History log of /PHP-8.4/NEWS (Results 76 – 100 of 14193)
Revision Date Author Comments
# d70f3ba9 16-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16465: Heap buffer overflow in DOMNode->getElementByTagName

If the input contains NUL bytes then the length doesn't match the actual
duplicated string's length. Note that libxml can't handle this properly
anyway so we just reject NUL bytes and too long strings.

Closes GH-16467.



# 2bdf2f91 14-Oct-2024 Christoph M. Becker

Fix GH-16433: Large values for openssl_csr_sign() $days overflow

The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but
the `$days` parameter of `openssl_csr_sign()` a `zend_long`. We must
avoid signed integer overflow (UB), but also must not silently truncate.
Thus we check the given `$days` for the permissible range, and bail out
otherwise.

Closes GH-16437.



# ab595c07 13-Oct-2024 Christoph M. Becker

Fix GH-16411: gmp_export() can cause overflow

We need not only to avoid the signed overflow while calculating
`bits_per_word` (reported issue), but also the unsigned overflow when
calculating `count`. While the former has a fixed threshold, the
latter does not, since it also depends on the size in base 2. Thus we
use a somewhat unconventional error message.

Closes GH-16418.



# 1d94fb86 14-Oct-2024 Arnaud Le Blanc

Fix handling of invalid iterator in zend_weakmap_iterator_get_current_key()

Fixes GH-16371
Closes GH-16436


# d613c0ed 14-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16429: Segmentation fault (access null pointer) in SoapClient

If get_iterator() fails, we should not destroy the object.
Also changes the check to a NULL check to be more defensive, and to
match the VM.

Closes GH-16441.



# ec8a24f7 14-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16397: Segmentation fault when comparing FFI object (#16401)

`compare` is a required handler [1], but this handler was set to NULL.
Throw an exception when trying to compare FFI objects.

[1] https://github.com/php/php-src/blob/35c8a010c6633a2a1ba7c16a0cf83affa07b819e/Zend/zend_object_handlers.h#L231C1-L231C64

Closes GH-16401.



# b5c09b1a 08-Oct-2024 Ilija Tovilo

Fix exception in assert() callback with bail enabled

Fixes GH-16293
Closes GH-16304


# b817a4f7 14-Oct-2024 Christoph M. Becker

Fix GH-16427: Unchecked libavif return values

Prior to libavif 1.1.0, `avifAlloc()` was infallible (it called
`abort()` on OOM conditions); thus, several API functions which used
`avifAlloc()` did not report failure. That changed as of libavif
1.0.0[1], so checking and handling failure conditions can now be done.
However, due to `avifAlloc()` being fallible as of libavif 1.1.0, this
error checking and handling is mandatory to avoid more serious issues.

[1] <https://github.com/AOMediaCodec/libavif/blob/eb02b2ec52df5c0f50b71fbc51321c5ce435aaca/CHANGELOG.md?plain=1#L273-L281>

Closes GH-16434.



# 06efe44c 13-Oct-2024 Ilija Tovilo

Skip shebang in cli-server router script

Fixes GH-16373
Closes GH-16403


# c5745f40 13-Oct-2024 Ilija Tovilo

Fix array to string conversion warning emitted in optimizer

Fixes GH-16408
Closes GH-16380


# 3843f0ec 13-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16409: Segfault in exif_thumbnail when not dealing with a real file

Closes GH-16416.


# d70b7811 12-Oct-2024 David Carlier

ext/gmp: gmp_pow fix FPE with large values.

Even without sanitizers it is reproducible, but with the following

```
<?php
$g = gmp_init(256);
var_dump(gmp_pow($g, PHP_INT_MAX));
```

we get this:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==286922==ERROR: AddressSanitizer: FPE on unknown address 0x03e8000460ca (pc 0x7faf6c69de5c bp 0x400000000000004 sp 0x7ffe9843c740 T0)
#0 0x7faf6c69de5c in __pthread_kill_implementation nptl/pthread_kill.c:44
#1 0x7faf6c649c81 in __GI_raise ../sysdeps/posix/raise.c:26
#2 0x7faf6db9386c in __gmp_exception (/lib/x86_64-linux-gnu/libgmp.so.10+0xd86c) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#3 0x7faf6db938d3 in __gmp_overflow_in_mpz (/lib/x86_64-linux-gnu/libgmp.so.10+0xd8d3) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#4 0x7faf6dbac95c in __gmpz_realloc (/lib/x86_64-linux-gnu/libgmp.so.10+0x2695c) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#5 0x7faf6dba9038 in __gmpz_n_pow_ui (/lib/x86_64-linux-gnu/libgmp.so.10+0x23038) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#6 0x5565ae1ccd9f in zif_gmp_pow /home/dcarlier/Contribs/php-src/ext/gmp/gmp.c:1286
#7 0x5565aee96ea9 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:1312
#8 0x5565af144320 in execute_ex /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:56075
#9 0x5565af160f07 in zend_execute /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:60439
#10 0x5565aed6fafe in zend_execute_scripts /home/dcarlier/Contribs/php-src/Zend/zend.c:1842
#11 0x5565aeae70a8 in php_execute_script /home/dcarlier/Contribs/php-src/main/main.c:2578
#12 0x5565af532f4e in do_cli /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:964
#13 0x5565af535877 in main /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:1334
#14 0x7faf6c633d67 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7faf6c633e24 in __libc_start_main_impl ../csu/libc-start.c:360
#16 0x5565adc04040 in _start (/home/dcarlier/Contribs/php-src/sapi/cli/php+0x2604040) (BuildId: 949049955bdf8b7197390b1978a1dfc3ef6fdf38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE nptl/pthread_kill.c:44 in __pthread_kill_implementation
==286922==ABORTING
```



# 84a8fea2 08-Oct-2024 David Carlier

Fix GH-16290: session cookie_lifetime ini value overflow.

Closes GH-16295.


# d94be24f 10-Oct-2024 Christoph M. Becker

Fix GH-16326: Memory management is broken for bad dictionaries

We must not `efree()` `zend_string`s, since they may have a refcount
greater than one, and may even be interned.

We also must not confuse `zend_string *` with `zend_string **`.

And we should play it safe by using `safe_emalloc()` to avoid
theoretical integer overflows.

We also simplify a bit, according to suggestions of @TimWolla.

Closes GH-16335.



# 6ff4a2d7 10-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16318: Recursive array segfaults soap encoding

This adds recursion protection to the array encoders.

Closes GH-16347.


# e583890a 12-Oct-2024 David Carlier

Fix socket_recvfrom overflow on buffer size.

When passing PHP_INT_MAX for the $length param we get this (with UBSan):

`ext/sockets/sockets.c:1409:36: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long int'`

Closes GH-16382.



# 549bcdb7 11-Oct-2024 Christoph M. Becker

Fix GH-16357: openssl may modify member types of certificate arrays

We must not use `try_convert_to_string()` on members of unseparated
array arguments; instead of separating, we use `zval_try_get_string()`.

Closes GH-16370.



# 42f87765 11-Oct-2024 David Carlier

Fix GH-16359 curl write callback crash on FCC usage w/o user function.

Closes GH-16362.


# 3ed01d45 11-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Add missing hierarchy checks to replaceChild

You can break the hierarchy for attribute nodes; use the helper function
introduced recently [1] to fix this issue.

[1] 066d18f2

Closes GH-16377.



# a56ff4fe 10-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16337: Use-after-free in SplHeap

We introduce a new flag to indicate when a heap or priority queue is
write-locked. In principle we could've used SPL_HEAP_CORRUPTED too, but
that won't be descriptive to users (and it's a lie too).

Closes GH-16346.



# 7cdd1302 12-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16385: Unexpected null returned by session_set_cookie_params

Two issues:
1) The check happened before ZPP checks
2) The `return;` statement caused NULL to be returned while this
function can only return booleans. An exception seems not acceptable
in stable versions, but a warning may do.

Closes GH-16386.



# f2859a40 09-Oct-2024 David Carlier

Fix GH-16322: imageaffine overflow on affine argument.

Closes GH-16334.


# c34d4fbb 11-Oct-2024 David Carlier

Fix GH-16360 mb_substr overflow on start and length arguments.

Occurs when they are negated to start working from the end instead,
when set to ZEND_LONG_MIN.


# e2e2b3ab 10-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16168: php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15

The inline assembly uses labels with the prefix `.L`. On Linux systems
this is the local label prefix. It appears that macOS uses `L` as a
local prefix, which means that the prefix used in the inline assembly is not
local for macOS systems [1].
When combined with inlining, this causes the compiler to get confused
and merge a part of the inline assembly between different functions,
causing control flow to jump from one function to another function.
This is avoided on PHP 8.2 and up by the fact that it
uses `zend_never_inline NOIPA`, but nothing guarantees that compiler
changes won't affect this as well.

To solve this issue, we instead use local labels. These will make the
compiler pick the correct prefix, preventing the issue.

Additionally, while here, we also change the computation of `delta`.
It is undefined behaviour to compute the pointer difference between
two different objects. To circumvent this, we cast first to `uintptr_t`.

This change is cleanly backportable to 8.1 for vendors to pick up.

[1] https://github.com/php/php-src/issues/16168#issuecomment-2404792553

With the help of investigation and testing of @ryandesign.

Closes GH-16348.



# e0b1b693 10-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix OSS-Fuzz #371445205: Heap-use-after-free in attr_free

zend_hash_get_current_key() does not return a string with incremented
refcount, so it shouldn't get released. This release caused a UAF later
when the attribute was destroyed. This wasn't noticed earlier because
object_init_with_constructor() was only ever tested with interned
strings.

Closes GH-16349.


