#
4bfe69bb |
| 21-Dec-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-17225: NULL deref in spl_directory.c NULL checks for the glob stream are inconsistently applied. To solve this generally, factor it out to a helper function so it's less likely to be forgotten in the future. Closes GH-17231.
|
#
61615d56 |
| 21-Dec-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-17224: UAF in importNode Wrong document pointer is used for the namespace copy. Closes GH-17230.
|
#
2c3b56de |
| 19-Dec-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-17216: Trampoline crash on error The error handling is incomplete on argument cleanup. 1. The fci is not cleared which means that zend_free_trampoline() is never called. 2. The cleaning for extra named arguments was missing, resulting in memory leak. Closes GH-17219.
|
#
c4bb6e6c |
| 20-Dec-2024 |
David CARLIER |
ext/sockets: further timeout handling changes. (#17210) close GH-17210
|
#
6f579934 |
| 19-Dec-2024 |
Arnaud Le Blanc |
Add observer temporary to dl'ed functions When observer is enabled, we normally add an extra temporary to all functions, to store the previously observed frame. However, this is done in zend_observer_post_startup() so it doesn't happen to dl'ed() functions. One possible fix would be to move that from zend_observer_post_startup() to zend_register_functions(), but this would be too early: Observer may not be enabled when zend_register_functions() is called, and may still be enabled later. However, when zend_register_functions() is called at run-time (during dl()), we know definitively whether observer is enabled. Here I update zend_register_functions() to add a temporary to dl'ed() functions when observer is enabled. Fixes: GH-17211 Closes: GH-17220
|
#
16c0e575 |
| 29-Jun-2024 |
David Carlier |
Fix GH-14709 overflow on recurrences for DatePeriod::__construct close GH-14710
|
#
a23ecc0a |
| 19-Dec-2024 |
Arnaud Le Blanc |
NEWS for GH-17168
|
#
fb2443ac |
| 18-Dec-2024 |
David Carlier |
ext/posix posix_ttyname/posix_isatty fd error handling update. Set to `EBADF` errno for posix_ttyname when out of ranges. posix_fpathconf now returns false on out of range file descriptors. close GH-17209
|
#
6666cc83 |
| 18-Dec-2024 |
Dmitry Stogov |
Fix RC inference of op1 of FETCH_OBJ and INIT_METHOD_CALL Fixes GH-17151 Closes GH-17152
|
#
f0441744 |
| 17-Dec-2024 |
Ilija Tovilo |
Fix incorrect dynamic prop offset in hooked prop iterator Fixes GH-17200 Closes GH-17203
|
#
53b69ba8 |
| 08-Dec-2024 |
Christoph M. Becker |
Fix GH-17067: glob:// wrapper doesn't cater to CWD for ZTS builds `glob(3)` doesn't know the virtual CWD of PHP, so we need to pass an absolute path for ZTS builds. In lack of a reusable routine, we copy the code from `glob()` and adapt as needed. Closes GH-17074.
|
#
d25aac29 |
| 10-Dec-2024 |
Derick Rethans |
Fixed GH-16944: Refactor IP ranges by using the tables from RFC 6890
|
#
5f13c62c |
| 17-Dec-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-17198: SplFixedArray assertion failure with get_object_vars Because the properties table contains both a numeric index and a string index that map to 0 in a symbol table, this causes an assertion failure. Looking at the manual page of get_object_vars(), it seems that only real properties must be included. Given that SplFixedArray's elements are not accessible like properties, they should be excluded. This restores PHP 8.3 behaviour. The reason that this didn't cause problems on 8.3 is because it used a different handler (get_properties). Closes GH-17206.
|
#
e2474618 |
| 17-Dec-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-17201: Dom\TokenList issues with interned string replace If a bucket previously had a non-interned string, and is now replaced with an interned string, then the type flags still incorrectly state it's a non-interned string. This leads to the refcount being edited for interned strings, which in turn can lead to a crash when protect_memory is set. Closes GH-17207.
|
#
18d47cf6 |
| 17-Dec-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
[ci skip] News for GH-17101
|
#
8a649a83 |
| 12-Dec-2024 |
David Carlier |
ext/sockets: socket_set_option switch from convert_to_long to zval_get_long. to be explicit when the expected type is not met. Check SO_LINGER values for possible overflow. close GH-17135
|
#
2104097a |
| 13-Dec-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG) ZEND_FETCH_DIM_FUNC_ARG should also be repeated on undefined access, consistent to how ZEND_FETCH_DIM_R is handled. The opcode was just missing from the assertion list. Closes GH-17148. Co-authored-by: Dmitry Stogov <dmitry@zend.com>
|
#
6c198e38 |
| 15-Dec-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16255: Unexpected nan value in ext/gd/libgd/gd_filter.c Closes GH-17169.
|
#
52ebdfbe |
| 16-Dec-2024 |
Saki Takamachi |
Correctly round rounding mode with zero edge case (#17065) Fixes #17064 Closes #17065
|
#
2df9f327 |
| 15-Dec-2024 |
Gina Peter Banyard |
ext/pcntl: Fix memory leak in cleanup code of pcntl_exec()
|
#
ee0daa59 |
| 15-Dec-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-17162: zend_array_try_init() with dtor can cause engine UAF Closes GH-17167.
|
#
0a3442fb |
| 15-Dec-2024 |
David Carlier |
ext/pgsql fixing further calls with flexible arguments number. continuation of GH-17161 close GH-17165
|
#
142f85e2 |
| 13-Dec-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-17137: Segmentation fault ext/phar/phar.c Commit edae2431 attempted to fix a leak and double free, but didn't properly understand what was going on, causing a reference count mistake and subsequent segfault in this case. The first mistake of that commit is that the reference count should've been increased because we're reusing a phar object. The error handling path should've gotten changed instead to undo this refcount increase instead of not refcounting at all (root cause of this bug). The second mistake is that the alias isn't supposed to be transferred or whatever, that just doesn't make sense. The reason the test bug69958.phpt originally leaked is because in the non-reuse case we borrowed the alias and otherwise we own the alias. If we own the alias the alias information shouldn't get deleted anyway as that would desync the alias map. Fixing these will reveal a third issue in which the alias memory is not always properly in sync with the persistence-ness of the phar, fix this as well. Closes GH-17150.
|
#
a57a434f |
| 14-Dec-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-17153: SimpleXML crash when using autovivification on document In the case of a member string, `mynode` may also be a document, which doesn't have a namespace. Closes GH-17156.
|
#
388f63c3 |
| 14-Dec-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-17158: pg_fetch_result Shows Incorrect ArgumentCountError Message when Called With 1 Argument Closes GH-17161.
|