Fix GH-16314 "Pdo\Mysql object is uninitialized" when opening a persistent connection (#16369)

Fixed a bug where size_t underflows (#16696)

fixes #16262
closes #16696

Added early return case when result is 0 (#16697)

fixes #16265
closes #16697

Fix GH-16590: UAF in session_encode()

The `PS_ENCODE_LOOP` does not protect the session hash table that it
iterates over. Change it by temporarily creating a copy.

Closes GH-166

Fix GH-16590: UAF in session_encode()

The `PS_ENCODE_LOOP` does not protect the session hash table that it
iterates over. Change it by temporarily creating a copy.

Closes GH-16640.

show more ...

Fix various memory leaks on error conditions in openssl_x509_parse()

Closes GH-16690.

Add NEWS entry

Fix array going away during sorting

Fixes GH-16648
Closes GH-16654

Fix GH-16592 msg_send() crashes when the type does not serialize as expected.

It is assumed that the serialization always had initialised its buffer
zend_string, but in the case of a typ

Fix GH-16592 msg_send() crashes when the type does not serialize as expected.

It is assumed that the serialization always had initialised its buffer
zend_string, but in the case of a type not serialising, it is null.

close GH-16599

show more ...

Fix GH-16628: FPM logs are getting corrupted with this log statement

zlog_buf_prefix() can return a larger length than what actually was
written due to its use of snprintf(). The code in

Fix GH-16628: FPM logs are getting corrupted with this log statement

zlog_buf_prefix() can return a larger length than what actually was
written due to its use of snprintf(). The code in
zlog_stream_prefix_ex() does not take this into account, other callers
do. What ends up happening then is that stream->length is set to the
length as if snprintf() was able to write all bytes, causing
stream->length to become larger than stream->buf.size, causing a
segfault.

In case the buffer was too small we try with a larger buffer up to a
limit of zlog_limit. This makes sure that the stream length will remain
bounded by the buffer size.

This also adds assertions to make the programmer intent clear and catch
this more easily in debug builds.

Closes GH-16680.

show more ...

Fix GH-16601: Memory leak in Reflection constructors

Additionally fixes wrong behaviour in ReflectionParameter when you first
have a construction that uses an object and the subsequent d

Fix GH-16601: Memory leak in Reflection constructors

Additionally fixes wrong behaviour in ReflectionParameter when you first
have a construction that uses an object and the subsequent doesn't.

Closes GH-16672.

show more ...

ext/gmp: Fix segfault when null is encountered on an overloaded operator

And various other issues like inconsistent type errors

Closes GH-16015

Fix GH-14732: date_sun_info() fails for non-finite values

`timelib_astro_rise_set_altitude()` is not prepared to deal with non-
finite values (`nan`, `inf` and `-inf`) for `lon` and `lat

Fix GH-14732: date_sun_info() fails for non-finite values

`timelib_astro_rise_set_altitude()` is not prepared to deal with non-
finite values (`nan`, `inf` and `-inf`) for `lon` and `lat`; instead
these trigger undefined behavior. Thus we catch non-finite values
before even calling that timelib function; for `date_sun_info()` we
trigger `ValueError`s; for `date_sunrise()` and `date_sunset()` we
silently return `false`, since these functions will be sunsetted
anyway.

Closes GH-16497.

show more ...

Fix GH-16604: Memory leaks in SPL constructors

Closes GH-16673.

Fix GH-16450: PDO_ODBC can inject garbage into field values

A previous bug fix[1] relied on ODBC drivers to properly count down the
`StrLen_or_IndPtr` argument for consecutive calls to `

Fix GH-16450: PDO_ODBC can inject garbage into field values

A previous bug fix[1] relied on ODBC drivers to properly count down the
`StrLen_or_IndPtr` argument for consecutive calls to `SQLGetData()`.
Apparently, not all drivers handle this correctly, so we cannot assert
they do. Instead we fall back to the old behavior for drivers which
would violate the assertion.

A test against SQLServer (which we currently use in CI) would not make
sense, since the respective drivers do not exhibit that behavior.
Instead we target the regression test especially to a MS Access
database.

Since there is apparently no way to easily create an MS Access database
programmatically, we commit a minimal empty DB which is used for the
regression test, and could also be used by other test cases.

[1] <bccca0b53aa60a62e2988c750fc73c02d109e642>

Closes GH-16587.

show more ...

Add ReflectionProperty::isLazy()

Closes GH-16342

Fix assertion failure in zend_std_read_property

We asserted that Z_PROP_FLAG_P(retval) was exactly IS_PROP_UNINIT, but this is a
bit field and it may contain irrelevant bits. For instanc

Fix assertion failure in zend_std_read_property

We asserted that Z_PROP_FLAG_P(retval) was exactly IS_PROP_UNINIT, but this is a
bit field and it may contain irrelevant bits. For instance it may contain
IS_PROP_REINITABLE during clone, or IS_PROP_LAZY if the object is lazy.

Fixes GH-16615
Closes GH-16639

show more ...

Fix GH-14687 segfault on debugging a freed SplObjectIterator instance.

close GH-14711

Fix GH-16595: Another UAF in DOM -> cloneNode

We need to perform all sanity checks before doing any modification.
I don't have a reliable and easy test for this on 8.2, but I have one

Fix GH-16595: Another UAF in DOM -> cloneNode

We need to perform all sanity checks before doing any modification.
I don't have a reliable and easy test for this on 8.2, but I have one
for 8.4.

Closes GH-16598.

show more ...

Fix GH-16593: Assertion failure in DOM->replaceChild

This is already forbidden by libxml, but this condition isn't properly
checked; so the return value and lack of error makes it seem l

Fix GH-16593: Assertion failure in DOM->replaceChild

This is already forbidden by libxml, but this condition isn't properly
checked; so the return value and lack of error makes it seem like it
worked while it actually didn't. Furthermore, this can break assumptions
and assertions later on.

Closes GH-16596.

show more ...

Fix GH-16594: Assertion failure in DOM -> before

The invalid parent condition can actually happen because PHP's DOM is
allows to get children of e.g. attributes; something normally not

Fix GH-16594: Assertion failure in DOM -> before

The invalid parent condition can actually happen because PHP's DOM is
allows to get children of e.g. attributes; something normally not
possible.

Closes GH-16597.

show more ...

Fix GH-16572: Incorrect result with reflection in low-trigger JIT

When a recursive call happens with invalid arguments, the maximum valid
arguments are computed and stored in `num_args`,

Fix GH-16572: Incorrect result with reflection in low-trigger JIT

When a recursive call happens with invalid arguments, the maximum valid
arguments are computed and stored in `num_args`, but the RECV entry
block we jump to is `call_num_args` instead. This can skip argument
validation checks. Fix this by using `num_args` instead.

Closes GH-16575.

show more ...

Fix GH-16577: EG(strtod_state).freelist leaks with opcache.preload

This happens because on ZTS we execute `executor_globals_ctor` which reset the
`freelist` and `p5s` pointers, while on

Fix GH-16577: EG(strtod_state).freelist leaks with opcache.preload

This happens because on ZTS we execute `executor_globals_ctor` which reset the
`freelist` and `p5s` pointers, while on NTS we don't.
On NTS we can reuse the caches but on ZTS we can't, the easiest fix is
to call `zend_shutdown_strtod` when preloading is shut down.
This regressed in GH-13974 and therefore only exists in PHP 8.4 and
higher.

Closes GH-16602.

show more ...

Fix GH-16589: UAF in SplDoublyLinked->serialize()

Closes GH-16611.

Fix GH-16591: Assertion error in shm_put_var

Closes GH-16610.

Suggested-by: "Christoph M. Becker" <cmbecker69@gmx.de>

Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor)

Closes GH-16480
Closes GH-16604