History log of /php-src/NEWS (Results 101 – 125 of 15454)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
(<<< Hide modified files)
(Show modified files >>>)
# 2bdf2f91 14-Oct-2024 Christoph M. Becker

Fix GH-16433: Large values for openssl_csr_sign() $days overflow

The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but
the `$days` parameter of `openssl_csr_sign()` a `

Fix GH-16433: Large values for openssl_csr_sign() $days overflow

The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but
the `$days` parameter of `openssl_csr_sign()` a `zend_long`. We must
avoid signed integer overflow (UB), but also must not silently truncate.
Thus we check the given `$days` for the permissible range, and bail out
otherwise.

Closes GH-16437.

show more ...


# ab595c07 13-Oct-2024 Christoph M. Becker

Fix GH-16411: gmp_export() can cause overflow

We need not only to avoid the signed overflow while calculating
`bits_per_word` (reported issue), but also the unsigned overflow when
ca

Fix GH-16411: gmp_export() can cause overflow

We need not only to avoid the signed overflow while calculating
`bits_per_word` (reported issue), but also the unsigned overflow when
calculating `count`. While the former has a fixed threshold, the
latter does not, since it also depends on the size in base 2. Thus we
use a somewhat unconventional error message.

Closes GH-16418.

show more ...


# 1d94fb86 14-Oct-2024 Arnaud Le Blanc

Fix handling of invalid iterator in zend_weakmap_iterator_get_current_key()

Fixes GH-16371
Closes GH-16436


# d613c0ed 14-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16429: Segmentation fault (access null pointer) in SoapClient

If get_iterator() fails, we should not destroy the object.
Also changes the check to a NULL check to be more defensiv

Fix GH-16429: Segmentation fault (access null pointer) in SoapClient

If get_iterator() fails, we should not destroy the object.
Also changes the check to a NULL check to be more defensive, and to
match the VM.

Closes GH-16441.

show more ...


# ec8a24f7 14-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16397: Segmentation fault when comparing FFI object (#16401)

`compare` is a required handler [1], but this handler was set to NULL.
Throw an exception when trying to compare FFI o

Fix GH-16397: Segmentation fault when comparing FFI object (#16401)

`compare` is a required handler [1], but this handler was set to NULL.
Throw an exception when trying to compare FFI objects.

[1] https://github.com/php/php-src/blob/35c8a010c6633a2a1ba7c16a0cf83affa07b819e/Zend/zend_object_handlers.h#L231C1-L231C64

Closes GH-16401.

show more ...


# b5c09b1a 08-Oct-2024 Ilija Tovilo

Fix exception in assert() callback with bail enabled

Fixes GH-16293
Closes GH-16304


# b817a4f7 14-Oct-2024 Christoph M. Becker

Fix GH-16427: Unchecked libavif return values

Prior to libavif 1.1.0, `avifAlloc()` was infallible (it called
`abort()` on OOM conditions); thus, several API functions which used
`av

Fix GH-16427: Unchecked libavif return values

Prior to libavif 1.1.0, `avifAlloc()` was infallible (it called
`abort()` on OOM conditions); thus, several API functions which used
`avifAlloc()` did not report failure. That changed as of libavif
1.0.0[1], so checking and handling failure conditions can now be done.
However, due to `avifAlloc()` being fallible as of libavif 1.1.0, this
error checking and handling is mandatory to avoid more serious issues.

[1] <https://github.com/AOMediaCodec/libavif/blob/eb02b2ec52df5c0f50b71fbc51321c5ce435aaca/CHANGELOG.md?plain=1#L273-L281>

Closes GH-16434.

show more ...


# 323c9f49 14-Oct-2024 David Carlier

[skip ci] UPGRADING/NEWS changes


# 06efe44c 13-Oct-2024 Ilija Tovilo

Skip shebang in cli-server router script

Fixes GH-16373
Closes GH-16403


# c5745f40 13-Oct-2024 Ilija Tovilo

Fix array to string conversion warning emitted in optimizer

Fixes GH-16408
Closes GH-16380


# 3843f0ec 13-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16409: Segfault in exif_thumbnail when not dealing with a real file

Closes GH-16416.


# d70b7811 12-Oct-2024 David Carlier

ext/gmp: gmp_pow fix FPE with large values.

even without sanitizers, it is reproducible but with the following

```
<?php
$g = gmp_init(256);
var_dump(gmp_pow($g, PHP_INT

ext/gmp: gmp_pow fix FPE with large values.

even without sanitizers, it is reproducible but with the following

```
<?php
$g = gmp_init(256);
var_dump(gmp_pow($g, PHP_INT_MAX));
```

we get this

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==286922==ERROR: AddressSanitizer: FPE on unknown address 0x03e8000460ca (pc 0x7faf6c69de5c bp 0x400000000000004 sp 0x7ffe9843c740 T0)
#0 0x7faf6c69de5c in __pthread_kill_implementation nptl/pthread_kill.c:44
#1 0x7faf6c649c81 in __GI_raise ../sysdeps/posix/raise.c:26
#2 0x7faf6db9386c in __gmp_exception (/lib/x86_64-linux-gnu/libgmp.so.10+0xd86c) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#3 0x7faf6db938d3 in __gmp_overflow_in_mpz (/lib/x86_64-linux-gnu/libgmp.so.10+0xd8d3) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#4 0x7faf6dbac95c in __gmpz_realloc (/lib/x86_64-linux-gnu/libgmp.so.10+0x2695c) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#5 0x7faf6dba9038 in __gmpz_n_pow_ui (/lib/x86_64-linux-gnu/libgmp.so.10+0x23038) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
#6 0x5565ae1ccd9f in zif_gmp_pow /home/dcarlier/Contribs/php-src/ext/gmp/gmp.c:1286
#7 0x5565aee96ea9 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:1312
#8 0x5565af144320 in execute_ex /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:56075
#9 0x5565af160f07 in zend_execute /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:60439
#10 0x5565aed6fafe in zend_execute_scripts /home/dcarlier/Contribs/php-src/Zend/zend.c:1842
#11 0x5565aeae70a8 in php_execute_script /home/dcarlier/Contribs/php-src/main/main.c:2578
#12 0x5565af532f4e in do_cli /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:964
#13 0x5565af535877 in main /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:1334
#14 0x7faf6c633d67 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7faf6c633e24 in __libc_start_main_impl ../csu/libc-start.c:360
#16 0x5565adc04040 in _start (/home/dcarlier/Contribs/php-src/sapi/cli/php+0x2604040) (BuildId: 949049955bdf8b7197390b1978a1dfc3ef6fdf38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE nptl/pthread_kill.c:44 in __pthread_kill_implementation
==286922==ABORTING
```

show more ...


# 84a8fea2 08-Oct-2024 David Carlier

Fix GH-16290: session cookie_lifetime ini value overflow.

close GH-16295


# d94be24f 10-Oct-2024 Christoph M. Becker

Fix GH-16326: Memory management is broken for bad dictionaries

We must not `efree()` `zend_string`s, since they may have a refcount
greater than one, and may even be interned.

W

Fix GH-16326: Memory management is broken for bad dictionaries

We must not `efree()` `zend_string`s, since they may have a refcount
greater than one, and may even be interned.

We also must not confuse `zend_string *` with `zend_string **`.

And we should play it safe by using `safe_emalloc()` to avoid
theoretical integer overflows.

We also simplify a bit, according to suggestions of @TimWolla.

Closes GH-16335.

show more ...


# 6ff4a2d7 10-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16318: Recursive array segfaults soap encoding

This adds recursion protection to the array encoders.

Closes GH-16347.


# e583890a 12-Oct-2024 David Carlier

Fix socket_recvfrom overflow on buffer size.

when passing PHP_INT_MAX for the $length param we get this (with ubsan)

`ext/sockets/sockets.c:1409:36: runtime error: signed integer ov

Fix socket_recvfrom overflow on buffer size.

when passing PHP_INT_MAX for the $length param we get this (with ubsan)

`ext/sockets/sockets.c:1409:36: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long int'`

close GH-16382

show more ...


# 549bcdb7 11-Oct-2024 Christoph M. Becker

Fix GH-16357: openssl may modify member types of certificate arrays

We must not use `try_convert_to_string()` on members of unseparated
array arguments; instead of separating, we use `zv

Fix GH-16357: openssl may modify member types of certificate arrays

We must not use `try_convert_to_string()` on members of unseparated
array arguments; instead of separating, we use `zval_try_get_string()`.

Closes GH-16370.

show more ...


# 42f87765 11-Oct-2024 David Carlier

Fix GH-16359 curl write callback crash on FCC usage w/o user function.

close GH-16362


# 3ed01d45 11-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Add missing hierarchy checks to replaceChild

You can break the hierarchy for attribute nodes, use the helper function
introduced recently [1] to fix this issue.

[1] 066d18f2

Add missing hierarchy checks to replaceChild

You can break the hierarchy for attribute nodes, use the helper function
introduced recently [1] to fix this issue.

[1] 066d18f2

Closes GH-16377.

show more ...


# a56ff4fe 10-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16337: Use-after-free in SplHeap

We introduce a new flag to indicate when a heap or priority queue is
write-locked. In principle we could've used SPL_HEAP_CORRUPTED too, but
t

Fix GH-16337: Use-after-free in SplHeap

We introduce a new flag to indicate when a heap or priority queue is
write-locked. In principle we could've used SPL_HEAP_CORRUPTED too, but
that won't be descriptive to users (and it's a lie too).

Closes GH-16346.

show more ...


# 7cdd1302 12-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16385: Unexpected null returned by session_set_cookie_params

Two issues:
1) The check happened before ZPP checks
2) The `return;` statement caused NULL to be returned while th

Fix GH-16385: Unexpected null returned by session_set_cookie_params

Two issues:
1) The check happened before ZPP checks
2) The `return;` statement caused NULL to be returned while this
function can only return booleans. An exception seems not acceptable
in stable versions, but a warning may do.

Closes GH-16386.

show more ...


# f2859a40 09-Oct-2024 David Carlier

Fix GH-16322: imageaffine overflow on affine argument.

close GH-16334


# b14076a4 09-Oct-2024 Christoph M. Becker

Fix property access of PHP objects wrapped in variant

First, we fix the long standing issue that property access throws a
`com_exception` ("0x80020003: member not found), because the `HR

Fix property access of PHP objects wrapped in variant

First, we fix the long standing issue that property access throws a
`com_exception` ("0x80020003: member not found), because the `HRESULT`
was not properly set after accessing the property.

Next, we fix an issue introduced as of PHP 7.0.0, where the string
length for write access had been properly adapted, but the string
length for read access had been overlooked.

Then we fix an issue introduced as of PHP 8.0.0, where new `HashTable`s
no longer set `nNextFreeElement` to zero, but to `ZEND_LONG_MIN`. This
doesn't work well with the `DISPID` lookup, which is a `LONG`.

Finally we fix a potential double-free due to erroneously destroying
the return value of `zend_read_property()`.

Closes GH-16331.

show more ...


# c34d4fbb 11-Oct-2024 David Carlier

Fix GH-16360 mb_substr overflow on start and length arguments.

occurs when they are negated to start working from the end instead
when set with ZEND_LONG_MIN.


# e2e2b3ab 10-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16168: php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15

The inline assembly uses labels with the prefix `.L`. On Linux systems
this is the local

Fix GH-16168: php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15

The inline assembly uses labels with the prefix `.L`. On Linux systems
this is the local label prefix. It appears that macOS uses `L` as a
local prefix, which means that the prefix used in the inline assembly is not
local for macOS systems [1].
When combined with inlining, this causes the compiler to get confused
and merge a part of the inline assembly between different functions,
causing control flow to jump from one function to another function.
This is avoided on PHP 8.2 and up by the fact that it
uses `zend_never_inline NOIPA`, but nothing guarantees that compiler
changes won't affect this as well.

To solve this issue, we instead use local labels. These will make the
compiler pick the correct prefix, preventing the issue.

Additionally, while here, we also change the computation of `delta`.
It is undefined behaviour to compute the pointer difference between
two different objects. To circumvent this, we cast first to `uintptr_t`.

This change is cleanly backportable to 8.1 for vendors to pick up.

[1] https://github.com/php/php-src/issues/16168#issuecomment-2404792553

With the help of investigation and testing of @ryandesign.

Closes GH-16348.

show more ...


12345678910>>...619