Fix GH-11175 and GH-11177: Stream socket timeout undefined behaviour

A negative value like -1 may overflow and cause incorrect results in the
timeout variable, which causes an immediate

Fix GH-11175 and GH-11177: Stream socket timeout undefined behaviour

A negative value like -1 may overflow and cause incorrect results in the
timeout variable, which causes an immediate timeout. As this is caused
by undefined behaviour the exact behaviour depends on the compiler, its
version, and the platform.

A large overflow is also possible, if an extremely large timeout value
is passed we also set an indefinite timeout. This is because the timeout
value is at least a 64-bit number and waiting for UINT64_MAX/1000000
seconds is waiting about 584K years.

Closes GH-11183.

show more ...

Fix GH-9068: Conditional jump or move depends on uninitialised value(s)

This patch preserves the scratch registers of the SysV x86-64 ABI by storing
them to the stack and restoring them

Fix GH-9068: Conditional jump or move depends on uninitialised value(s)

This patch preserves the scratch registers of the SysV x86-64 ABI by storing
them to the stack and restoring them later. We need to do this to prevent the
registers of the caller from being corrupted. The reason these get corrupted
is because the compiler is unaware of the Valgrind replacement function and
thus makes assumptions about the original function regarding registers which
are not true for the replacement function.

For implementation I used a GCC and Clang attribute. A more general
approach would be to use inline assembly but that's also less portable
and quite hacky. This attributes is supported since GCC 7.x, but the
target option is only supported since 11.x. For Clang the target option
does not matter.

Closes GH-10221.

show more ...

Fix too wide OR and AND range inference

There is a typo which causes the AND and OR range inference to infer a
wider range than necessary. Fix this typo. There are many ranges for
wh

Fix too wide OR and AND range inference

There is a typo which causes the AND and OR range inference to infer a
wider range than necessary. Fix this typo. There are many ranges for
which the inference is too wide, I just picked one for AND and one for
OR that I found through symbolic execution.

In this example test, the previous range inferred for test_or was [-27..-1]
instead of [-20..-1].
And the previous range inferred for test_and was [-32..-25]
instead of [-28..-25].

Closes GH-11170.

show more ...

Endless recursion when using + on array in foreach

This reverts commit 84b4020eb4a8ebc45cb80164d4589cbf818f47f2.

Fixes GH-11171

Propagate STREAM_DISABLE_OPEN_BASEDIR src flag to php_stream_stat_path_ex

Otherwise we can get open_basedir warnings from the stat call while still
performing the actual copy.

F

Propagate STREAM_DISABLE_OPEN_BASEDIR src flag to php_stream_stat_path_ex

Otherwise we can get open_basedir warnings from the stat call while still
performing the actual copy.

Fixes GH-11138
Closes GH-11156

show more ...

Fix ZPP of pg_lo_export()

Closes GH-11132

Fix incorrect match default branch optimization

Fixes GH-11134
Closes GH-11135

PHP-8.1 is now for PHP 8.1.20-dev

Fix incorrect CG(memoize_mode) state after bailout in ??=

Fixes GH-11108
Closes GH-11109

[ci skip] NEWS for 11071

Support enums in array_unique

Fixes GH-9775
Closes GH-11015

Fix GH-11028: Heap Buffer Overflow in zval_undefined_cv.

For analysis see https://github.com/php/php-src/issues/11028#issuecomment-1508460440

Closes GH-11083.

[ci skip] UPDATE NEWS

ElliotNB helped me a lot debugging this by constantly testing the
patches. It is only fair that he is mentioned too, as I couldn't have
solved it without his he

[ci skip] UPDATE NEWS

ElliotNB helped me a lot debugging this by constantly testing the
patches. It is only fair that he is mentioned too, as I couldn't have
solved it without his help.

show more ...

Fix GH-10737: PHP 8.1.16 segfaults on line 597 of sapi/apache2handler/sapi_apache2.c

The TSRM keeps a hashtable mapping the thread IDs to the thread resource pointers.
It's possible that

Fix GH-10737: PHP 8.1.16 segfaults on line 597 of sapi/apache2handler/sapi_apache2.c

The TSRM keeps a hashtable mapping the thread IDs to the thread resource pointers.
It's possible that the thread disappears without us knowing, and then another thread
gets spawned some time later with the same ID as the disappeared thread.
Note that since it's a new thread the TSRM key pointer and cached pointer will be NULL.

The Apache request handler `php_handler()` will try to fetch some fields from the SAPI globals.
It uses a lazy thread resource allocation by calling `ts_resource(0);`.
This allocates a thread resource and sets up the TSRM pointers if they haven't been set up yet.

At least, that's what's supposed to happen. But since we are in a situation where the thread ID
still has the resources of the *old* thread associated in the hashtable,
the loop in `ts_resource_ex` will find that thread resource and assume the thread has been setup
already. But this is not the case since this thread is actually a new thread, just reusing the ID
of the old one, without any relation whatsoever to the old thread.
Because of this assumption, the TSRM pointers will not be setup, leading to a
NULL pointer dereference when trying to access the SAPI globals.

We can easily detect this scenario: if we're in the fallback path, and the pointer is NULL,
and we're looking for our own thread resource, we know we're actually reusing a thread ID.
In that case, we'll free up the old thread resources gracefully (gracefully because
there might still be resources open like database connection which need to be
shut down cleanly). After freeing the resources, we'll create the new resources for
this thread as if the stale resources never existed in the first place.
From that point forward, it is as if that situation never occurred.
The fact that this situation happens isn't that bad because a child process containing
threads will eventually be respawned anyway by the SAPI, so the stale thread resources
won't remain forever.

Note that we can't simply assign our own TSRM pointers to the existing
thread resource for our ID, since it was actually from a different thread
(just with the same ID!). Furthermore, the dynamically loaded extensions
have their own pointer, which is only set when their constructor is
called, so we'd have to call their constructor anyway...
I also tried to call the dtor and then the ctor again for those resources
on the pre-existing thread resource to reuse storage, but that didn't work properly
because other code doesn't expect something like that to happen, which breaks assumptions,
and this in turn caused Valgrind to (rightfully) complain about memory bugs.

Note 2: I also had to fix a bug in the core globals destruction because it
always assumed that the thread destroying them was the owning thread,
which on TSRM shutdown isn't always the case. A similar bug was fixed
recently with the JIT globals.

Closes GH-10863.

show more ...

Fix GH-9397: exif read : warnings and errors : Potentially invalid endianess, Illegal IFD size and Undefined index

Don't misinterpret DJI info maker note as DJI maker note.

The DJI

Fix GH-9397: exif read : warnings and errors : Potentially invalid endianess, Illegal IFD size and Undefined index

Don't misinterpret DJI info maker note as DJI maker note.

The DJI and DJI info maker note both share the "DJI" make string.
This caused the current code to try to interpret the DJI info maker note
as a DJI maker note. However, the DJI info maker note requires custom
parsing. Therefore, the misinterpretation actually caused the current
code to believe that there was an unrecoverable error in the IFD for the
maker note by returning false in the maker note parser. This in turn
caused the inability to parse other EXIF metadata.

This patch adds the identification of the DJI info maker note so that it
cannot be misinterpreted. Since we don't implement custom parsing, it
achieves this by setting the tag list to a special marker value (in this
case the NULL pointer). When this marker value is detected, the function
will just skip parsing the maker note and return true. Therefore, the
other code will believe that the IFD is not corrupt.

This approach is similar to handing an unrecognised maker note type
(see the loop on top of exif_process_IFD_in_MAKERNOTE() which also
returns true and treats it as a string). The end result of this patch
is that the DJI info maker note is considered as unknown to the caller of
exif_process_IFD_in_MAKERNOTE(), and therefore that the other EXIF
metadata can be parsed successfully.

Also fix debug output typos in exif.

Closes GH-10470.

show more ...

Fix incorrect error handling in dom_zvals_to_fragment()

Discovered this pre-existing problem while testing GH-10682.
Note: this problem existed *before* that PR.

* Not all paths

Fix incorrect error handling in dom_zvals_to_fragment()

Discovered this pre-existing problem while testing GH-10682.
Note: this problem existed *before* that PR.

* Not all paths throw a hierarchy request error
* xmlFreeNode must be used instead of xmlFree for the fragment to also
free its children.
* Free up nodes that couldn't be added when xmlAddChild fails.

I unified the error handling code that's exactly the same with a goto to
prevent at least some of such problems in the future.

Closes GH-10981.

show more ...

Fix add_function_array() assertion when op2 contains op1

Fixes GH-10085
Closes GH-10975
Co-authored-by: Dmitry Stogov <dmitry@zend.com>

Fix GH-10990: mail() throws TypeError after iterating over $additional_headers array by reference

We should dereference the values, otherwise references don't work.

Closes GH-10991.

Fix GH-8841: php-cli core dump calling a badly formed function

It's actually not php-cli specific, nor SAPI specific.
We should delay the registration of the function into the function t

Fix GH-8841: php-cli core dump calling a badly formed function

It's actually not php-cli specific, nor SAPI specific.
We should delay the registration of the function into the function table
until after the compilation was successful, otherwise the function is
mistakingly registered and a NULL dereference will happen when trying to
call it.

I based my test of Nikita's test, so credits to him for the test:
https://github.com/php/php-src/pull/8933#issuecomment-1259881008

Closes GH-10989.

show more ...

Fix incorrect zval type_flags in preg_replace_callback_array() for immutable arrays

The ZVAL_ARR macro always set the zval type_info to IS_ARRAY_EX, even if the
hash table is immutable.

Fix incorrect zval type_flags in preg_replace_callback_array() for immutable arrays

The ZVAL_ARR macro always set the zval type_info to IS_ARRAY_EX, even if the
hash table is immutable. Since in preg_replace_callback_array() we can return
the passed array directly, and that passed array can be immutable, we need to
reset the type_flags to keep the VM from performing ref-counting on the array.

Fixes GH-10968
Closes GH-10970

show more ...

Unary minus const expression consistency

- of 0.0 should result in -0.0

Closes GH-10978

[ci skip] NEWS

Fix bug #80602: Segfault when using DOMChildNode::before()

This furthermore fixes the logic error explained in
https://github.com/php/php-src/pull/8729#issuecomment-1161737132

C

Fix bug #80602: Segfault when using DOMChildNode::before()

This furthermore fixes the logic error explained in
https://github.com/php/php-src/pull/8729#issuecomment-1161737132

Closes GH-10682.

show more ...

PHP-8.1 is now for PHP 8.1.19-dev

Fix undefined behaviour in unpack()

atoi()'s return value is actually undefined when an underflow or
overflow occurs. For example on 32-bit on my system the overflow test
which input

Fix undefined behaviour in unpack()

atoi()'s return value is actually undefined when an underflow or
overflow occurs. For example on 32-bit on my system the overflow test
which inputs "h2147483648" results in repetitions==2147483647 and on
64-bit this gives repetitions==-2147483648. The reason the test works on
32-bit is because there's a second undefined behaviour problem:
in case 'h' when repetitions==2147483647, we add 1 and divide by 2.
This is signed-wrap undefined behaviour and accidentally triggers the
overflow check like we wanted to.

Avoid all this trouble and use strtol with explicit error checking.

This also fixes a semantic bug where repetitions==INT_MAX would result
in the overflow check to trigger, even though there is no overflow.

Closes GH-10943.

show more ...