Fix OSS-Fuzz #371445205: Heap-use-after-free in attr_free

zend_hash_get_current_key() does not return a string with incremented
refcount, so it shouldn't get released. This release cause

Fix OSS-Fuzz #371445205: Heap-use-after-free in attr_free

zend_hash_get_current_key() does not return a string with incremented
refcount, so it shouldn't get released. This release caused a UAF later
when the attribute was destroyed. This wasn't noticed earlier because
object_init_with_constructor() was only ever tested with interned
strings.

Closes GH-16349.

show more ...

Fix GH-16316: DOMXPath breaks when not initialized properly

Closes GH-16330.

Fix calculation of aligned buffer size

As is, for requested size which are already aligned, we over-allocate,
so we fix this. We also fix the allocation for chunk size 1.

This

Fix calculation of aligned buffer size

As is, for requested size which are already aligned, we over-allocate,
so we fix this. We also fix the allocation for chunk size 1.

This issue has been reported by @kkmuffme.

Thanks to @iluuu1994 for improving the fix!

Closes GH-16161.

show more ...

Fix GH-16174: Empty string is an invalid expression for phpdbg-ev

Strings may be empty, so we must not assume they are not.

Closes GH-16177.

Fix out of bound writes to SafeArray data

Converting PHP arrays to Variants originally supported almost arbitrary
numeric arrays, possibly filling gaps with NULL values. This is broken

Fix out of bound writes to SafeArray data

Converting PHP arrays to Variants originally supported almost arbitrary
numeric arrays, possibly filling gaps with NULL values. This is broken
as of PHP 7.0.0[1] so that the SafeArray only has as many elements as
the PHP array. Thus, unless the array is a list, some elements may be
written outside of the SafeArray data.

To avoid breaking userland code after that long time, we do not restore
the original behavior, but instead only suppress the erroneous writes.

To avoid the need to split the regression test for 32bit and 64bit
Windows, we suppress the "max number 4294967295 of elements in safe
array exceeded" warning, which only occurs for 64bit versions.

[1] <https://github.com/php/php-src/commit/c865472ef0c431cf3c6ec153736881d13e8a6883>

Closes GH-16309.

show more ...

curl: Prevent a CurlMultiHandle from holding onto a CurlHandle if `add_handle` fails (#16302)

* curl: Prevent a CurlMultiHandle from holding onto a CurlHandle if `add_handle` fails

curl: Prevent a CurlMultiHandle from holding onto a CurlHandle if `add_handle` fails (#16302)

* curl: Prevent a CurlMultiHandle from holding onto a CurlHandle if `add_handle` fails

As a user I expect `curl_multi_add_handle` to not have any effect if it returns
an error and I specifically do not expect that it would be necessary to call
`curl_multi_remove_handle`.

* NEWS

show more ...

Fix GH-16292: Segmentation fault in ext/xmlreader/php_xmlreader.c:1282

3 issues:
1) RETURN_NULL() was used via the macro NODE_GET_OBJ(), but the function
returns false on failure

Fix GH-16292: Segmentation fault in ext/xmlreader/php_xmlreader.c:1282

3 issues:
1) RETURN_NULL() was used via the macro NODE_GET_OBJ(), but the function
returns false on failure and cannot return null according to its
stub.
2) The struct layout of the different implementors of libxml only
guarantees overlap between the node pointer and the document
reference, so accessing the std zend_object may not work.
3) DOC_GET_OBJ() wasn't using ZSTR_VAL().

Closes GH-16307.

show more ...

PHP-8.3 is now for PHP-8.3.14-dev

[ci skip] Update NEWS for PHP 8.4.0RC2

Fix various hooked object iterator issues

Fixes GH-16185
Closes GH-16281

NEWS for GH-16200

Fix GH-16261: Reference invariant broken in mb_convert_variables()

The behaviour is weird in the sense that the reference must get
unwrapped. What ended up happening is that when destroy

Fix GH-16261: Reference invariant broken in mb_convert_variables()

The behaviour is weird in the sense that the reference must get
unwrapped. What ended up happening is that when destroying the old
reference the sources list was not cleaned properly. We add handling for
that. Normally we would use use ZEND_TRY_ASSIGN_STRINGL but that doesn't
work here as it would keep the reference and change values through
references (see bug #26639).

Closes GH-16272.

show more ...

Fix GH-16259: Soap segfault when classmap instantiation fails

Instantiation failure checks were missing.

Closes GH-16273.

Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline

In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls

Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline

In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls the global function with name `$name` via `call_user_function`.
Note that observer writes the pointer to the previously observed frame in the last temporary of the new call frame (`*prev_observed_frame`).

The following happens:
First, we call `$test->callee`, this will be handled via a trampoline with T=2 for the two arguments. The call frame is allocated at this point. This call frame is not observed because it has `ZEND_ACC_CALL_VIA_TRAMPOLINE` set. Next we use `ZEND_CALL_TRAMPOLINE` to call the trampoline, this reuses the stack frame allocated earlier with T=2, but this time it is observed. The pointer to the previous frame is written outside of the call frame because `T` is too small (should be 3). We are now in the internal function `_ZendTestMagicCallForward::__call` where we call the global function `callee`. This will push a new call frame which will overlap `*prev_observed_frame`. This value gets overwritten by `zend_init_func_execute_data` when `EX(opline)` is set because `*prev_observed_frame` overlaps with `EX(opline)`. From now on, `*prev_observed_frame` is corrupted. When `zend_observer_fcall_end` is called this will result in reading wrong value `*prev_observed_frame` into `current_observed_frame`. This causes issues in `zend_observer_fcall_end_all` leading to the segfault we observe.

Despite function with `ZEND_ACC_CALL_VIA_TRAMPOLINE` not being observed, the reuse of call frames makes problems when `T` is not large enough.
To fix this, we make sure to add 1 to `T` if `ZEND_OBSERVER_ENABLED` is true.

Closes GH-16252.

show more ...

NEWS for GH-16196

NEWS for GH-16196

NEWS for GH-16196

Fix GH-16162: No ReflectionProperty::IS_VIRTUAL

Closes GH-16166

Fix GH-16257 imagescale underflow on RGB channels.

backport of https://github.com/libgd/libgd/commit/948bb0a5c2010a24227e4b44a90e8b8aa9bda8ce

close GH-16257

PDO_MYSQL: Properly quote binary strings

Closes GH-15949

Fix GH-15395: php-fpm: zend_mm_heap corrupted with cgi-fcgi request

Closes GH-16227

Co-authored-by: David Carlier <devnexen@gmail.com>

Fix GH-16267 socket_strerror overflow on argument value.

only socket_strerror provides user-supplied value to sockets_strerror
handler.

close GH-16270

Fix GH-16234 jewishtojd overflow on year argument.

close GH-16243

Fix GH-16256: Assertion failure in ext/soap/php_encoding.c:460

The class map must be an associative array, not a packed array.

Closes GH-16269.

Fix Soap leaking http_msg on error

Testing all cases is not so easy to do as we would need a server that
redirects from e.g. http to https while SSL is not available.

Closes GH-

Fix Soap leaking http_msg on error

Testing all cases is not so easy to do as we would need a server that
redirects from e.g. http to https while SSL is not available.

Closes GH-16254.

show more ...