e0b1b693 | 10-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
    Fix OSS-Fuzz #371445205: Heap-use-after-free in attr_free
    zend_hash_get_current_key() does not return a string with incremented refcount, so it shouldn't get released. This release caused a UAF later when the attribute was destroyed. This wasn't noticed earlier because object_init_with_constructor() was only ever tested with interned strings. Closes GH-16349.

1d0fbdf4 | 09-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
    Fix GH-16316: DOMXPath breaks when not initialized properly
    Closes GH-16330.

a1d4595d | 03-Oct-2024 | Christoph M. Becker
    Fix calculation of aligned buffer size
    As is, for requested sizes which are already aligned, we over-allocate, so we fix this. We also fix the allocation for chunk size 1. This issue has been reported by @kkmuffme. Thanks to @iluuu1994 for improving the fix! Closes GH-16161.

6bcba24e | 02-Oct-2024 | Christoph M. Becker
    Fix GH-16174: Empty string is an invalid expression for phpdbg-ev
    Strings may be empty, so we must not assume they are not. Closes GH-16177.

1ee56bdd | 08-Oct-2024 | Christoph M. Becker
    Fix out of bound writes to SafeArray data
    Converting PHP arrays to Variants originally supported almost arbitrary numeric arrays, possibly filling gaps with NULL values. This is broken as of PHP 7.0.0[1] so that the SafeArray only has as many elements as the PHP array. Thus, unless the array is a list, some elements may be written outside of the SafeArray data. To avoid breaking userland code after that long time, we do not restore the original behavior, but instead only suppress the erroneous writes. To avoid the need to split the regression test for 32bit and 64bit Windows, we suppress the "max number 4294967295 of elements in safe array exceeded" warning, which only occurs for 64bit versions.
    [1] <https://github.com/php/php-src/commit/c865472ef0c431cf3c6ec153736881d13e8a6883>
    Closes GH-16309.

e49d732a | 09-Oct-2024 | Tim Düsterhus
    curl: Prevent a CurlMultiHandle from holding onto a CurlHandle if `add_handle` fails (#16302)
    * curl: Prevent a CurlMultiHandle from holding onto a CurlHandle if `add_handle` fails. As a user I expect `curl_multi_add_handle` to not have any effect if it returns an error and I specifically do not expect that it would be necessary to call `curl_multi_remove_handle`.
    * NEWS

5c124939 | 08-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
    Fix GH-16292: Segmentation fault in ext/xmlreader/php_xmlreader.c:1282
    3 issues: 1) RETURN_NULL() was used via the macro NODE_GET_OBJ(), but the function returns false on failure and cannot return null according to its stub. 2) The struct layout of the different implementors of libxml only guarantees overlap between the node pointer and the document reference, so accessing the std zend_object may not work. 3) DOC_GET_OBJ() wasn't using ZSTR_VAL(). Closes GH-16307.

6f868bd6 | 08-Oct-2024 | Jakub Zelenka
    PHP-8.3 is now for PHP-8.3.14-dev

7f2d1928 | 08-Oct-2024 | Calvin Buckley
    [ci skip] Update NEWS for PHP 8.4.0RC2

d76ef137 | 03-Oct-2024 | Ilija Tovilo
    Fix various hooked object iterator issues
    Fixes GH-16185. Closes GH-16281.

6f70cd3f | 07-Oct-2024 | Arnaud Le Blanc
    NEWS for GH-16200

bf70d9ba | 06-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
    Fix GH-16261: Reference invariant broken in mb_convert_variables()
    The behaviour is weird in the sense that the reference must get unwrapped. What ended up happening is that when destroying the old reference the sources list was not cleaned properly. We add handling for that. Normally we would use ZEND_TRY_ASSIGN_STRINGL but that doesn't work here as it would keep the reference and change values through references (see bug #26639). Closes GH-16272.

71222f79 | 06-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
    Fix GH-16259: Soap segfault when classmap instantiation fails
    Instantiation failure checks were missing. Closes GH-16273.

e715dd0a | 05-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
    Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline
    In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls the global function with name `$name` via `call_user_function`. Note that observer writes the pointer to the previously observed frame in the last temporary of the new call frame (`*prev_observed_frame`). The following happens: First, we call `$test->callee`, this will be handled via a trampoline with T=2 for the two arguments. The call frame is allocated at this point. This call frame is not observed because it has `ZEND_ACC_CALL_VIA_TRAMPOLINE` set. Next we use `ZEND_CALL_TRAMPOLINE` to call the trampoline, this reuses the stack frame allocated earlier with T=2, but this time it is observed. The pointer to the previous frame is written outside of the call frame because `T` is too small (should be 3). We are now in the internal function `_ZendTestMagicCallForward::__call` where we call the global function `callee`. This will push a new call frame which will overlap `*prev_observed_frame`. This value gets overwritten by `zend_init_func_execute_data` when `EX(opline)` is set because `*prev_observed_frame` overlaps with `EX(opline)`. From now on, `*prev_observed_frame` is corrupted. When `zend_observer_fcall_end` is called this will result in reading the wrong value `*prev_observed_frame` into `current_observed_frame`. This causes issues in `zend_observer_fcall_end_all` leading to the segfault we observe. Despite functions with `ZEND_ACC_CALL_VIA_TRAMPOLINE` not being observed, the reuse of call frames makes problems when `T` is not large enough. To fix this, we make sure to add 1 to `T` if `ZEND_OBSERVER_ENABLED` is true. Closes GH-16252.

befe4044 | 07-Oct-2024 | Arnaud Le Blanc
    NEWS for GH-16196

a774704a | 07-Oct-2024 | Arnaud Le Blanc
    NEWS for GH-16196

df4db5c1 | 07-Oct-2024 | Arnaud Le Blanc
    NEWS for GH-16196

76e5d82e | 02-Oct-2024 | Daniel Scherzer
    Fix GH-16162: No ReflectionProperty::IS_VIRTUAL
    Closes GH-16166.

a2bdfeff | 06-Oct-2024 | David Carlier
    Fix GH-16257 imagescale underflow on RGB channels.
    Backport of https://github.com/libgd/libgd/commit/948bb0a5c2010a24227e4b44a90e8b8aa9bda8ce. Close GH-16257.

cba92bea | 24-Sep-2024 | Matteo Beccati
    PDO_MYSQL: Properly quote binary strings
    Closes GH-15949.

5a47f270 | 04-Oct-2024 | Jakub Zelenka
    Fix GH-15395: php-fpm: zend_mm_heap corrupted with cgi-fcgi request
    Closes GH-16227. Co-authored-by: David Carlier <devnexen@gmail.com>

8537aa68 | 06-Oct-2024 | David Carlier
    Fix GH-16267 socket_strerror overflow on argument value.
    Only socket_strerror provides a user-supplied value to the sockets_strerror handler. Close GH-16270.

e3015de7 | 05-Oct-2024 | David Carlier
    Fix GH-16234 jewishtojd overflow on year argument.
    Close GH-16243.

922b9d67 | 06-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
    Fix GH-16256: Assertion failure in ext/soap/php_encoding.c:460
    The class map must be an associative array, not a packed array. Closes GH-16269.

a9dada29 | 05-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
    Fix Soap leaking http_msg on error
    Testing all cases is not so easy to do as we would need a server that redirects from e.g. http to https while SSL is not available. Closes GH-16254.
