#
f9cbeaa0 |
| 26-Mar-2023 |
Michael Orlitzky |
ext/imap/config.m4: -Werror=implicit-function-declaration compatibility. The recent clang-16 throws errors for implicitly defined functions by default. In many ./configure tests, an unde
ext/imap/config.m4: -Werror=implicit-function-declaration compatibility. The recent clang-16 throws errors for implicitly defined functions by default. In many ./configure tests, an undefined function (which is "implicitly defined" when you try to call it) is undefined because it really does not exist. But in one case, utf8_to_mutf7() is undefined because we forgot to include the header that defines it. This commit updates the test for utf8_to_mutf7: * We now include the header (c-client.h) that defines it. * A "checking... yes/no" message was added to the test. * The test was switched from PHP_IMAP_TEST_BUILD to AC_COMPILE_IFELSE. This was the easiest way to avoid a return-type mismatch that runs afoul of -Werror=implicit-int. * CPPFLAGS is temporarily amended with the -I flag needed to find c-client.h. Fixes GH-10947. Closes GH-10948 Signed-off-by: George Peter Banyard <girgias@php.net>
show more ...
|
#
4e0bd036 |
| 23-Mar-2023 |
Ilija Tovilo |
Reset EG(trampoline).op_array.last_var that FFI may modify Closes GH-10916
|
#
21e0305f |
| 23-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-10908: Bus error with PDO Firebird on RPI with 64 bit kernel and 32 bit userland The alignment of sqldata is in most cases only the basic alignment, so the code type-puns it to a
Fix GH-10908: Bus error with PDO Firebird on RPI with 64 bit kernel and 32 bit userland The alignment of sqldata is in most cases only the basic alignment, so the code type-puns it to a larger type, it *can* crash due to the misaligned access. This is only an issue for types > 4 bytes because every sensible system requires an alignment of at least 4 bytes for allocated data. Even though this patch uses memcpy, the compiler is smart enough to optimise it to something more efficient, especially on x86. This is just the usual approach to solve these alignment problems. Actually, unaligned memory access is undefined behaviour, so even on x86 platforms, where the bug doesn't cause a crash, this can be problematic. Furthermore, even though the issue talks about a 64-bit kernel and 32-bit userspace, this doesn't necessarily need to be the case to trigger this crash. Test was Co-authored-by: rvk01 Closes GH-10920.
show more ...
|
#
57029ce9 |
| 24-Mar-2023 |
Ilija Tovilo |
Fix buffer-overflow in php_fgetcsv() with \0 delimiter and enclosure Fixes oss-fuzz #57392 Closes GH-10923
|
#
c2f3a605 |
| 25-Mar-2023 |
Ilija Tovilo |
[skip ci] Add NEWS entry
|
#
8930bf8c |
| 22-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-8979: Possible Memory Leak with SSL-enabled MySQL connections The stream context inside `mysqlnd_vio::enable_ssl()` is leaking. In particular: when `php_stream_context_set()` get
Fix GH-8979: Possible Memory Leak with SSL-enabled MySQL connections The stream context inside `mysqlnd_vio::enable_ssl()` is leaking. In particular: when `php_stream_context_set()` get called the refcount of `context` is increased by 1, which means that `context` will now have a refcount of 2. Later on we remove the context from the stream by calling `php_stream_context_set(stream, NULL)` but that leaves our `context` with a refcount of 1, and therefore it's never destroyed. In my test case this yielded a leak of 1456 bytes per connection (but could be more depending on your settings ofc). Annoyingly, Valgrind doesn't find it because the context is still in the `EG(regular_list)` and will thus be destroyed at the end of the request. However, I still think this bug needs to be fixed because as the users in the issue report already mentioned: there can be long-running PHP scripts. Fix it by decreasing the refcount to transfer the ownership. Closes GH-10909.
show more ...
|
#
cbac68df |
| 23-Mar-2023 |
Derick Rethans |
Fix GH-10583: DateTime modify with tz pattern should not update linked timezone
|
#
30141828 |
| 06-Feb-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-10521: ftp_get/ftp_nb_get resumepos offset is maximum 10GB The char arrays were too small for a long on 64-bit systems, which resulted in cutting off the string at the end with a
Fix GH-10521: ftp_get/ftp_nb_get resumepos offset is maximum 10GB The char arrays were too small for a long on 64-bit systems, which resulted in cutting off the string at the end with a NUL byte. Use a size of MAX_LENGTH_OF_LONG to fix this issue instead of a fixed size of 11 chars. Closes GH-10525.
show more ...
|
#
c4072437 |
| 19-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-10052: Browscap crashes PHP 8.1.12 on request shutdown (apache2) get_browser() implements a lazy parse system for the browscap INI configuration. There are two possible moments wh
Fix GH-10052: Browscap crashes PHP 8.1.12 on request shutdown (apache2) get_browser() implements a lazy parse system for the browscap INI configuration. There are two possible moments when a browscap configuration can be loaded: during module startup or during request. In case of module startup, the strings are persistent strings, while for the request they are not. The INI parser must therefore know whether to create persistent or non-persistent strings. It does this by looking at CG(ini_parser_unbuffered_errors). If that value is 1 it's persistent, otherwise non-persistent. Note that this also controls how the errors are reported: if it's 1 then the errors are sent to stderr, otherwise we get E_WARNINGs. Currently, a hardcoded value of 1 is always used for that CG value in browscap_read_file(). This means we'll always create persistent strings *and* we'll not report parse errors correctly as E_WARNINGs. We fix both the crash and the lack of warnings by passing the value of persistent instead of a hardcoded 1. This is also in line with how other INI parsing code is called in ext/standard: they also make sure that during request a value of 0 is passed. Closes GH-10883.
show more ...
|
#
122f1287 |
| 20-Mar-2023 |
Ilija Tovilo |
Fix GH-10885: Leaking stream_socket_server context `php_stream_context_set` already increases the refcount. Closes GH-10886
|
#
0d4d4718 |
| 12-Mar-2023 |
Jakub Zelenka |
Fix bug #74129: Incorrect SCRIPT_NAME with apache ProxyPassMatch This happens when there are spaces are in the path info. The reason is that Apache decodes the path info part in the SCRI
Fix bug #74129: Incorrect SCRIPT_NAME with apache ProxyPassMatch This happens when there are spaces are in the path info. The reason is that Apache decodes the path info part in the SCRIPT_NAME as per CGI RFC. FPM tries to strip path info from the SCRIPT_NAME but the comparison is done against SCRIPT_FILENAME which is not decoded. For that to work we have to decode it before comparison if there is any encoded character. Closes GH-10869
show more ...
|
#
b5726c2c |
| 17-Mar-2023 |
Ilija Tovilo |
Fix NUL byte in exception string terminating Exception::__toString() Fixes GH-10810 Closes GH-10873
|
#
f30e71cb |
| 26-Feb-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Destroy file_handle in fpm_main If it's not in the CG(open_files) list, we need to destroy the file handle ourselves. Co-authored-by: Jakub Zelenka <bukka@php.net> Clos
Destroy file_handle in fpm_main If it's not in the CG(open_files) list, we need to destroy the file handle ourselves. Co-authored-by: Jakub Zelenka <bukka@php.net> Closes GH-10707.
show more ...
|
#
06ae7500 |
| 15-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-8789 and GH-10015: Fix ZTS zend signal crashes due to NULL globals Fixes GH-8789. Fixes GH-10015. This is one small part of the underlying bug for GH-10737, as in my
Fix GH-8789 and GH-10015: Fix ZTS zend signal crashes due to NULL globals Fixes GH-8789. Fixes GH-10015. This is one small part of the underlying bug for GH-10737, as in my attempts to reproduce the issue I constantly hit this crash easily. (The fix for the other underlying issue for that bug will follow soon.) It's possible that a signal arrives at a thread that never handled a PHP request before. This causes the signal globals to dereference a NULL pointer because the TSRM pointers for the thread aren't set up to point to the thread resources yet. PR GH-9766 previously fixed this for master by ignoring the signal if the thread didn't handle a PHP request yet. While this fixes the crash bug, I think the solution is suboptimal for 3 reasons: 1) The signal is ignored and a message is printed saying there is a bug. However, this is not a bug at all. For example in Apache, the signal set up happens on child process creation, and the thread resource creation happens lazily when the first request is handled by the thread. Hence, the fact that the thread resources aren't set up yet is not actually buggy behaviour. 2) I believe since it was believed to be buggy behaviour, that fix was only applied to master, so 8.1 & 8.2 keep on crashing. 3) We can do better than ignoring the signal. By just acting in the same way as if the signals aren't active. This means we need to take the same path as if the TSRM had already shut down. Closes GH-10861.
show more ...
|
#
5adeed30 |
| 16-Mar-2023 |
David CARLIER |
ext/psql: pg_meta_data, extended mode, fix typo for pseudo typtype. Closes GH-10865.
|
#
c4c8d6ce |
| 01-Mar-2023 |
nielsdos <7771979+nielsdos@users.noreply.github.com> |
Fix missing and inconsistent error check on SQLAllocHandle * Missing check: SQLAllocHandle() for the environment wasn't checked in pdo_odbc_handle_factory(). Add a check similar to the
Fix missing and inconsistent error check on SQLAllocHandle * Missing check: SQLAllocHandle() for the environment wasn't checked in pdo_odbc_handle_factory(). Add a check similar to the other ones for SQLAllocHandle(). * Inconsistent check: one of the SQLAllocHandle() calls wasn't checked for SQL_SUCCESS_WITH_INFO. However, looking at the other uses and the documentation we should probably check this as well. Furthermore, since there was a mix of "SQLAllocHandle: reason" and "SQLAllocHandle (reason)" in the error reporting, I made them consistently use the first option as that seems to be the most used for error reporting in this file. Closes GH-10740.
show more ...
|
#
71c63723 |
| 18-Feb-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-10611: fpm_env_init_main leaks environ Closes GH-10618.
|
#
2c53d631 |
| 08-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-10801: Named arguments in CTE functions cause a segfault Fixes GH-10801 Named arguments are not supported by the constant evaluation routine, in the sense that they are i
Fix GH-10801: Named arguments in CTE functions cause a segfault Fixes GH-10801 Named arguments are not supported by the constant evaluation routine, in the sense that they are ignored. This causes two issues: - It causes a crash because not all oplines belonging to the call are removed, which results in SEND_VA{L,R} which should've been removed. - It causes semantic issues (demonstrated in the test case). This case never worked anyway, leading to crashes or incorrect behaviour, so just prevent CTE of calls with named parameters for now. We can choose to support it later, but introducing support for this in a stable branch seems too dangerous. This patch does not change the removal of SEND_* opcodes in remove_call because the crash bug can't be triggered anymore with this patch as there are no named parameters anymore and no variadic CTE functions exist. Closes GH-10811.
show more ...
|
#
49b2ff5d |
| 02-Mar-2023 |
NathanFreeman <1056159381@qq.com> |
Fix GH-10519: Array Data Address Reference Issue We need to carry around a reference to the underlying Bucket to be able to modify it by reference. Closes GH-10749 Signed-o
Fix GH-10519: Array Data Address Reference Issue We need to carry around a reference to the underlying Bucket to be able to modify it by reference. Closes GH-10749 Signed-off-by: George Peter Banyard <girgias@php.net>
show more ...
|
#
85df512a |
| 06-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-8065: opcache.consistency_checks > 0 causes segfaults in PHP >= 8.1.5 in fpm context Disable opcache.consistency_checks. This feature does not work right now and leads to mem
Fix GH-8065: opcache.consistency_checks > 0 causes segfaults in PHP >= 8.1.5 in fpm context Disable opcache.consistency_checks. This feature does not work right now and leads to memory leaks and other problems. For analysis and discussion see GH-8065. In GH-10624 it was decided to disable the feature to prevent problems for end users. If end users which to get some consistency guarantees, they can rely on opcache.protect_memory. Closes GH-10798.
show more ...
|
#
ff62d117 |
| 04-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-8646: Memory leak PHP FPM 8.1 Fixes GH-8646 See https://github.com/php/php-src/issues/8646 for thorough discussion. Interned strings that hold class entries can get a cor
Fix GH-8646: Memory leak PHP FPM 8.1 Fixes GH-8646 See https://github.com/php/php-src/issues/8646 for thorough discussion. Interned strings that hold class entries can get a corresponding slot in map_ptr for the CE cache. map_ptr works like a bump allocator: there is a counter which increases to allocate the next slot in the map. For class name strings in non-opcache we have: - on startup: permanent + interned - on request: interned For class name strings in opcache we have: - on startup: permanent + interned - on request: either not interned at all, which we can ignore because they won't get a CE cache entry or they were already permanent + interned or we get a new permanent + interned string in the opcache persistence code Notice that the map_ptr layout always has the permanent strings first, and the request strings after. In non-opcache, a request string may get a slot in map_ptr, and that interned request string gets destroyed at the end of the request. The corresponding map_ptr slot can thereafter never be used again. This causes map_ptr to keep reallocating to larger and larger sizes. We solve it as follows: We can check whether we had any interned request strings, which only happens in non-opcache. If we have any, we reset map_ptr to the last permanent string. We can't lose any permanent strings because of map_ptr's layout. Closes GH-10783.
show more ...
|
#
7202fe16 |
| 27-Feb-2023 |
Ilija Tovilo |
Fix GH-10709: UAF in recursive AST evaluation Fixes https://oss-fuzz.com/testcase-detail/6445949468934144 Closes GH-10718
|
#
22c9e7e2 |
| 04-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Add missing error check on PEM_write_bio_PKCS7() Closes GH-10752.
|
#
30ebecb1 |
| 03-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Add missing error checks on EVP_MD_CTX_create() and EVP_VerifyInit() The first one returns NULL on error, and the second one returns 0 on error. These weren't checked. Closes GH
Add missing error checks on EVP_MD_CTX_create() and EVP_VerifyInit() The first one returns NULL on error, and the second one returns 0 on error. These weren't checked. Closes GH-10762.
show more ...
|
#
e633be3e |
| 03-Mar-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-10766: PharData archive created with Phar::Zip format does not keep files metadata (datetime) Due to an incorrect check, the datetime was never actually set. To test this we need
Fix GH-10766: PharData archive created with Phar::Zip format does not keep files metadata (datetime) Due to an incorrect check, the datetime was never actually set. To test this we need to write the file using phar, but read the file using a different method to not get a cached, or a value that's been transformed twice and is therefore accidentally correct. Closes GH-10769
show more ...
|