#
d75c1d00 |
| 02-May-2023 |
nielsdos <7771979+nielsdos@users.noreply.github.com> |
Fix GH-11175 and GH-11177: Stream socket timeout undefined behaviour A negative value like -1 may overflow and cause incorrect results in the timeout variable, which causes an immediate
Fix GH-11175 and GH-11177: Stream socket timeout undefined behaviour A negative value like -1 may overflow and cause incorrect results in the timeout variable, which causes an immediate timeout. As this is caused by undefined behaviour the exact behaviour depends on the compiler, its version, and the platform. A large overflow is also possible, if an extremely large timeout value is passed we also set an indefinite timeout. This is because the timeout value is at least a 64-bit number and waiting for UINT64_MAX/1000000 seconds is waiting about 584K years. Closes GH-11183.
show more ...
|
#
4ca8daf3 |
| 02-May-2023 |
nielsdos <7771979+nielsdos@users.noreply.github.com> |
Fix GH-9068: Conditional jump or move depends on uninitialised value(s) This patch preserves the scratch registers of the SysV x86-64 ABI by storing them to the stack and restoring them
Fix GH-9068: Conditional jump or move depends on uninitialised value(s) This patch preserves the scratch registers of the SysV x86-64 ABI by storing them to the stack and restoring them later. We need to do this to prevent the registers of the caller from being corrupted. The reason these get corrupted is because the compiler is unaware of the Valgrind replacement function and thus makes assumptions about the original function regarding registers which are not true for the replacement function. For implementation I used a GCC and Clang attribute. A more general approach would be to use inline assembly but that's also less portable and quite hacky. This attributes is supported since GCC 7.x, but the target option is only supported since 11.x. For Clang the target option does not matter. Closes GH-10221.
show more ...
|
#
fbf5216c |
| 30-Apr-2023 |
nielsdos <7771979+nielsdos@users.noreply.github.com> |
Fix too wide OR and AND range inference There is a typo which causes the AND and OR range inference to infer a wider range than necessary. Fix this typo. There are many ranges for wh
Fix too wide OR and AND range inference There is a typo which causes the AND and OR range inference to infer a wider range than necessary. Fix this typo. There are many ranges for which the inference is too wide, I just picked one for AND and one for OR that I found through symbolic execution. In this example test, the previous range inferred for test_or was [-27..-1] instead of [-20..-1]. And the previous range inferred for test_and was [-32..-25] instead of [-28..-25]. Closes GH-11170.
show more ...
|
#
dc20cd9c |
| 01-May-2023 |
Ilija Tovilo |
Endless recursion when using + on array in foreach This reverts commit 84b4020eb4a8ebc45cb80164d4589cbf818f47f2. Fixes GH-11171
|
#
8bf2d587 |
| 28-Apr-2023 |
Ilija Tovilo |
Propagate STREAM_DISABLE_OPEN_BASEDIR src flag to php_stream_stat_path_ex Otherwise we can get open_basedir warnings from the stat call while still performing the actual copy. F
Propagate STREAM_DISABLE_OPEN_BASEDIR src flag to php_stream_stat_path_ex Otherwise we can get open_basedir warnings from the stat call while still performing the actual copy. Fixes GH-11138 Closes GH-11156
show more ...
|
#
f0149c5c |
| 25-Apr-2023 |
Máté Kocsis |
Fix ZPP of pg_lo_export() Closes GH-11132
|
#
3a76f795 |
| 26-Apr-2023 |
Ilija Tovilo |
Fix incorrect match default branch optimization Fixes GH-11134 Closes GH-11135
|
#
725f136f |
| 25-Apr-2023 |
Patrick Allaert |
PHP-8.1 is now for PHP 8.1.20-dev
|
#
4c38a79f |
| 20-Apr-2023 |
Ilija Tovilo |
Fix incorrect CG(memoize_mode) state after bailout in ??= Fixes GH-11108 Closes GH-11109
|
#
6e8f0f53 |
| 18-Apr-2023 |
Remi Collet |
[ci skip] NEWS for 11071
|
#
e8b8341d |
| 04-Apr-2023 |
Ilija Tovilo |
Support enums in array_unique Fixes GH-9775 Closes GH-11015
|
#
fc32d39b |
| 08-Apr-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-11028: Heap Buffer Overflow in zval_undefined_cv. For analysis see https://github.com/php/php-src/issues/11028#issuecomment-1508460440 Closes GH-11083.
|
#
450fcc4c |
| 11-Apr-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
[ci skip] UPDATE NEWS ElliotNB helped me a lot debugging this by constantly testing the patches. It is only fair that he is mentioned too, as I couldn't have solved it without his he
[ci skip] UPDATE NEWS ElliotNB helped me a lot debugging this by constantly testing the patches. It is only fair that he is mentioned too, as I couldn't have solved it without his help.
show more ...
|
#
51faf04d |
| 15-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-10737: PHP 8.1.16 segfaults on line 597 of sapi/apache2handler/sapi_apache2.c The TSRM keeps a hashtable mapping the thread IDs to the thread resource pointers. It's possible that
Fix GH-10737: PHP 8.1.16 segfaults on line 597 of sapi/apache2handler/sapi_apache2.c The TSRM keeps a hashtable mapping the thread IDs to the thread resource pointers. It's possible that the thread disappears without us knowing, and then another thread gets spawned some time later with the same ID as the disappeared thread. Note that since it's a new thread the TSRM key pointer and cached pointer will be NULL. The Apache request handler `php_handler()` will try to fetch some fields from the SAPI globals. It uses a lazy thread resource allocation by calling `ts_resource(0);`. This allocates a thread resource and sets up the TSRM pointers if they haven't been set up yet. At least, that's what's supposed to happen. But since we are in a situation where the thread ID still has the resources of the *old* thread associated in the hashtable, the loop in `ts_resource_ex` will find that thread resource and assume the thread has been setup already. But this is not the case since this thread is actually a new thread, just reusing the ID of the old one, without any relation whatsoever to the old thread. Because of this assumption, the TSRM pointers will not be setup, leading to a NULL pointer dereference when trying to access the SAPI globals. We can easily detect this scenario: if we're in the fallback path, and the pointer is NULL, and we're looking for our own thread resource, we know we're actually reusing a thread ID. In that case, we'll free up the old thread resources gracefully (gracefully because there might still be resources open like database connection which need to be shut down cleanly). After freeing the resources, we'll create the new resources for this thread as if the stale resources never existed in the first place. From that point forward, it is as if that situation never occurred. The fact that this situation happens isn't that bad because a child process containing threads will eventually be respawned anyway by the SAPI, so the stale thread resources won't remain forever. Note that we can't simply assign our own TSRM pointers to the existing thread resource for our ID, since it was actually from a different thread (just with the same ID!). Furthermore, the dynamically loaded extensions have their own pointer, which is only set when their constructor is called, so we'd have to call their constructor anyway... I also tried to call the dtor and then the ctor again for those resources on the pre-existing thread resource to reuse storage, but that didn't work properly because other code doesn't expect something like that to happen, which breaks assumptions, and this in turn caused Valgrind to (rightfully) complain about memory bugs. Note 2: I also had to fix a bug in the core globals destruction because it always assumed that the thread destroying them was the owning thread, which on TSRM shutdown isn't always the case. A similar bug was fixed recently with the JIT globals. Closes GH-10863.
show more ...
|
#
b81ce297 |
| 29-Jan-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-9397: exif read : warnings and errors : Potentially invalid endianess, Illegal IFD size and Undefined index Don't misinterpret DJI info maker note as DJI maker note. The DJI
Fix GH-9397: exif read : warnings and errors : Potentially invalid endianess, Illegal IFD size and Undefined index Don't misinterpret DJI info maker note as DJI maker note. The DJI and DJI info maker note both share the "DJI" make string. This caused the current code to try to interpret the DJI info maker note as a DJI maker note. However, the DJI info maker note requires custom parsing. Therefore, the misinterpretation actually caused the current code to believe that there was an unrecoverable error in the IFD for the maker note by returning false in the maker note parser. This in turn caused the inability to parse other EXIF metadata. This patch adds the identification of the DJI info maker note so that it cannot be misinterpreted. Since we don't implement custom parsing, it achieves this by setting the tag list to a special marker value (in this case the NULL pointer). When this marker value is detected, the function will just skip parsing the maker note and return true. Therefore, the other code will believe that the IFD is not corrupt. This approach is similar to handing an unrecognised maker note type (see the loop on top of exif_process_IFD_in_MAKERNOTE() which also returns true and treats it as a string). The end result of this patch is that the DJI info maker note is considered as unknown to the caller of exif_process_IFD_in_MAKERNOTE(), and therefore that the other EXIF metadata can be parsed successfully. Also fix debug output typos in exif. Closes GH-10470.
show more ...
|
#
0579beb8 |
| 30-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix incorrect error handling in dom_zvals_to_fragment() Discovered this pre-existing problem while testing GH-10682. Note: this problem existed *before* that PR. * Not all paths
Fix incorrect error handling in dom_zvals_to_fragment() Discovered this pre-existing problem while testing GH-10682. Note: this problem existed *before* that PR. * Not all paths throw a hierarchy request error * xmlFreeNode must be used instead of xmlFree for the fragment to also free its children. * Free up nodes that couldn't be added when xmlAddChild fails. I unified the error handling code that's exactly the same with a goto to prevent at least some of such problems in the future. Closes GH-10981.
show more ...
|
#
84b4020e |
| 29-Mar-2023 |
Ilija Tovilo |
Fix add_function_array() assertion when op2 contains op1 Fixes GH-10085 Closes GH-10975 Co-authored-by: Dmitry Stogov <dmitry@zend.com>
|
#
79c5b32d |
| 01-Apr-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-10990: mail() throws TypeError after iterating over $additional_headers array by reference We should dereference the values, otherwise references don't work. Closes GH-10991.
|
#
cf9b030a |
| 01-Apr-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-8841: php-cli core dump calling a badly formed function It's actually not php-cli specific, nor SAPI specific. We should delay the registration of the function into the function t
Fix GH-8841: php-cli core dump calling a badly formed function It's actually not php-cli specific, nor SAPI specific. We should delay the registration of the function into the function table until after the compilation was successful, otherwise the function is mistakingly registered and a NULL dereference will happen when trying to call it. I based my test of Nikita's test, so credits to him for the test: https://github.com/php/php-src/pull/8933#issuecomment-1259881008 Closes GH-10989.
show more ...
|
#
66ce2057 |
| 29-Mar-2023 |
Ilija Tovilo |
Fix incorrect zval type_flags in preg_replace_callback_array() for immutable arrays The ZVAL_ARR macro always set the zval type_info to IS_ARRAY_EX, even if the hash table is immutable.
Fix incorrect zval type_flags in preg_replace_callback_array() for immutable arrays The ZVAL_ARR macro always set the zval type_info to IS_ARRAY_EX, even if the hash table is immutable. Since in preg_replace_callback_array() we can return the passed array directly, and that passed array can be immutable, we need to reset the type_flags to keep the VM from performing ref-counting on the array. Fixes GH-10968 Closes GH-10970
show more ...
|
#
41bbb116 |
| 30-Mar-2023 |
Ilija Tovilo |
Unary minus const expression consistency - of 0.0 should result in -0.0 Closes GH-10978
|
#
5e76c6d2 |
| 30-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
[ci skip] NEWS
|
#
2d6decc1 |
| 23-Feb-2023 |
NathanFreeman <1056159381@qq.com> |
Fix bug #80602: Segfault when using DOMChildNode::before() This furthermore fixes the logic error explained in https://github.com/php/php-src/pull/8729#issuecomment-1161737132 C
Fix bug #80602: Segfault when using DOMChildNode::before() This furthermore fixes the logic error explained in https://github.com/php/php-src/pull/8729#issuecomment-1161737132 Closes GH-10682.
show more ...
|
#
d9df750b |
| 30-Mar-2023 |
Ben Ramsey |
PHP-8.1 is now for PHP 8.1.19-dev
|
#
87862835 |
| 25-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix undefined behaviour in unpack() atoi()'s return value is actually undefined when an underflow or overflow occurs. For example on 32-bit on my system the overflow test which input
Fix undefined behaviour in unpack() atoi()'s return value is actually undefined when an underflow or overflow occurs. For example on 32-bit on my system the overflow test which inputs "h2147483648" results in repetitions==2147483647 and on 64-bit this gives repetitions==-2147483648. The reason the test works on 32-bit is because there's a second undefined behaviour problem: in case 'h' when repetitions==2147483647, we add 1 and divide by 2. This is signed-wrap undefined behaviour and accidentally triggers the overflow check like we wanted to. Avoid all this trouble and use strtol with explicit error checking. This also fixes a semantic bug where repetitions==INT_MAX would result in the overflow check to trigger, even though there is no overflow. Closes GH-10943.
show more ...
|