History log of /php-src/NEWS (Results 126 – 150 of 15454)
# e0b1b693 10-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix OSS-Fuzz #371445205: Heap-use-after-free in attr_free

zend_hash_get_current_key() does not return a string with incremented
refcount, so it shouldn't get released. This release caused a UAF later
when the attribute was destroyed. This wasn't noticed earlier because
object_init_with_constructor() was only ever tested with interned
strings.

Closes GH-16349.


# 1d0fbdf4 09-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16316: DOMXPath breaks when not initialized properly

Closes GH-16330.


# a1d4595d 03-Oct-2024 Christoph M. Becker

Fix calculation of aligned buffer size

As is, for requested sizes which are already aligned, we over-allocate,
so we fix this. We also fix the allocation for chunk size 1.

This issue has been reported by @kkmuffme.

Thanks to @iluuu1994 for improving the fix!

Closes GH-16161.


# 6bcba24e 02-Oct-2024 Christoph M. Becker

Fix GH-16174: Empty string is an invalid expression for phpdbg-ev

Strings may be empty, so we must not assume they are not.

Closes GH-16177.


# 1ee56bdd 08-Oct-2024 Christoph M. Becker

Fix out of bound writes to SafeArray data

Converting PHP arrays to Variants originally supported almost arbitrary
numeric arrays, possibly filling gaps with NULL values. This is broken
as of PHP 7.0.0[1] so that the SafeArray only has as many elements as
the PHP array. Thus, unless the array is a list, some elements may be
written outside of the SafeArray data.

To avoid breaking userland code after that long time, we do not restore
the original behavior, but instead only suppress the erroneous writes.

To avoid the need to split the regression test for 32bit and 64bit
Windows, we suppress the "max number 4294967295 of elements in safe
array exceeded" warning, which only occurs for 64bit versions.

[1] <https://github.com/php/php-src/commit/c865472ef0c431cf3c6ec153736881d13e8a6883>

Closes GH-16309.


# e49d732a 09-Oct-2024 Tim Düsterhus

curl: Prevent a CurlMultiHandle from holding onto a CurlHandle if `add_handle` fails (#16302)

* curl: Prevent a CurlMultiHandle from holding onto a CurlHandle if `add_handle` fails

As a user I expect `curl_multi_add_handle` to not have any effect if it returns
an error and I specifically do not expect that it would be necessary to call
`curl_multi_remove_handle`.

* NEWS


# 5c124939 08-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16292: Segmentation fault in ext/xmlreader/php_xmlreader.c:1282

3 issues:
1) RETURN_NULL() was used via the macro NODE_GET_OBJ(), but the function
returns false on failure and cannot return null according to its
stub.
2) The struct layout of the different implementors of libxml only
guarantees overlap between the node pointer and the document
reference, so accessing the std zend_object may not work.
3) DOC_GET_OBJ() wasn't using ZSTR_VAL().

Closes GH-16307.


# 6f868bd6 08-Oct-2024 Jakub Zelenka

PHP-8.3 is now for PHP-8.3.14-dev


# 7f2d1928 08-Oct-2024 Calvin Buckley

[ci skip] Update NEWS for PHP 8.4.0RC2


# d76ef137 03-Oct-2024 Ilija Tovilo

Fix various hooked object iterator issues

Fixes GH-16185
Closes GH-16281


# 6f70cd3f 07-Oct-2024 Arnaud Le Blanc

NEWS for GH-16200


# bf70d9ba 06-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16261: Reference invariant broken in mb_convert_variables()

The behaviour is weird in the sense that the reference must get
unwrapped. What ended up happening is that when destroying the old
reference the sources list was not cleaned properly. We add handling for
that. Normally we would use ZEND_TRY_ASSIGN_STRINGL but that doesn't
work here as it would keep the reference and change values through
references (see bug #26639).

Closes GH-16272.


# 71222f79 06-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16259: Soap segfault when classmap instantiation fails

Instantiation failure checks were missing.

Closes GH-16273.


# e715dd0a 05-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline

In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls the global function with name `$name` via `call_user_function`.
Note that observer writes the pointer to the previously observed frame in the last temporary of the new call frame (`*prev_observed_frame`).

The following happens:
First, we call `$test->callee`, this will be handled via a trampoline with T=2 for the two arguments. The call frame is allocated at this point. This call frame is not observed because it has `ZEND_ACC_CALL_VIA_TRAMPOLINE` set. Next we use `ZEND_CALL_TRAMPOLINE` to call the trampoline, this reuses the stack frame allocated earlier with T=2, but this time it is observed. The pointer to the previous frame is written outside of the call frame because `T` is too small (should be 3). We are now in the internal function `_ZendTestMagicCallForward::__call` where we call the global function `callee`. This will push a new call frame which will overlap `*prev_observed_frame`. This value gets overwritten by `zend_init_func_execute_data` when `EX(opline)` is set because `*prev_observed_frame` overlaps with `EX(opline)`. From now on, `*prev_observed_frame` is corrupted. When `zend_observer_fcall_end` is called this will result in reading wrong value `*prev_observed_frame` into `current_observed_frame`. This causes issues in `zend_observer_fcall_end_all` leading to the segfault we observe.

Despite functions with `ZEND_ACC_CALL_VIA_TRAMPOLINE` not being observed, the reuse of call frames causes problems when `T` is not large enough.
To fix this, we make sure to add 1 to `T` if `ZEND_OBSERVER_ENABLED` is true.

Closes GH-16252.


# befe4044 07-Oct-2024 Arnaud Le Blanc

NEWS for GH-16196


# a774704a 07-Oct-2024 Arnaud Le Blanc

NEWS for GH-16196


# df4db5c1 07-Oct-2024 Arnaud Le Blanc

NEWS for GH-16196


# 76e5d82e 02-Oct-2024 Daniel Scherzer

Fix GH-16162: No ReflectionProperty::IS_VIRTUAL

Closes GH-16166


# a2bdfeff 06-Oct-2024 David Carlier

Fix GH-16257 imagescale underflow on RGB channels.

backport of https://github.com/libgd/libgd/commit/948bb0a5c2010a24227e4b44a90e8b8aa9bda8ce

close GH-16257


# cba92bea 24-Sep-2024 Matteo Beccati

PDO_MYSQL: Properly quote binary strings

Closes GH-15949


# 5a47f270 04-Oct-2024 Jakub Zelenka

Fix GH-15395: php-fpm: zend_mm_heap corrupted with cgi-fcgi request

Closes GH-16227

Co-authored-by: David Carlier <devnexen@gmail.com>


# 8537aa68 06-Oct-2024 David Carlier

Fix GH-16267 socket_strerror overflow on argument value.

only socket_strerror provides user-supplied value to sockets_strerror
handler.

close GH-16270


# e3015de7 05-Oct-2024 David Carlier

Fix GH-16234 jewishtojd overflow on year argument.

close GH-16243


# 922b9d67 06-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16256: Assertion failure in ext/soap/php_encoding.c:460

The class map must be an associative array, not a packed array.

Closes GH-16269.


# a9dada29 05-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix Soap leaking http_msg on error

Testing all cases is not so easy to do as we would need a server that
redirects from e.g. http to https while SSL is not available.

Closes GH-16254.

