e643129b | 02-Nov-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-16628: FPM logs are getting corrupted with this log statement

zlog_buf_prefix() can return a larger length than what actually was written due to its use of snprintf(). The code in zlog_stream_prefix_ex() does not take this into account, other callers do. What ends up happening then is that stream->length is set to the length as if snprintf() was able to write all bytes, causing stream->length to become larger than stream->buf.size, causing a segfault.

In case the buffer was too small we try with a larger buffer up to a limit of zlog_limit. This makes sure that the stream length will remain bounded by the buffer size. This also adds assertions to make the programmer's intent clear and catch this more easily in debug builds.

Closes GH-16680.
b73bcaa4 | 21-Oct-2024 | Christoph M. Becker
Fix GH-16266: _ZendTestClass::test() segfaults on named parameter

We need to assign the proper number of arguments.

Closes GH-16271.
5bd04acf | 11-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Workaround deprecation warning in zend_test on 8.1
72c87469 | 02-Jul-2024 | Benjamin Eberlei
RFC: Add `#[\Deprecated]` Attribute (#11293)

see https://wiki.php.net/rfc/deprecated_attribute

Co-authored-by: Tim Düsterhus <tim@tideways-gmbh.com>
Co-authored-by: Ilija Tovilo <ilija.tovilo@me.com>
f4557b48 | 19-Jun-2024 | Florian Engelhardt
Add `gc` and `shutdown` callbacks to ZendMM custom handlers (#13432)
a1ea4640 | 19-Jun-2024 | Tim Düsterhus
gen_stub: Intern the parameter name string for named arguments in internal attributes (#14595)

This is necessary because `zend_get_attribute_object()` will use the persistent string with the parameter name as the index for a newly created non-persistent HashTable, which is not legal. As parameter names are expected to be short-ish, reasonably common terms and need to sit around in memory anyways, we might as well make them an interned string, sidestepping the issue without needing to duplicate the parameter name into a non-persistent string.
51379d66 | 06-Jun-2024 | Gina Peter Banyard
Zend: Add object_init_with_constructor() API (#14440)

This will instantiate the object and execute its constructor with the given parameters.
e54f564a | 04-Jun-2024 | Gina Peter Banyard
ext/zend_test: Fix [-Wsign-compare] warnings
e45d2d60 | 29-May-2024 | Peter Kokot
Sync HAVE_BUNDLED_PCRE #if/ifdef/defined (#14354)

Follow up of GH-5526 (-Wundef)
14873dd2 | 26-Feb-2024 | Florian Engelhardt
Drop zend_mm_set_custom_debug_handlers() (#13457)

Simplifies zend_mm_set_custom_debug_handlers to just use zend_mm_set_custom_handlers(), saving some conditionals when the Zend allocator is not used.
f2e199e8 | 25-Feb-2024 | Máté Kocsis
Implement "support doc comments for internal classes and functions" (#13266)

Fixes #13130
9628ca7b | 04-Feb-2024 | Peter Kokot
Fix zend_test extension name (#13321)

The zend_test extension was renamed from zend-test to zend_test in dbe5725ff3c89b61d14dea3e97bc77331830220e. This only syncs a few minor remaining bits.
6f460fd2 | 06-Dec-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Use diagnostic macros for the warning
692cea5c | 13-Sep-2023 | Ilija Tovilo
Use zend_error_noreturn for E_ERROR consistently

To be clear, these already don't return. zend_error_noreturn just hints at this fact through the ZEND_NORETURN attribute.

Closes GH-12204
e715dd0a | 05-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline

In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls the global function with name `$name` via `call_user_function`. Note that observer writes the pointer to the previously observed frame in the last temporary of the new call frame (`*prev_observed_frame`).

The following happens: First, we call `$test->callee`, this will be handled via a trampoline with T=2 for the two arguments. The call frame is allocated at this point. This call frame is not observed because it has `ZEND_ACC_CALL_VIA_TRAMPOLINE` set. Next we use `ZEND_CALL_TRAMPOLINE` to call the trampoline, this reuses the stack frame allocated earlier with T=2, but this time it is observed. The pointer to the previous frame is written outside of the call frame because `T` is too small (should be 3). We are now in the internal function `_ZendTestMagicCallForward::__call` where we call the global function `callee`. This will push a new call frame which will overlap `*prev_observed_frame`. This value gets overwritten by `zend_init_func_execute_data` when `EX(opline)` is set because `*prev_observed_frame` overlaps with `EX(opline)`. From now on, `*prev_observed_frame` is corrupted. When `zend_observer_fcall_end` is called this will result in reading wrong value `*prev_observed_frame` into `current_observed_frame`. This causes issues in `zend_observer_fcall_end_all` leading to the segfault we observe.

Despite function with `ZEND_ACC_CALL_VIA_TRAMPOLINE` not being observed, the reuse of call frames makes problems when `T` is not large enough. To fix this, we make sure to add 1 to `T` if `ZEND_OBSERVER_ENABLED` is true.

Closes GH-16252.
1ff277de | 25-Jun-2024 | Arnaud Le Blanc
Fix is_zend_ptr() for huge blocks (#14626)

is_zend_ptr() expected zend_mm_heap.huge_list to be circular, but it's in fact NULL-terminated. It could crash when at least one huge block exists and the ptr did not belong to any block.
bc558bf7 | 09-Jun-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-11078: PHP Fatal error triggers pointer being freed was not allocated and malloc: double free for ptr errors

Although the issue was demonstrated using Curl, the issue is purely in the streams layer of PHP. Full analysis is written in GH-11078 [1], but here is the brief version:

Here's what actually happens:
1) We're creating a FILE handle from a stream using the casting mechanism. This will create a cookie-based FILE handle using funopen.
2) We're reading stream data using fread from the userspace stream. This will temporarily set a buffer into a field _bf.base [2]. This buffer is now equal to the upload buffer that Curl allocated and note that that buffer is owned by Curl.
3) The fatal error occurs and we bail out from the fread function, notice how the reset code is never executed and so the buffer will still point to Curl's upload buffer instead of FILE's own buffer [3].
4) The resources are destroyed, this includes our opened stream and because the FILE handle is cached, it gets destroyed as well. In fact, the stream code calls through fclose on purpose in this case.
5) The fclose code frees the _bf.base buffer [4]. However, this is not the buffer that FILE owns but the one that Curl owns because it isn't reset properly due to the bailout!
6) The objects are getting destroyed, and so the curl free logic is invoked. When Curl tries to gracefully clean up, it tries to free the buffer. But that buffer is actually already freed mistakenly by the C library!

This also explains why we can't reproduce it on Linux: this bizarre buffer swapping only happens on macOS and BSD, not on Linux.

To solve this, we switch to an unbuffered mode for cookie-based FILEs. This avoids any stateful problems related to buffers especially when the bailout mechanism triggers. As streams have their own buffering mechanism, I don't expect this to impact performance.

[1] https://github.com/php/php-src/issues/11078#issuecomment-2155616843
[2] https://github.com/apple-open-source-mirror/Libc/blob/5e566be7a7047360adfb35ffc44c6a019a854bea/stdio/FreeBSD/fread.c#L102-L103
[3] https://github.com/apple-open-source-mirror/Libc/blob/5e566be7a7047360adfb35ffc44c6a019a854bea/stdio/FreeBSD/fread.c#L117
[4] https://github.com/apple-open-source-mirror/Libc/blob/5e566be7a7047360adfb35ffc44c6a019a854bea/stdio/FreeBSD/fclose.c#L66-L67

Closes GH-14524.
ebd1a366 | 13-May-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-14215: Cannot use FFI::load on CRLF header file with apache2handler

Some modules may reset _fmode, which causes mangling of line endings. Always be explicit like we do in other places where the native open call is used.

Closes GH-14218.
db1f7b12 | 14-Mar-2024 | David Carlier
zend_test: fix copy_file_range test for Linux 32 bits

Close GH-13708
334419e1 | 13-Mar-2024 | David Carlier
zend_test: fix copy_file_range for musl.

Normally should no longer need off64_t with glibc anyway.
de3c5c0b | 06-Dec-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Silence deprecations in zend-test

Forgot it here...
f203edd3 | 30-Nov-2023 | Ilija Tovilo
Fix leak of call->extra_named_params on internal __call

Fixes GH-12835
Closes GH-12836
8d2df86b | 24-Nov-2023 | Florian Engelhardt
Fix invalid opline in OOM handlers within ZEND_FUNC_GET_ARGS and ZEND_BIND_STATIC (#12768)

* fix segfault in `ZEND_BIND_STATIC`
  In case a `ZEND_BIND_STATIC` is being executed, while the current chunk is full, the `zend_array_dup()` call will trigger an OOM in ZendMM which will crash, as the opline might be a dangling pointer.
* add missing test
* `assert()`ing seems easier than trying to make the compiler not optimize
* moved from function call to INI setting, so we can use this in other places as well
* make `assert()` work on NDEBUG builds
* document magic number
* fix segfault in `ZEND_FUNC_GET_ARGS`
  In case a `ZEND_FUNC_GET_ARGS` is being executed, while the current chunk is full, the `zend_new_array()` call will trigger an OOM in ZendMM which will crash, as the opline might be a dangling pointer.

---------

Co-authored-by: Florian Engelhardt <florian@engelhardt.tc>
78fba9cb | 08-Nov-2023 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-12628: The gh11374 test fails on Alpinelinux

Closes GH-12636.
d4e40dc0 | 31-Oct-2023 | Máté Kocsis
Fix GH-12558 Escape \N in generated stubs (#12562)