| #
1ff277de |
| 25-Jun-2024 |
Arnaud Le Blanc |
Fix is_zend_ptr() for huge blocks (#14626)
is_zend_ptr() expected zend_mm_heap.huge_list to be circular, but it's in fact NULL-terminated. It could crash when at least one huge block exists
Fix is_zend_ptr() for huge blocks (#14626)
is_zend_ptr() expected zend_mm_heap.huge_list to be circular, but it's in fact NULL-terminated. It could crash when at least one huge block exists and the ptr did not belong to any block.
show more ...
|
| #
bc558bf7 |
| 09-Jun-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-11078: PHP Fatal error triggers pointer being freed was not allocated and malloc: double free for ptr errors
Although the issue was demonstrated using Curl, the issue is purely in
Fix GH-11078: PHP Fatal error triggers pointer being freed was not allocated and malloc: double free for ptr errors
Although the issue was demonstrated using Curl, the issue is purely in
the streams layer of PHP.
Full analysis is written in GH-11078 [1], but here is the brief version:
Here's what actually happens:
1) We're creating a FILE handle from a stream using the casting mechanism.
This will create a cookie-based FILE handle using funopen.
2) We're reading stream data using fread from the userspace stream. This will
temporarily set a buffer into a field _bf.base [2]. This buffer is now equal
to the upload buffer that Curl allocated and note that that buffer is owned
by Curl.
3) The fatal error occurs and we bail out from the fread function, notice how
the reset code is never executed and so the buffer will still point to
Curl's upload buffer instead of FILE's own buffer [3].
4) The resources are destroyed, this includes our opened stream and because the
FILE handle is cached, it gets destroyed as well.
In fact, the stream code calls through fclose on purpose in this case.
5) The fclose code frees the _bs.base buffer [4].
However, this is not the buffer that FILE owns but the one that Curl owns
because it isn't reset properly due to the bailout!
6) The objects are getting destroyed, and so the curl free logic is invoked.
When Curl tries to gracefully clean up, it tries to free the buffer.
But that buffer is actually already freed mistakingly by the C library!
This also explains why we can't reproduce it on Linux: this bizarre buffer
swapping only happens on macOS and BSD, not on Linux.
To solve this, we switch to an unbuffered mode for cookie-based FILEs.
This avoids any stateful problems related to buffers especially when the
bailout mechanism triggers. As streams have their own buffering
mechanism, I don't expect this to impact performance.
[1] https://github.com/php/php-src/issues/11078#issuecomment-2155616843
[2] https://github.com/apple-open-source-mirror/Libc/blob/5e566be7a7047360adfb35ffc44c6a019a854bea/stdio/FreeBSD/fread.c#L102-L103
[3] https://github.com/apple-open-source-mirror/Libc/blob/5e566be7a7047360adfb35ffc44c6a019a854bea/stdio/FreeBSD/fread.c#L117
[4] https://github.com/apple-open-source-mirror/Libc/blob/5e566be7a7047360adfb35ffc44c6a019a854bea/stdio/FreeBSD/fclose.c#L66-L67
Closes GH-14524.
show more ...
|
| #
ebd1a366 |
| 13-May-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-14215: Cannot use FFI::load on CRLF header file with apache2handler
Some modules may reset _fmode, which causes mangling of line endings.
Always be explicit like we do in other pl
Fix GH-14215: Cannot use FFI::load on CRLF header file with apache2handler
Some modules may reset _fmode, which causes mangling of line endings.
Always be explicit like we do in other places where the native open call
is used.
Closes GH-14218.
show more ...
|
| #
f203edd3 |
| 30-Nov-2023 |
Ilija Tovilo |
Fix leak of call->extra_named_params on internal __call
Fixes GH-12835
Closes GH-12836
|
| #
78fba9cb |
| 08-Nov-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-12628: The gh11374 test fails on Alpinelinux
Closes GH-12636.
|
| #
d4e40dc0 |
| 31-Oct-2023 |
Máté Kocsis |
Fix GH-12558 Escape \N in generated stubs (#12562)
|
| #
13d3564a |
| 28-Aug-2023 |
Remi Collet |
Fix #12063 convert PHP single-quote to C double-quote string
|
| #
c934e241 |
| 26-Dec-2022 |
Máté Kocsis |
Fix GH-9967 Add support for generating custom function, class const, and property attributes in stubs
|
| #
3e0e7e3f |
| 24-Aug-2023 |
ju1ius |
releases property attributes of internal classes (#11980)
* adds test case for internal class property attribute
* releases property attributes of internal classes
|
| #
7f1c3bf0 |
| 18-Aug-2023 |
ju1ius |
Adds support for DNF types in internal functions and properties (#11969)
Note that this does not add support for items generated by gen_stubs,
only for items registered dynamically via
Adds support for DNF types in internal functions and properties (#11969)
Note that this does not add support for items generated by gen_stubs,
only for items registered dynamically via the Zend API.
Closes GH-10120
show more ...
|
| #
02a80c5b |
| 14-Aug-2023 |
George Peter Banyard |
Fix various bugs related to DNF types
- GH-11958: DNF types in trait properties do not get bound properly
- GH-11883: Memory leak in zend_type_release() for non-arena allocated DNF typ
Fix various bugs related to DNF types
- GH-11958: DNF types in trait properties do not get bound properly
- GH-11883: Memory leak in zend_type_release() for non-arena allocated DNF types
- Internal trait bound to userland class would not be arena allocated
- Property DNF types were not properly deep copied during lazy loading
Co-authored-by: Ilija Tovilo <ilija.tovilo@me.com>
Co-authored-by: ju1ius <jules.bernable@gmail.com>
show more ...
|
| #
65a02f48 |
| 02-Aug-2023 |
George Peter Banyard |
ext/zend_test: Move object handler test objects to their own file (#11852)
|
| #
e61dbe54 |
| 01-Aug-2023 |
Ilija Tovilo |
Fix zend/test arginfo stub hash
|
| #
62228a25 |
| 31-Jul-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Disable global state test on Windows
It looks like the config.w32 uses CHECK_HEADER_ADD_INCLUDE to add the include
path to libxml into the search path.
That doesn't happen in zend-te
Disable global state test on Windows
It looks like the config.w32 uses CHECK_HEADER_ADD_INCLUDE to add the include
path to libxml into the search path.
That doesn't happen in zend-test.
To add to the Windows trouble, libxml is statically linked in, ext/libxml can
only be built statically but ext/zend-test can be built both statically and
dynamically.
So the regression tests won't work in all possible configurations anyway on Windows.
All of this is no problem on Linux because it just uses dynamic linking
and pkg-config, without any magic.
Signed-off-by: Ben Ramsey <ramsey@php.net>
show more ...
|
| #
855dd276 |
| 31-Jul-2023 |
Derick Rethans |
Fixed another broken merge (sorry)
|
| #
dcc42955 |
| 31-Jul-2023 |
Derick Rethans |
Fixed artifacts from merging
|
| #
c283c3ab |
| 15-Jul-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Sanitize libxml2 globals before parsing
Fixes GHSA-3qrf-m4j2-pcrr.
To parse a document with libxml2, you first need to create a parsing context.
The parsing context contains par
Sanitize libxml2 globals before parsing
Fixes GHSA-3qrf-m4j2-pcrr.
To parse a document with libxml2, you first need to create a parsing context.
The parsing context contains parsing options (e.g. XML_NOENT to substitute
entities) that the application (in this case PHP) can set.
Unfortunately, libxml2 also supports providing default set options.
For example, if you call xmlSubstituteEntitiesDefault(1) then the XML_NOENT
option will be added to the parsing options every time you create a parsing
context **even if the application never requested XML_NOENT**.
Third party extensions can override these globals, in particular the
substitute entity global. This causes entity substitution to be
unexpectedly active.
Fix it by setting the parsing options to a sane known value.
For API calls that depend on global state we introduce
PHP_LIBXML_SANITIZE_GLOBALS() and PHP_LIBXML_RESTORE_GLOBALS().
For other APIs that work directly with a context we introduce
php_libxml_sanitize_parse_ctxt_options().
show more ...
|
| #
9bcdf219 |
| 31-Mar-2023 |
Ilija Tovilo |
Resolve open_basedir paths on ini update
Closes GH-10987
|
| #
d8696f92 |
| 17-Jul-2023 |
George Peter Banyard |
[RFC] Path to Saner Increment/Decrement operators (#10358)
* Add behavioural tests for incdec operators
* Add support to ++/-- for objects castable to _IS_NUMBER
* Add str_
[RFC] Path to Saner Increment/Decrement operators (#10358)
* Add behavioural tests for incdec operators
* Add support to ++/-- for objects castable to _IS_NUMBER
* Add str_increment() function
* Add str_decrement() function
RFC: https://wiki.php.net/rfc/saner-inc-dec-operators
Co-authored-by: Ilija Tovilo <ilija.tovilo@me.com>
Co-authored-by: Arnaud Le Blanc <arnaud.lb@gmail.com>
show more ...
|
| #
7b355e8d |
| 04-Jul-2023 |
Ilija Tovilo |
Revert "Merge branch 'PHP-8.2'"
This reverts commit 45a3f178dc226b69f5d72f10285bc2ad139b2c1c, reversing
changes made to b2a54bc6af4bf645b5bb2601621c12b31bfbff0c.
|
| #
ef4f0883 |
| 04-Jul-2023 |
Ilija Tovilo |
Revert "Fix GH-9967 Add support for generating custom function, class const, and property attributes in stubs"
This reverts commit d7ab0ff0c81bf672c3d4ac73e1b2cbd158296eef.
|
| #
d7ab0ff0 |
| 03-Jul-2023 |
Máté Kocsis |
Fix GH-9967 Add support for generating custom function, class const, and property attributes in stubs
|
| #
3906bccc |
| 27-Jun-2023 |
Máté Kocsis |
Add support for typed class constants in stubs
|
| #
80e90ad7 |
| 07-Mar-2023 |
George Peter Banyard |
Add number or str ZPP macros
|
| #
b3e33be4 |
| 21-Mar-2023 |
Ilija Tovilo |
Forward shutdown exceptions to user error handlers
Fixes GH-10695
Closes GH-110905
|
