b1840737 | 10-May-2021 | Christoph M. Becker
Avoid OOB reads in create_name_with_username()

`accel_uname_id` and `zend_system_id` are MD5 buffers which are not NUL terminated. Thus, we must not pass them to `snprintf()`. Closes GH-6968.

96bf925c | 02-Jul-2021 | Nikita Popov
Fix return value of wrong function by-ref assign

We should be using the result of zend_assign_to_variable() here, which will deref prior to potential freeing. Fixes oss-fuzz #29899.

bdc60fa7 | 02-Jul-2021 | Nikita Popov
Fixed bug #80173

The analysis in the bug report wasn't correct (at least not in this case -- there may still be a more general problem here), the issue was that write_property returned the original variable_ptr rather than the zend_assign_to_variable() return value, which will DEREF the variable before overwriting it.

36f5d719 | 01-Jul-2021 | Nikita Popov
Fix leak on foreach by ref assign to property

In this case we ended up creating an ASSIGN_OBJ_REF with VAR result operand, which was not freed. Fix this by implementing assign_ref_znode the same way as assign_znode, i.e. performing an assignment with result and then freeing the result, which will mark the result as UNUSED. This is more robust than the special handling for result == NULL that was used before. This fixes one of the issues reported in bug #81190.

334387bb | 01-Jul-2021 | Christoph M. Becker
Fix #52093: openssl_csr_sign truncates $serial

We use `ASN1_INTEGER_set_int64()` if supported[1], to avoid the truncation of the integer.

[1] <https://www.openssl.org/docs/man1.1.0/man3/ASN1_INTEGER_set_int64.html#HISTORY>

Closes GH-7209.

d7db5701 | 30-Jun-2021 | Christoph M. Becker
Fix #73630: Built-in Webserver - overwrite $_SERVER['request_uri']

The built-in Webserver's `on_path`, `on_query_string` and `on_url` callbacks may be called multiple times from the parser; we must not simply replace the old values, but need to concatenate the new values instead. This appears to be tricky for `on_path` due to the path normalization, so we fail if the function is called again. The built-in Webserver logs errors during request parsing to stderr, but this is ignored by the php_cli_server framework, and apparently the Webserver does not send a response at all in such cases (instead of a 4xx). Thus we can only check that a request with an overly long path fails. Closes GH-7207.

98a21d1d | 12-Feb-2021 | Calvin Buckley
Fix bug #80728: Don't reset the timeout on ini deactivate

When the time limit for a script is changed, when the script ends, its INI value will be reset. This calls the event handler for the timeout change, which will unset then reset the timeout. However, this is done even if the script is done executing, and say, the CGI or CLI web server process is idle. This is probably incorrect, but isn't a problem on most platforms, because PHP uses a timer that only ticks when the process is active (that is, executing code). Since when it's idle, it's blocking on listen/read, it won't tick because nothing executes. However, on platforms where only the real-time timer is supported (Cygwin/PASE), it ticks regardless of whether PHP is even executing. This means that the idle processes are subject to timeouts from the INI reset on script end. This makes it so the timer is never set if the state is deactivating. Testing with the CLI web server indicates the timer no longer spuriously activates under PASE. Closes GH-6683.

7bab67c2 | 28-Jun-2021 | Stanislav Malyshev
Fix warning

(cherry picked from commit 190013787bbc424c240413d914e3a038f974ccef)

1a01f781 | 23-Jun-2021 | Christoph M. Becker
Fix #68471: IntlDateFormatter fails for "GMT+00:00" timezone

GMT+00:00 is recognized by ICU, and is normalized to GMT. There are no issues when GMT+00:00 is passed to `IntlTimeZone::createTimeZone()`, but passing it to IntlDateFormatter::__construct() causes a failure, since there is an additional check regarding the validity. While checking the validity of the result of `TimeZone::createTimeZone()`[1] is a good idea, comparing the IDs is overly restrictive. Instead we just check that the timezone is supported by ICU.

[1] <https://unicode-org.github.io/icu-docs/apidoc/dev/icu4c/classicu_1_1TimeZone.html#a35da0507b62754ffe5d8d59c19775cdb>

Closes GH-7190.

2327e3d3 | 28-Jun-2021 | Stanislav Malyshev
Merge branch 'PHP-7.3' into PHP-7.4

* PHP-7.3:
  Update NEWS
  Fix #76448: Stack buffer overflow in firebird_info_cb
  Fix #76449: SIGSEGV in firebird_handle_doer
  Fix #76450: SIGSEGV in firebird_stmt_execute
  Fix #76452: Crash while parsing blob data in firebird_fetch_blob
  Fix #81122: SSRF bypass in FILTER_VALIDATE_URL

c68a6875 | 21-Jun-2021 | Stanislav Malyshev
Update NEWS

67afa325 | 29-Apr-2021 | Christoph M. Becker
Fix #76448: Stack buffer overflow in firebird_info_cb

We ensure not to overflow the stack allocated buffer by using `strlcat`.

08da7c73 | 30-Apr-2021 | Christoph M. Becker
Fix #76449: SIGSEGV in firebird_handle_doer

We need to verify that the `result_size` is not larger than our buffer, and also should make sure that the `len` which is passed to `isc_vax_integer()` has a permissible value; otherwise we bail out.

bcbf8aa0 | 30-Apr-2021 | Christoph M. Becker
Fix #76450: SIGSEGV in firebird_stmt_execute

We need to verify that the `result_size` is not larger than our buffer, and also should make sure that the `len` which is passed to `isc_vax_integer()` has a permissible value; otherwise we bail out.

286162e9 | 05-May-2021 | Christoph M. Becker
Fix #76452: Crash while parsing blob data in firebird_fetch_blob

We need to prevent integer overflow when calling `erealloc()` with `len+1`.

a5538c62 | 14-Jun-2021 | Christoph M. Becker
Fix #81122: SSRF bypass in FILTER_VALIDATE_URL

We need to ensure that the password detected by parse_url() is actually a valid password; we can re-use is_userinfo_valid() for that.

4d8eb892 | 19-Jun-2021 | Anatol Belski
NEWS: Add bug #81101 note

[ci skip]

Signed-off-by: Anatol Belski <ab@php.net>

1a1d86d5 | 06-Jun-2021 | Anatol Belski
pcre: Workaround bug #81101

The way to fix it is to disable certain match start optimizations. The observed performance impact appears negligible ATM, compared to the functional regression revealed. A possible side effect might occur if a pattern uses (*COMMIT) or (*MARK), which is however not a very broadly used syntax in PHP. Still this should be observed and handled by possibly adding a possibility to reverse PCRE2_NO_START_OPTIMIZE on the user side. One test shows a behavior change, where instead of int 0 the match would produce an error and return false. Unless strict comparison is used, this should be acceptable.

Signed-off-by: Anatol Belski <ab@php.net>

(cherry picked from commit d188ca7688315e3d32d41a32e0ce7b1f9bffb4cf)

Signed-off-by: Anatol Belski <ab@php.net>

bc59b046 | 18-Jun-2021 | Joe Watkins
Fix bug #81163 indirect vars in __sleep

99e7c5ce | 17-Jun-2021 | Christoph M. Becker
Fix test in case fallocate(1) is available, but fails

That happens on Travis s390x for whatever reason. Thus, instead of checking for `fallocate -h`, we attempt the real allocation and skip if that fails.

2555efad | 17-Jun-2021 | Christoph M. Becker
Fix #81145: copy() and stream_copy_to_stream() fail for +4GB files

When mapping the file, we need to pass the proper `dwFileOffsetHigh` instead of `0`.

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>

Closes GH-7158.

0f1b17e3 | 14-Jun-2021 | Christoph M. Becker
Fix #72809: Locale::lookup() wrong result with canonicalize option

Canonicalization converts the locale to ICU format[1]. However, the lookup described in RFC 4647, section 3.4, is about POSIX format. To make that lookup work for ICU format, we also need to cater to keyword separators. The results are somewhat unexpected, but apparently canonical lookup is explicitly supposed to return canonical language tags[2].

[1] <https://unicode-org.github.io/icu/userguide/locale/#canonicalization>
[2] <https://github.com/php/php-src/blob/php-7.4.20/ext/intl/locale/locale_methods.c#L1504>

Closes GH-7151.

8370a084 | 15-Jun-2021 | Derick Rethans
Prepare for 7.4.22

d15e10d7 | 13-Jun-2021 | Christoph M. Becker
Fix test wrt. OPENSSL_CONF

This test is supposed to verify the path of the default OpenSSL config file; it will fail, though, if OPENSSL_CONF is explicitly set, so we explicitly unset this environment variable for this test.

3f4bc94b | 10-Jun-2021 | Nikita Popov
Mitigation for bug #81096

This issue is properly fixed by GH-7121 on master. For older branches, disable the use of range information in SCCP, to reduce impact of potentially incorrect ranges.