ff62d117 | 04-Mar-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-8646: Memory leak PHP FPM 8.1

Fixes GH-8646
See https://github.com/php/php-src/issues/8646 for thorough discussion.

Interned strings that hold class entries can get a corresponding slot in map_ptr for the CE cache. map_ptr works like a bump allocator: there is a counter which increases to allocate the next slot in the map.

For class name strings in non-opcache we have:
- on startup: permanent + interned
- on request: interned

For class name strings in opcache we have:
- on startup: permanent + interned
- on request: either not interned at all, which we can ignore because they won't get a CE cache entry, or they were already permanent + interned, or we get a new permanent + interned string in the opcache persistence code

Notice that the map_ptr layout always has the permanent strings first, and the request strings after. In non-opcache, a request string may get a slot in map_ptr, and that interned request string gets destroyed at the end of the request. The corresponding map_ptr slot can thereafter never be used again. This causes map_ptr to keep reallocating to larger and larger sizes.

We solve it as follows: We can check whether we had any interned request strings, which only happens in non-opcache. If we have any, we reset map_ptr to the last permanent string. We can't lose any permanent strings because of map_ptr's layout.

Closes GH-10783.

7202fe16 | 27-Feb-2023 | Ilija Tovilo
Fix GH-10709: UAF in recursive AST evaluation

Fixes https://oss-fuzz.com/testcase-detail/6445949468934144
Closes GH-10718

22c9e7e2 | 04-Mar-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Add missing error check on PEM_write_bio_PKCS7()

Closes GH-10752.

30ebecb1 | 03-Mar-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Add missing error checks on EVP_MD_CTX_create() and EVP_VerifyInit()

The first one returns NULL on error, and the second one returns 0 on error. These weren't checked.

Closes GH-10762.

e633be3e | 03-Mar-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-10766: PharData archive created with Phar::Zip format does not keep files metadata (datetime)

Due to an incorrect check, the datetime was never actually set. To test this we need to write the file using phar, but read the file using a different method to not get a cached value, or a value that's been transformed twice and is therefore accidentally correct.

Closes GH-10769

abc6fe8f | 03-Mar-2023 | nielsdos <7771979+nielsdos@users.noreply.github.com>
Propagate success status of ftp_close() to userland

The docs say that this function returns true on success, and false on error. This function always returns true in the current implementation because the success return value from ftp_close() is never propagated to userland.

This affects one test: since the test server exits after an invalid login, the ftp close correctly fails (because the server has gone away).

ffc2a53a | 28-Feb-2023 | David Carlier
Fix GH-10728: opcache capstone header's inclusion.

Remove capstone include folder. For most of the supported systems it worked fine somehow despite the pkg-config --cflags, but it is always included even on Linux.

Closes GH-10732.

8f92a078 | 03-Mar-2023 | Arnaud Le Blanc
[ci skip] NEWS

df93146a | 02-Mar-2023 | Ilija Tovilo
Fix missing readonly modification error with inc/dec in JIT

Closes GH-10746

729f006d | 28-Feb-2023 | Patrick Allaert
PHP-8.1 is now for PHP 8.1.18-dev

0f21cbc5 | 27-Feb-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-10715: phpdbg heap buffer overflow -- by misuse of the option "--run"

Fixes GH-10715

When a string starting with a NUL character is passed to phpdbg_vprint(), the vasprintf() will return that 0 characters have been printed. This causes msglen == 0. When phpdbg_process_print() is called with a message of length 0, the -1 to check for '\n' will perform an out of bounds read. Since nothing is printed anyway for msglen == 0, it seems best to just skip the printing routine for this case.

Closes GH-10720.

b09be29a | 25-Feb-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix incorrect error checking in php_openssl_set_server_dh_param()

SSL_CTX_set_tmp_dh() and SSL_CTX_set0_tmp_dh_pkey() return 1 on success and 0 on error. But only < 0 was checked which means that errors were never caught.

Closes GH-10705.

df579ada | 25-Feb-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-10692: PHP crashes on Windows when an inexistent filename is executed

Fixes GH-10692

php_fopen_primary_script() does not initialize all fields of zend_file_handle. So when it fails and when fastcgi is true, the zend_destroy_file_handle() function will try to free uninitialized pointers, causing a segmentation fault. Fix it by zero-initializing file handles just like the zend_stream_init_fp() counterpart does.

Closes GH-10697.

7d2b01ee | 24-Feb-2023 | Ilija Tovilo
[skip ci] Add github reference to bug fix in NEWS

b9a5bfc3 | 12-Feb-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-10570: Assertion `(key)->h != 0 && "Hash must be known"' failed.

Fixes GH-10570, see GH-10570 for analysis.

Closes GH-10572

8959ff39 | 24-Feb-2023 | nielsdos <7771979+nielsdos@users.noreply.github.com>
Fix incorrect type for return value of zend_update_static_property_ex()

zend_update_static_property_ex() returns a zend_result, but the return value is stored here in a bool. A bool is unsigned on my system, so in case zend_update_static_property_ex() returns FAILURE (== -1) this gets converted to 1 instead. This is not a valid zend_result value. This means that (transitive) callers could mistakenly think the function succeeded while it did in fact not succeed. Fix it by changing the type to zend_result.

Closes GH-10691.

91db3a1b | 17-Feb-2023 | Pierrick Charron
Fixed bug GH-10270 Unable to return CURL_READFUNC_PAUSE in readfunc callback

Closes GH-10607

Signed-off-by: George Peter Banyard <girgias@php.net>

5f357f34 | 23-Feb-2023 | George Peter Banyard
Fix GH-10672 (pg_lo_open segfaults in the strict_types mode)

We need to use the proper ZPP qualifier for zend_string

Closes GH-10677

8d1c0a14 | 22-Feb-2023 | Daniil Gentili
Fix segfault when using ReflectionFiber (fixes #10439)

Closes GH-10478

c510083c | 22-Feb-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix incorrect string length for output_handler in zlib ini code

The length of "output_handler" is supposed to be passed, but as sizeof is used, the resulting number includes the NUL character, so the length is off-by-one. Subtract one to pass the correct length.

Closes GH-10667.

0a466e7a | 21-Feb-2023 | NathanFreeman <1056159381@qq.com>
Fix GH-10647: Spoofchecker isSuspicious/areConfusable methods error code's argument.

Closes GH-10653.

da3ce601 | 21-Feb-2023 | nielsdos <7771979+nielsdos@users.noreply.github.com>
Propagate errors correctly in ps_files_cleanup_dir()

In SessionHandler::gc, we use a virtual call to PS(default_mod)->s_gc to call the gc implementation. That return value is checked against FAILURE (-1). One of the call targets of PS(default_mod)->s_gc is ps_gc_files(). ps_gc_files() calls to ps_files_cleanup_dir(). The latter function has some error checks and outputs a notice if something goes wrong. In cases of errors, the function returns 0. This means that the check in SessionHandler::gc will misinterpret this as a success and report that 0 files have been *successfully* cleaned up. Fix it by returning -1 to indicate something *did* go wrong.

Closes GH-10644.

8cac8306 | 20-Feb-2023 | ndossche
Fix incorrect error check in browsecap for pcre2_match()

pcre2_match() returns error codes < 0, but only the "no match" error code was handled. Fix it by changing the check to >= 0.

Closes GH-10632

Signed-off-by: George Peter Banyard <girgias@php.net>

f592f75e | 20-Feb-2023 | ndossche
Add missing error check on tidyLoadConfig

Parse errors were not reported for the default config, they were only reported when explicitly another config was loaded. This means that users may not be aware of errors in their configuration and therefore the behaviour of Tidy might not be what they intended. This patch fixes that issue by using a common function.

In fact, the check for -1 might be enough for the current implementation of Tidy, but the Tidy docs say that any value other than 0 indicates an error. So future errors might not be caught when just using an error code of -1. Therefore, this also changes the error code checks of == -1 to < 0 and == 1 to > 0.

Closes GH-10636

Signed-off-by: George Peter Banyard <girgias@php.net>

ed0c0df3 | 19-Feb-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-10627: mb_convert_encoding crashes PHP on Windows

Fixes GH-10627

The php_mb_convert_encoding() function can return NULL on error, but this case was not handled, which led to a NULL pointer dereference and hence a crash.

Closes GH-10628

Signed-off-by: George Peter Banyard <girgias@php.net>