Fix edge-case in DOM parsing decoding

There are three connected subtle issues:
1) The fast path didn't correctly handle the case where the decoder
requests more data. This caused

Fix edge-case in DOM parsing decoding

There are three connected subtle issues:
1) The fast path didn't correctly handle the case where the decoder
requests more data. This caused a bogus additional replacement
sequence to be outputted when encountering an incomplete sequence at
the edges of a buffer.
2) The finishing of decoding incorrectly assumed that the fast path
cannot be in a state where the last few bytes were an incomplete
sequence, but this is not true as shown by test 08.
3) The finishing of decoding could output bytes twice because it called
into dom_process_parse_chunk() twice without clearing the decoded
data. However, calling twice is not even necessary as the entire
buffer cannot be filled up entirely.

Closes GH-16226.

show more ...

Fix GH-16237: Segmentation fault when cloning SoapServer

Bisect points to 94ee4f9, however this only reveals the problem.
Cloning an object on a lower branch and trying to call its metho

Fix GH-16237: Segmentation fault when cloning SoapServer

Bisect points to 94ee4f9, however this only reveals the problem.
Cloning an object on a lower branch and trying to call its methods
crashes as well. Cloning the object shouldn't be possible in the first
place because there's an engine constraint that when we have a new
object handler we should also have a clone handler. This constraint is
not fulfilled here.

Closes GH-16245.

show more ...

Fix GH-16228 overflow on easter_days/easter_date year argument.

close GH-16241

Fix GH-16232: bitshift overflow on wbmp file content reading.

backport from https://github.com/libgd/libgd/commit/a8f1d5cab0cad2bca2ed88a49c3f3de8585ff19b

close GH-16239

Fix GH-16231 jdtounix overflow on argument value.

Close GH-16240

Fix GH-16187: ReflectionClass::__toString() with packed properties hash table

Closes GH-16192.

Fix GH-16137: "Deduplicate" http headers values but Set-Cookie.

Those are meant to have 1 or plus values separated by a comma even
if the client set them separately.

close GH-1

Fix GH-16137: "Deduplicate" http headers values but Set-Cookie.

Those are meant to have 1 or plus values separated by a comma even
if the client set them separately.

close GH-16154

show more ...

Fix GH-16184: UBSan address overflowed in ext/pcre/php_pcre.c

libpcre2 can return the special value -1 for a non-match.
In this case we get pointer overflow, although it doesn't matter i

Fix GH-16184: UBSan address overflowed in ext/pcre/php_pcre.c

libpcre2 can return the special value -1 for a non-match.
In this case we get pointer overflow, although it doesn't matter in
practice because the pointer will be in bounds and the copy length will
be 0. Still, we should fix the UBSAN warning.

Closes GH-16205.

show more ...

Fix bugs GH-16150 and GH-16152: intern document mismanagement

The reference counts of the internal document pointer are mismanaged.
In the case of fragments the refcount may be increased

Fix bugs GH-16150 and GH-16152: intern document mismanagement

The reference counts of the internal document pointer are mismanaged.
In the case of fragments the refcount may be increased too much, while
for other cases the document reference may not be applied to all
children.

This bug existed for a long time and this doesn't reproduce (easily)
on 8.2 due to other bugs. Furthermore 8.2 will enter security mode soon,
and this change may be too risky.

Fixes GH-16150.
Fixed GH-16152.
Closes GH-16178.

show more ...

Fix GH-16190: Using reflection to call Dom\Node::__construct causes assertion failure

Closes GH-16193.

Fix GH-16199: GREP_HEADER() is broken

This also fixes the libxml version check when the libxml/xmlversion.h
is located elsewhere than libxml2 include directory.

Closes GH-15619.

[ci skip] NEWS for GH-16055

[ci skip] NEWS for GH-15960

Fix GH-16189: underflow on preg_match/preg_match_all start_offset.

close GH-16191

Fix GH-16181: phpdbg: exit in exception handler reports fatal error

When running PHP code, we must not handle `UnwindExit` exceptions, but
rather have to ignore them.

Closes GH-

Fix GH-16181: phpdbg: exit in exception handler reports fatal error

When running PHP code, we must not handle `UnwindExit` exceptions, but
rather have to ignore them.

Closes GH-16182.

show more ...

Fix GH-15169: stack overflow when var serialization in ext/standard/var

Adding a stack check here as I consider serialization to be a more
sensitive place where erroring out with an exce

Fix GH-15169: stack overflow when var serialization in ext/standard/var

Adding a stack check here as I consider serialization to be a more
sensitive place where erroring out with an exception seems appropriate.

Closes GH-16159.

show more ...

[ci skip] NEWS for GH-16061

[ci skip] NEWS for GH-16061

[ci skip] NEWS for GH-16061

[ci skip] NEWS for GH-16025

[ci skip] NEWS for GH-16025

[ci skip] NEWS for GH-16025

[ci skip] NEWS for GH-16004

[ci skip] NEWS for GH-16026

Fix GH-16151: Assertion failure in ext/dom/parentnode/tree.c

Unfortunately, old DOM allows attributes to be used as parent nodes.
Only text nodes and entities are allowed as children for

Fix GH-16151: Assertion failure in ext/dom/parentnode/tree.c

Unfortunately, old DOM allows attributes to be used as parent nodes.
Only text nodes and entities are allowed as children for these types of
nodes, because that's the constraint DOM and libxml give us.

Closes GH-16156.

show more ...