#
e643129b |
| 02-Nov-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16628: FPM logs are getting corrupted with this log statement zlog_buf_prefix() can return a larger length than what actually was written due to its use of snprintf(). The code in
Fix GH-16628: FPM logs are getting corrupted with this log statement zlog_buf_prefix() can return a larger length than what actually was written due to its use of snprintf(). The code in zlog_stream_prefix_ex() does not take this into account, other callers do. What ends up happening then is that stream->length is set to the length as if snprintf() was able to write all bytes, causing stream->length to become larger than stream->buf.size, causing a segfault. In case the buffer was too small we try with a larger buffer up to a limit of zlog_limit. This makes sure that the stream length will remain bounded by the buffer size. This also adds assertions to make the programmer intent clear and catch this more easily in debug builds. Closes GH-16680.
show more ...
|
#
e715dd0a |
| 05-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls
Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls the global function with name `$name` via `call_user_function`. Note that observer writes the pointer to the previously observed frame in the last temporary of the new call frame (`*prev_observed_frame`). The following happens: First, we call `$test->callee`, this will be handled via a trampoline with T=2 for the two arguments. The call frame is allocated at this point. This call frame is not observed because it has `ZEND_ACC_CALL_VIA_TRAMPOLINE` set. Next we use `ZEND_CALL_TRAMPOLINE` to call the trampoline, this reuses the stack frame allocated earlier with T=2, but this time it is observed. The pointer to the previous frame is written outside of the call frame because `T` is too small (should be 3). We are now in the internal function `_ZendTestMagicCallForward::__call` where we call the global function `callee`. This will push a new call frame which will overlap `*prev_observed_frame`. This value gets overwritten by `zend_init_func_execute_data` when `EX(opline)` is set because `*prev_observed_frame` overlaps with `EX(opline)`. From now on, `*prev_observed_frame` is corrupted. When `zend_observer_fcall_end` is called this will result in reading wrong value `*prev_observed_frame` into `current_observed_frame`. This causes issues in `zend_observer_fcall_end_all` leading to the segfault we observe. Despite function with `ZEND_ACC_CALL_VIA_TRAMPOLINE` not being observed, the reuse of call frames makes problems when `T` is not large enough. To fix this, we make sure to add 1 to `T` if `ZEND_OBSERVER_ENABLED` is true. Closes GH-16252.
show more ...
|
#
1ff277de |
| 25-Jun-2024 |
Arnaud Le Blanc |
Fix is_zend_ptr() for huge blocks (#14626) is_zend_ptr() expected zend_mm_heap.huge_list to be circular, but it's in fact NULL-terminated. It could crash when at least one huge block exists
Fix is_zend_ptr() for huge blocks (#14626) is_zend_ptr() expected zend_mm_heap.huge_list to be circular, but it's in fact NULL-terminated. It could crash when at least one huge block exists and the ptr did not belong to any block.
show more ...
|
#
bc558bf7 |
| 09-Jun-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-11078: PHP Fatal error triggers pointer being freed was not allocated and malloc: double free for ptr errors Although the issue was demonstrated using Curl, the issue is purely in
Fix GH-11078: PHP Fatal error triggers pointer being freed was not allocated and malloc: double free for ptr errors Although the issue was demonstrated using Curl, the issue is purely in the streams layer of PHP. Full analysis is written in GH-11078 [1], but here is the brief version: Here's what actually happens: 1) We're creating a FILE handle from a stream using the casting mechanism. This will create a cookie-based FILE handle using funopen. 2) We're reading stream data using fread from the userspace stream. This will temporarily set a buffer into a field _bf.base [2]. This buffer is now equal to the upload buffer that Curl allocated and note that that buffer is owned by Curl. 3) The fatal error occurs and we bail out from the fread function, notice how the reset code is never executed and so the buffer will still point to Curl's upload buffer instead of FILE's own buffer [3]. 4) The resources are destroyed, this includes our opened stream and because the FILE handle is cached, it gets destroyed as well. In fact, the stream code calls through fclose on purpose in this case. 5) The fclose code frees the _bs.base buffer [4]. However, this is not the buffer that FILE owns but the one that Curl owns because it isn't reset properly due to the bailout! 6) The objects are getting destroyed, and so the curl free logic is invoked. When Curl tries to gracefully clean up, it tries to free the buffer. But that buffer is actually already freed mistakingly by the C library! This also explains why we can't reproduce it on Linux: this bizarre buffer swapping only happens on macOS and BSD, not on Linux. To solve this, we switch to an unbuffered mode for cookie-based FILEs. This avoids any stateful problems related to buffers especially when the bailout mechanism triggers. As streams have their own buffering mechanism, I don't expect this to impact performance. [1] https://github.com/php/php-src/issues/11078#issuecomment-2155616843 [2] https://github.com/apple-open-source-mirror/Libc/blob/5e566be7a7047360adfb35ffc44c6a019a854bea/stdio/FreeBSD/fread.c#L102-L103 [3] https://github.com/apple-open-source-mirror/Libc/blob/5e566be7a7047360adfb35ffc44c6a019a854bea/stdio/FreeBSD/fread.c#L117 [4] https://github.com/apple-open-source-mirror/Libc/blob/5e566be7a7047360adfb35ffc44c6a019a854bea/stdio/FreeBSD/fclose.c#L66-L67 Closes GH-14524.
show more ...
|
#
ebd1a366 |
| 13-May-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-14215: Cannot use FFI::load on CRLF header file with apache2handler Some modules may reset _fmode, which causes mangling of line endings. Always be explicit like we do in other pl
Fix GH-14215: Cannot use FFI::load on CRLF header file with apache2handler Some modules may reset _fmode, which causes mangling of line endings. Always be explicit like we do in other places where the native open call is used. Closes GH-14218.
show more ...
|
#
13d3564a |
| 28-Aug-2023 |
Remi Collet |
Fix #12063 convert PHP single-quote to C double-quote string
|
#
c934e241 |
| 26-Dec-2022 |
Máté Kocsis |
Fix GH-9967 Add support for generating custom function, class const, and property attributes in stubs
|
#
3e0e7e3f |
| 24-Aug-2023 |
ju1ius |
releases property attributes of internal classes (#11980) * adds test case for internal class property attribute * releases property attributes of internal classes
|
#
7f1c3bf0 |
| 18-Aug-2023 |
ju1ius |
Adds support for DNF types in internal functions and properties (#11969) Note that this does not add support for items generated by gen_stubs, only for items registered dynamically via
Adds support for DNF types in internal functions and properties (#11969) Note that this does not add support for items generated by gen_stubs, only for items registered dynamically via the Zend API. Closes GH-10120
show more ...
|
#
65a02f48 |
| 02-Aug-2023 |
George Peter Banyard |
ext/zend_test: Move object handler test objects to their own file (#11852)
|
#
9bcdf219 |
| 31-Mar-2023 |
Ilija Tovilo |
Resolve open_basedir paths on ini update Closes GH-10987
|
#
d8696f92 |
| 17-Jul-2023 |
George Peter Banyard |
[RFC] Path to Saner Increment/Decrement operators (#10358) * Add behavioural tests for incdec operators * Add support to ++/-- for objects castable to _IS_NUMBER * Add str_
[RFC] Path to Saner Increment/Decrement operators (#10358) * Add behavioural tests for incdec operators * Add support to ++/-- for objects castable to _IS_NUMBER * Add str_increment() function * Add str_decrement() function RFC: https://wiki.php.net/rfc/saner-inc-dec-operators Co-authored-by: Ilija Tovilo <ilija.tovilo@me.com> Co-authored-by: Arnaud Le Blanc <arnaud.lb@gmail.com>
show more ...
|
#
7b355e8d |
| 04-Jul-2023 |
Ilija Tovilo |
Revert "Merge branch 'PHP-8.2'" This reverts commit 45a3f178dc226b69f5d72f10285bc2ad139b2c1c, reversing changes made to b2a54bc6af4bf645b5bb2601621c12b31bfbff0c.
|
#
3906bccc |
| 27-Jun-2023 |
Máté Kocsis |
Add support for typed class constants in stubs
|
#
80e90ad7 |
| 07-Mar-2023 |
George Peter Banyard |
Add number or str ZPP macros
|
#
b3e33be4 |
| 21-Mar-2023 |
Ilija Tovilo |
Forward shutdown exceptions to user error handlers Fixes GH-10695 Closes GH-110905
|
#
2ef1930a |
| 06-Apr-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix number of elements after packed hash filling (#11022) After a hash filling routine the number of elements are set to the fill index. However, if the fill index is larger than the num
Fix number of elements after packed hash filling (#11022) After a hash filling routine the number of elements are set to the fill index. However, if the fill index is larger than the number of elements, the number of elements are no longer correct. This is observable at least via count() and var_dump(). E.g. the attached test case would incorrectly show int(17) instead of int(11). Solve this by only increasing the number of elements by the actual number that got added. Instead of adding a variable that increments per iteration, I wanted to save some cycles in the iteration and simply compute the number of added elements at the end. I discovered this behaviour while fixing GH-11016, where this filling routine is easily exposed to userland via a specialised VM path [1]. Since this seems to be more a general problem with the macros, and may be triggered outside of the VM handlers, I fixed it in the macros instead of modifying the VM to fixup the number of elements. [1] https://github.com/php/php-src/blob/b2c5acbb010f4bbc7ea9b53ba9bc81d672dd0f34/Zend/zend_vm_def.h#L6132-L6141
show more ...
|
#
3b066188 |
| 07-Mar-2023 |
George Peter Banyard |
RFC: Saner array_(sum|product)() (#10161) RFC: https://wiki.php.net/rfc/saner-array-sum-product Moreover, the internal fast_add_function() function was removed.
|
#
145602f3 |
| 28-Feb-2023 |
Bob Weinand |
Fix bug in zend_test assuming null not being the first type (I agree that null should come last, but then it should rather throw with a proper message than emit an undefined key warning.)
Fix bug in zend_test assuming null not being the first type (I agree that null should come last, but then it should rather throw with a proper message than emit an undefined key warning.) Signed-off-by: Bob Weinand <bobwei9@hotmail.com>
show more ...
|
#
0c9181b6 |
| 29-Jan-2023 |
George Peter Banyard |
Add function in zend_test to check UTF8 flag is added Also add test to check what strings are marked as having the flag
|
#
1fbe8559 |
| 19-Jan-2023 |
Bob Weinand |
Honor constant expressions instead of just taking the last constant encountered in stubs As an example: should be translated to: ZVAL_LONG(&attribute_Attribute_class_test_arg0, ZEND_
Honor constant expressions instead of just taking the last constant encountered in stubs As an example: should be translated to: ZVAL_LONG(&attribute_Attribute_class_test_arg0, ZEND_ATTRIBUTE_TARGET_FUNCTION | ZEND_ATTRIBUTE_TARGET_METHOD);
show more ...
|
#
3e48e52d |
| 29-Dec-2022 |
Tim Düsterhus |
Register parameter attributes via stub in ext/zend_test (#10183)
|
#
a11c8a30 |
| 16-Dec-2022 |
Arnaud Le Blanc |
Limit stack size (#9104)
|
#
f203edd3 |
| 30-Nov-2023 |
Ilija Tovilo |
Fix leak of call->extra_named_params on internal __call Fixes GH-12835 Closes GH-12836
|
#
78fba9cb |
| 08-Nov-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-12628: The gh11374 test fails on Alpinelinux Closes GH-12636.
|