#
179ca2bf |
| 14-Nov-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16802: open_basedir bypass using curl extension

And fix a memleak while here.

Closes GH-16804.
|
#
553d79c7 |
| 14-Nov-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16799: Assertion failure at Zend/zend_vm_execute.h:7469

zend_is_callable_ex() can unfortunately emit a deprecation, and then a user error handler can throw an exception. This causes an assert failure at ZEND_VM_NEXT_OPCODE(). We fix this by checking if there's an exception after zend_is_callable_ex().

Closes GH-16803.
|
#
b8ba6f63 |
| 15-Nov-2024 |
David Carlier |
Fix GH-16812: UAF on readline_info() after readline_write_history() call. close GH-16813
|
#
cbb3b937 |
| 13-Nov-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16770: Tracing JIT type mismatch when returning UNDEF

When returning an UNDEF value, it actually becomes NULL. The following code took this into account:
https://github.com/php/php-src/blob/28344e0445bc2abae8dc5f1376aa0ff350e6d66d/ext/opcache/jit/zend_jit_trace.c#L2196-L2199
But the stack does not update the type to NULL, causing a mismatch.

Closes GH-16784.

Co-authored-by: Dmitry Stogov <dmitry@zend.com>
|
#
4124b04e |
| 13-Nov-2024 |
David Carlier |
Fix GH-16771: imagecreatefromstring overflow on invalid format. close GH-16776
|
#
b8115d6c |
| 13-Nov-2024 |
David Carlier |
Fix GH-16769: php_pcntl_set_user_signal_infos aborts when a signal is a reference. close GH-16772
|
#
a8151fc5 |
| 30-Oct-2024 |
Arnaud Le Blanc |
Fix the name of the initializer parameter of ReflectionClass::resetAsLazyGhost()

Closes GH-16758
|
#
02ee521e |
| 10-Nov-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16727: Opcache bad signal 139 crash in ZTS bookworm (frankenphp)

Reproducer: https://github.com/php/php-src/issues/16727#issuecomment-2466256317

The root cause is a data race between two different threads:

1) We allocate a lower cased name for an anonymous class here:
   https://github.com/php/php-src/blob/f97353f228e21dcc2db24d7edf08c1cb3678b0fd/Zend/zend_compile.c#L8109

2) This gets looked up as an interned string here:
   https://github.com/php/php-src/blob/f97353f228e21dcc2db24d7edf08c1cb3678b0fd/Zend/zend_compile.c#L8112
   Assuming that there are uppercase symbols in the string and therefore `lcname != name` and that `lcname` is not yet in the interned string table, the pointer value of `lcname` won't change.

3) Here we add the string into the interned string table:
   https://github.com/php/php-src/blob/f97353f228e21dcc2db24d7edf08c1cb3678b0fd/Zend/zend_compile.c#L8223
   However, in the meantime another thread could've added the string into the interned string table. This means that the following code will run, indirectly called via the `LITERAL_STR` macro, freeing `lcname`:
   https://github.com/php/php-src/blob/62e53e6f4965f37d379a3fd21f65a4210c5c86b5/ext/opcache/ZendAccelerator.c#L572-L575

4) In the reproducer we then access the freed `lcname` string here:
   https://github.com/php/php-src/blob/f97353f228e21dcc2db24d7edf08c1cb3678b0fd/Zend/zend_compile.c#L8229

This is solved in my patch by retrieving the interned string pointer and putting it in `lcname`.

Closes GH-16748.
|
#
e7891838 |
| 11-Nov-2024 |
Gina Peter Banyard |
ext/standard: Sync parameter names for fpow() to be identical to pow()

Closes GH-16751
|
#
1b379f5e |
| 06-Nov-2024 |
Gina Peter Banyard |
ext/hash: Fix GH-16711: Segfault in mhash()

Closes GH-16713
|
#
72c02229 |
| 04-Nov-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16695: phar:// tar parser and zero-length file header blocks

There are two issues:

1) There's an off-by-one in the check for the minimum file size for a tar (i.e. `>` instead of `>=`).
2) The loop in the tar parsing parses a header, and then unconditionally reads the next one. However, that doesn't necessarily exist. Instead, we remove the loop condition and check for the end of the file before reading the next header. Note that we can't use php_stream_eof as the flag may not be set yet when we're already at the end.

Closes GH-16700.
|
#
c0755463 |
| 07-Nov-2024 |
Hans Krentel (hakre) |
Fail early in *nix configuration build script

Adding two exit early safeguards in the *nix configuration build script:

1) Given the initial cd into the build tree fails (the project root), the `buildconf` script exits with non-zero status (failure).
2) Given the grep command does not exist or `configure.ac` AC_INIT [1] expectations are unmet, the buildconf script exits non-zero.

Additionally quoting the pathname to cd into and the empty CD_PATH parameter for portability, also for systems that are using a non-portable pathname [2] for the build tree.

The initial CD safeguard has been applied to the `buildconf` and four more scripts:

- build/genif.sh
- scripts/dev/credits
- scripts/dev/genfiles
- scripts/dev/makedist

Rationale:

Cd-ing into the project root should always prematurely exit w/ FAILURE as a required precondition for its invocation has not been met. This should never go unnoticed as it always requires user intervention.

Similar and more specifically to the PHP build on *nix systems, the grep command is required early to obtain the `php_extra_version` from configure.ac. Previously, if the grep command is missing (or failing due to not matching the line with the AC_INIT macro [1]), the internal dev parameter would always be zero (0) which can easily result in the situation that the configure script is not being rebuilt. This is cumbersome as the rebuild of a configure script is more likely required with checked-out dev versions under change rather than an already properly set-up build environment on a dedicated build or release system.

Missing the fact that either the grep utility is missing or the expectation of having the AC_INIT macro in configure.ac is unmet should never go unnoticed as it always requires user intervention.

[1]: https://www.gnu.org/software/autoconf/manual/autoconf-2.67/html_node/Initializing-configure.html
[2]: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_271

Closes GH-16717.
|
#
3a1a205f |
| 08-Nov-2024 |
Christoph M. Becker |
Fix GH-16723: CURLMOPT_PUSHFUNCTION issues

We copy the source handler's FCCs to those of the destination. We also fix the erroneous test assumption that the trampoline wouldn't be called.

Closes GH-16732.
|
#
994e866c |
| 03-Nov-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix memory leak in php_openssl_pkey_from_zval()

Closes GH-16691.
|
#
2f4f09f7 |
| 03-Nov-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix various memory leaks related to openssl exports

Closes GH-16692.
|
#
ac8d0e57 |
| 03-Nov-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Prevent unexpected array entry conversion when reading key

When passing an array, the key entry can get converted to a string if it is an object, but this actually modifies the original array entry. The test originally outputted:

```
array(2) {
  [0]=>
  string(...) => ...
  [1]=>
  string(0) ""
}
```

This is unexpected. Use zval_try_get_string() to prevent this behaviour.

Closes GH-16693.
|
#
73c4fa0e |
| 08-Nov-2024 |
Maximilian Bosch |
ext/soap: fix `make check` being invoked in `ext/soap`

On NixOS we run `make` & `make check` inside `ext/soap` which broke the test like this:

    001+ Fatal error: Uncaught SoapFault exception: [WSDL] SOAP-ERROR: Parsing WSDL: Couldn't load from 'ext/soap/tests/gh15711.wsdl' : failed to load "ext/soap/tests/gh15711.wsdl": No such file or directory
    002+ in /build/php-8.3.13/ext/soap/tests/gh15711.php:29
    003+ Stack trace:
    004+ #0 /build/php-8.3.13/ext/soap/tests/gh15711.php(29): SoapClient->__construct('ext/soap/tests/...', Array)
    005+ #1 {main}
    006+ thrown in /build/php-8.3.13/ext/soap/tests/gh15711.php on line 29

Fix is to make the path dependent on `__DIR__` as it's the case in other testcases including WSDLs.

Closes GH-16733.
|
#
27b4df42 |
| 08-Nov-2024 |
Jakub Zelenka |
Fix 8.4 NEWS file
|
#
065bde1e |
| 23-Oct-2024 |
Jakub Zelenka |
Fix GH-16432: PHP-FPM 8.2 SIGSEGV in fpm_get_status
|
#
e74e66e3 |
| 16-Sep-2024 |
David Carlier |
Fix oss-fuzz report triggered by GH-15712 commit.

It triggered allocation overflow which, even fixed, in turn gives memory leak on 32 bits but the allocator relies on signed integers.

close GH-15915
|
#
fde053bb |
| 05-Oct-2024 |
David Carlier |
Fix GH-16235 jdtogregorian overflow

close GH-16242
|
#
4d14325b |
| 05-Nov-2024 |
Saki Takamachi |
Added gc_handler to properly handle circular references. (#16703)

closes #16703

Co-authored-by: Christoph M. Becker <cmbecker69@gmx.de>
|
#
f5895792 |
| 05-Nov-2024 |
Pierrick Charron |
PHP-8.2 is now for PHP 8.2.27-dev
|
#
9c79ca74 |
| 05-Nov-2024 |
Eric Mann |
PHP-8.3 is now for PHP-8.3.15-dev
|
#
a94ead4b |
| 05-Nov-2024 |
Calvin Buckley |
[ci skip] Update NEWS for PHP 8.4.0RC4
|