.25RC1, php-7.4.0RC5
# f8413887 23-Oct-2019 Nikita Popov

Don't autoload when checking property types

Noticed while working on union types: We do not load argument and
return types during type checks, but we do load property types.

I'm normalizing the behavior towards the existing status quo (not
loading), though we may consider loading everywhere (all types,
and instanceof) in order to properly support class aliases.


Revision tags: php-7.1.33, php-7.2.24, php-7.3.11, php-7.4.0RC4
# 5a076e67 10-Oct-2019 Nikita Popov

Return error_zval from get_property_ptr_ptr on exception

This goes in the reverse direction of 4463acb9513dfb62206760c49b3da1fe4d92f40a.
After looking around a bit, it seems that we already check for
Z_ISERROR_P() on the get_property_ptr_ptr return value in other places.
So do this in zend_fetch_property_address() as well, and also make
sure that EG(error_zval) is indeed returned on exception in
get_property_ptr_ptr.

In particular, this fixes the duplicate exceptions that we used to
get because first get_property_ptr_ptr threw one and then
read_property throws the same exception again.


# 4463acb9 10-Oct-2019 Nikita Popov

Explicitly check for exceptions in by-ref obj prop assign

Relying on setting ERROR if an exception happened during the
property address fetch is both a bit fragile and may pessimize
other codepaths that will check for exceptions in the VM. Adding
an extra exception check instead, which should also allow us to
drop the use of ERROR in this area in master.

