#
2bdf2f91 |
| 14-Oct-2024 |
Christoph M. Becker |
Fix GH-16433: Large values for openssl_csr_sign() $days overflow The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but the `$days` parameter of `openssl_csr_sign()` a `
Fix GH-16433: Large values for openssl_csr_sign() $days overflow The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but the `$days` parameter of `openssl_csr_sign()` a `zend_long`. We must avoid signed integer overflow (UB), but also must not silently truncate. Thus we check the given `$days` for the permissible range, and bail out otherwise. Closes GH-16437.
show more ...
|
#
ab595c07 |
| 13-Oct-2024 |
Christoph M. Becker |
Fix GH-16411: gmp_export() can cause overflow We need not only to avoid the signed overflow while calculating `bits_per_word` (reported issue), but also the unsigned overflow when ca
Fix GH-16411: gmp_export() can cause overflow We need not only to avoid the signed overflow while calculating `bits_per_word` (reported issue), but also the unsigned overflow when calculating `count`. While the former has a fixed threshold, the latter does not, since it also depends on the size in base 2. Thus we use a somewhat unconventional error message. Closes GH-16418.
show more ...
|
#
1d94fb86 |
| 14-Oct-2024 |
Arnaud Le Blanc |
Fix handling of invalid iterator in zend_weakmap_iterator_get_current_key() Fixes GH-16371 Closes GH-16436
|
#
d613c0ed |
| 14-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16429: Segmentation fault (access null pointer) in SoapClient If get_iterator() fails, we should not destroy the object. Also changes the check to a NULL check to be more defensiv
Fix GH-16429: Segmentation fault (access null pointer) in SoapClient If get_iterator() fails, we should not destroy the object. Also changes the check to a NULL check to be more defensive, and to match the VM. Closes GH-16441.
show more ...
|
#
ec8a24f7 |
| 14-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16397: Segmentation fault when comparing FFI object (#16401) `compare` is a required handler [1], but this handler was set to NULL. Throw an exception when trying to compare FFI o
Fix GH-16397: Segmentation fault when comparing FFI object (#16401) `compare` is a required handler [1], but this handler was set to NULL. Throw an exception when trying to compare FFI objects. [1] https://github.com/php/php-src/blob/35c8a010c6633a2a1ba7c16a0cf83affa07b819e/Zend/zend_object_handlers.h#L231C1-L231C64 Closes GH-16401.
show more ...
|
#
b5c09b1a |
| 08-Oct-2024 |
Ilija Tovilo |
Fix exception in assert() callback with bail enabled Fixes GH-16293 Closes GH-16304
|
#
b817a4f7 |
| 14-Oct-2024 |
Christoph M. Becker |
Fix GH-16427: Unchecked libavif return values Prior to libavif 1.1.0, `avifAlloc()` was infallible (it called `abort()` on OOM conditions); thus, several API functions which used `av
Fix GH-16427: Unchecked libavif return values Prior to libavif 1.1.0, `avifAlloc()` was infallible (it called `abort()` on OOM conditions); thus, several API functions which used `avifAlloc()` did not report failure. That changed as of libavif 1.0.0[1], so checking and handling failure conditions can now be done. However, due to `avifAlloc()` being fallible as of libavif 1.1.0, this error checking and handling is mandatory to avoid more serious issues. [1] <https://github.com/AOMediaCodec/libavif/blob/eb02b2ec52df5c0f50b71fbc51321c5ce435aaca/CHANGELOG.md?plain=1#L273-L281> Closes GH-16434.
show more ...
|
#
323c9f49 |
| 14-Oct-2024 |
David Carlier |
[skip ci] UPGRADING/NEWS changes
|
#
06efe44c |
| 13-Oct-2024 |
Ilija Tovilo |
Skip shebang in cli-server router script Fixes GH-16373 Closes GH-16403
|
#
c5745f40 |
| 13-Oct-2024 |
Ilija Tovilo |
Fix array to string conversion warning emitted in optimizer Fixes GH-16408 Closes GH-16380
|
#
3843f0ec |
| 13-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16409: Segfault in exif_thumbnail when not dealing with a real file Closes GH-16416.
|
#
d70b7811 |
| 12-Oct-2024 |
David Carlier |
ext/gmp: gmp_pow fix FPE with large values. even without sanitizers, it is reproducible but with the following ``` <?php $g = gmp_init(256); var_dump(gmp_pow($g, PHP_INT
ext/gmp: gmp_pow fix FPE with large values. even without sanitizers, it is reproducible but with the following ``` <?php $g = gmp_init(256); var_dump(gmp_pow($g, PHP_INT_MAX)); ``` we get this ``` AddressSanitizer:DEADLYSIGNAL ================================================================= ==286922==ERROR: AddressSanitizer: FPE on unknown address 0x03e8000460ca (pc 0x7faf6c69de5c bp 0x400000000000004 sp 0x7ffe9843c740 T0) #0 0x7faf6c69de5c in __pthread_kill_implementation nptl/pthread_kill.c:44 #1 0x7faf6c649c81 in __GI_raise ../sysdeps/posix/raise.c:26 #2 0x7faf6db9386c in __gmp_exception (/lib/x86_64-linux-gnu/libgmp.so.10+0xd86c) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38) #3 0x7faf6db938d3 in __gmp_overflow_in_mpz (/lib/x86_64-linux-gnu/libgmp.so.10+0xd8d3) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38) #4 0x7faf6dbac95c in __gmpz_realloc (/lib/x86_64-linux-gnu/libgmp.so.10+0x2695c) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38) #5 0x7faf6dba9038 in __gmpz_n_pow_ui (/lib/x86_64-linux-gnu/libgmp.so.10+0x23038) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38) #6 0x5565ae1ccd9f in zif_gmp_pow /home/dcarlier/Contribs/php-src/ext/gmp/gmp.c:1286 #7 0x5565aee96ea9 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:1312 #8 0x5565af144320 in execute_ex /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:56075 #9 0x5565af160f07 in zend_execute /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:60439 #10 0x5565aed6fafe in zend_execute_scripts /home/dcarlier/Contribs/php-src/Zend/zend.c:1842 #11 0x5565aeae70a8 in php_execute_script /home/dcarlier/Contribs/php-src/main/main.c:2578 #12 0x5565af532f4e in do_cli /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:964 #13 0x5565af535877 in main /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:1334 #14 0x7faf6c633d67 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #15 0x7faf6c633e24 in __libc_start_main_impl ../csu/libc-start.c:360 #16 0x5565adc04040 in _start (/home/dcarlier/Contribs/php-src/sapi/cli/php+0x2604040) (BuildId: 949049955bdf8b7197390b1978a1dfc3ef6fdf38) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: FPE nptl/pthread_kill.c:44 in __pthread_kill_implementation ==286922==ABORTING ```
show more ...
|
#
84a8fea2 |
| 08-Oct-2024 |
David Carlier |
Fix GH-16290: session cookie_lifetime ini value overflow. close GH-16295
|
#
d94be24f |
| 10-Oct-2024 |
Christoph M. Becker |
Fix GH-16326: Memory management is broken for bad dictionaries We must not `efree()` `zend_string`s, since they may have a refcount greater than one, and may even be interned. W
Fix GH-16326: Memory management is broken for bad dictionaries We must not `efree()` `zend_string`s, since they may have a refcount greater than one, and may even be interned. We also must not confuse `zend_string *` with `zend_string **`. And we should play it safe by using `safe_emalloc()` to avoid theoretical integer overflows. We also simplify a bit, according to suggestions of @TimWolla. Closes GH-16335.
show more ...
|
#
6ff4a2d7 |
| 10-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16318: Recursive array segfaults soap encoding This adds recursion protection to the array encoders. Closes GH-16347.
|
#
e583890a |
| 12-Oct-2024 |
David Carlier |
Fix socket_recvfrom overflow on buffer size. when passing PHP_INT_MAX for the $length param we get this (with ubsan) `ext/sockets/sockets.c:1409:36: runtime error: signed integer ov
Fix socket_recvfrom overflow on buffer size. when passing PHP_INT_MAX for the $length param we get this (with ubsan) `ext/sockets/sockets.c:1409:36: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long int'` close GH-16382
show more ...
|
#
549bcdb7 |
| 11-Oct-2024 |
Christoph M. Becker |
Fix GH-16357: openssl may modify member types of certificate arrays We must not use `try_convert_to_string()` on members of unseparated array arguments; instead of separating, we use `zv
Fix GH-16357: openssl may modify member types of certificate arrays We must not use `try_convert_to_string()` on members of unseparated array arguments; instead of separating, we use `zval_try_get_string()`. Closes GH-16370.
show more ...
|
#
42f87765 |
| 11-Oct-2024 |
David Carlier |
Fix GH-16359 curl write callback crash on FCC usage w/o user function. close GH-16362
|
#
3ed01d45 |
| 11-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Add missing hierarchy checks to replaceChild You can break the hierarchy for attribute nodes, use the helper function introduced recently [1] to fix this issue. [1] 066d18f2
Add missing hierarchy checks to replaceChild You can break the hierarchy for attribute nodes, use the helper function introduced recently [1] to fix this issue. [1] 066d18f2 Closes GH-16377.
show more ...
|
#
a56ff4fe |
| 10-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16337: Use-after-free in SplHeap We introduce a new flag to indicate when a heap or priority queue is write-locked. In principle we could've used SPL_HEAP_CORRUPTED too, but t
Fix GH-16337: Use-after-free in SplHeap We introduce a new flag to indicate when a heap or priority queue is write-locked. In principle we could've used SPL_HEAP_CORRUPTED too, but that won't be descriptive to users (and it's a lie too). Closes GH-16346.
show more ...
|
#
7cdd1302 |
| 12-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16385: Unexpected null returned by session_set_cookie_params Two issues: 1) The check happened before ZPP checks 2) The `return;` statement caused NULL to be returned while th
Fix GH-16385: Unexpected null returned by session_set_cookie_params Two issues: 1) The check happened before ZPP checks 2) The `return;` statement caused NULL to be returned while this function can only return booleans. An exception seems not acceptable in stable versions, but a warning may do. Closes GH-16386.
show more ...
|
#
f2859a40 |
| 09-Oct-2024 |
David Carlier |
Fix GH-16322: imageaffine overflow on affine argument. close GH-16334
|
#
b14076a4 |
| 09-Oct-2024 |
Christoph M. Becker |
Fix property access of PHP objects wrapped in variant First, we fix the long standing issue that property access throws a `com_exception` ("0x80020003: member not found), because the `HR
Fix property access of PHP objects wrapped in variant First, we fix the long standing issue that property access throws a `com_exception` ("0x80020003: member not found), because the `HRESULT` was not properly set after accessing the property. Next, we fix an issue introduced as of PHP 7.0.0, where the string length for write access had been properly adapted, but the string length for read access had been overlooked. Then we fix an issue introduced as of PHP 8.0.0, where new `HashTable`s no longer set `nNextFreeElement` to zero, but to `ZEND_LONG_MIN`. This doesn't work well with the `DISPID` lookup, which is a `LONG`. Finally we fix a potential double-free due to erroneously destroying the return value of `zend_read_property()`. Closes GH-16331.
show more ...
|
#
c34d4fbb |
| 11-Oct-2024 |
David Carlier |
Fix GH-16360 mb_substr overflow on start and length arguments. occurs when they are negated to start working from the end instead when set with ZEND_LONG_MIN.
|
#
e2e2b3ab |
| 10-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16168: php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15 The inline assembly uses labels with the prefix `.L`. On Linux systems this is the local
Fix GH-16168: php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15 The inline assembly uses labels with the prefix `.L`. On Linux systems this is the local label prefix. It appears that macOS uses `L` as a local prefix, which means that the prefix used in the inline assembly is not local for macOS systems [1]. When combined with inlining, this causes the compiler to get confused and merge a part of the inline assembly between different functions, causing control flow to jump from one function to another function. This is avoided on PHP 8.2 and up by the fact that it uses `zend_never_inline NOIPA`, but nothing guarantees that compiler changes won't affect this as well. To solve this issue, we instead use local labels. These will make the compiler pick the correct prefix, preventing the issue. Additionally, while here, we also change the computation of `delta`. It is undefined behaviour to compute the pointer difference between two different objects. To circumvent this, we cast first to `uintptr_t`. This change is cleanly backportable to 8.1 for vendors to pick up. [1] https://github.com/php/php-src/issues/16168#issuecomment-2404792553 With the help of investigation and testing of @ryandesign. Closes GH-16348.
show more ...
|