#
a0a7361b |
| 21-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16533: Segfault when adding attribute to parent that is not an element Attributes are only valid as children of elements. This bug goes back all the way. Closes GH-16537.
|
#
d3b0efe9 |
| 18-Oct-2024 |
Christoph M. Becker |
Fix GH-16390: dba_open() can segfault for "pathless" streams `dba_open()` accepts arbitrary stream wrapper paths, but unless no locking (`-`) is specified, we try to determine the underlying file path. If that fails, we need to error out. Closes GH-16498.
|
#
9ca68e03 |
| 19-Oct-2024 |
David Carlier |
Fix GH-16501: gmp_random_bits overflow. we do the same calculation in advance as mpz_realloc overflow check to avoid abort. close GH-16503
|
#
b2b294a2 |
| 18-Oct-2024 |
Derick Rethans |
Fixed bug GH-16037 (Assertion failure in ext/date/php_date.c)
|
#
9bc34182 |
| 17-Oct-2024 |
Christoph M. Becker |
Fix GH-16454: Unhandled INF in date_sunset() with tiny $utcOffset After normalization, `N` is supposed to be in range [0, 24], but for very large and very small `$utcOffset` this is not necessarily the case, since the normalization might yield `-inf` or `inf`. If that happens, we let the function fail silently, since it is highly unlikely that such `$utcOffset`s are passed in practice. Closes GH-16483.
|
#
41af9335 |
| 17-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16473: dom_import_simplexml stub is wrong It's been wrong since PHP 8.0 at least, and the signature was inherited in 8.4-dev to the new DOM methods. Closes GH-16489.
|
#
6a8d0a05 |
| 16-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16406: Assertion failure in ext/phar/phar.c:2808 When copying entries during conversion in phar_convert_to_other(), the header offset is not reset. This didn't matter in the past as it wasn't used anyway in the particular use-case, but since 1bb2a4f9 this is actually used and sanity-checked. Closes GH-16470.
|
#
5cb38e9d |
| 10-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix various document ref pointer mismanagements - Properly handle attributes - Fix potential NULL dereference if the intern document pointer is NULL Fixes GH-16336. Fixes GH-16338. Closes GH-16345.
|
#
7fe168d8 |
| 17-Oct-2024 |
Ilija Tovilo |
Fix uaf in SplFixedArray::unset() Fixes GH-16478 Closes GH-16481
|
#
12c987fa |
| 17-Oct-2024 |
Ilija Tovilo |
Fix use-after-free in SplObjectStorage::setInfo() Fixes GH-16479 Closes GH-16482
|
#
8820a103 |
| 16-Oct-2024 |
Ilija Tovilo |
Fix uaf in SplDoublyLinkedList::offsetSet() Write to the new offset before calling the destructor of the previous value. Fixes GH-16464 Closes GH-16466
|
#
a8bbc845 |
| 16-Oct-2024 |
Ilija Tovilo |
Disallow asymmetric visibility on static properties This check was forgotten in the original implementation. Relaxing this restriction shouldn't be hard, but needs some work. We either need to prevent merging of cache slots for R/RW/W, or we need to introduce an additional check when writing to the property indirectly. This check is currently present only for direct writes. Closes GH-16462
|
#
d70f3ba9 |
| 16-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16465: Heap buffer overflow in DOMNode->getElementByTagName If the input contains NUL bytes then the length doesn't match the actual duplicated string's length. Note that libxml can't handle this properly anyway so we just reject NUL bytes and too long strings. Closes GH-16467.
|
#
cb6025cd |
| 16-Oct-2024 |
Tim Düsterhus |
curl: Add `curl_multi_get_handles()` (#16363) see https://curl.se/libcurl/c/curl_multi_get_handles.html
|
#
2bdf2f91 |
| 14-Oct-2024 |
Christoph M. Becker |
Fix GH-16433: Large values for openssl_csr_sign() $days overflow The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but the `$days` parameter of `openssl_csr_sign()` a `zend_long`. We must avoid signed integer overflow (UB), but also must not silently truncate. Thus we check the given `$days` for the permissible range, and bail out otherwise. Closes GH-16437.
|
#
ab595c07 |
| 13-Oct-2024 |
Christoph M. Becker |
Fix GH-16411: gmp_export() can cause overflow We need not only to avoid the signed overflow while calculating `bits_per_word` (reported issue), but also the unsigned overflow when calculating `count`. While the former has a fixed threshold, the latter does not, since it also depends on the size in base 2. Thus we use a somewhat unconventional error message. Closes GH-16418.
|
#
1d94fb86 |
| 14-Oct-2024 |
Arnaud Le Blanc |
Fix handling of invalid iterator in zend_weakmap_iterator_get_current_key() Fixes GH-16371 Closes GH-16436
|
#
d613c0ed |
| 14-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16429: Segmentation fault (access null pointer) in SoapClient If get_iterator() fails, we should not destroy the object. Also changes the check to a NULL check to be more defensive, and to match the VM. Closes GH-16441.
|
#
ec8a24f7 |
| 14-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16397: Segmentation fault when comparing FFI object (#16401) `compare` is a required handler [1], but this handler was set to NULL. Throw an exception when trying to compare FFI objects. [1] https://github.com/php/php-src/blob/35c8a010c6633a2a1ba7c16a0cf83affa07b819e/Zend/zend_object_handlers.h#L231C1-L231C64 Closes GH-16401.
|
#
b5c09b1a |
| 08-Oct-2024 |
Ilija Tovilo |
Fix exception in assert() callback with bail enabled Fixes GH-16293 Closes GH-16304
|
#
b817a4f7 |
| 14-Oct-2024 |
Christoph M. Becker |
Fix GH-16427: Unchecked libavif return values Prior to libavif 1.1.0, `avifAlloc()` was infallible (it called `abort()` on OOM conditions); thus, several API functions which used `avifAlloc()` did not report failure. That changed as of libavif 1.0.0[1], so checking and handling failure conditions can now be done. However, due to `avifAlloc()` being fallible as of libavif 1.1.0, this error checking and handling is mandatory to avoid more serious issues. [1] <https://github.com/AOMediaCodec/libavif/blob/eb02b2ec52df5c0f50b71fbc51321c5ce435aaca/CHANGELOG.md?plain=1#L273-L281> Closes GH-16434.
|
#
323c9f49 |
| 14-Oct-2024 |
David Carlier |
[skip ci] UPGRADING/NEWS changes
|
#
06efe44c |
| 13-Oct-2024 |
Ilija Tovilo |
Skip shebang in cli-server router script Fixes GH-16373 Closes GH-16403
|
#
c5745f40 |
| 13-Oct-2024 |
Ilija Tovilo |
Fix array to string conversion warning emitted in optimizer Fixes GH-16408 Closes GH-16380
|
#
3843f0ec |
| 13-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16409: Segfault in exif_thumbnail when not dealing with a real file Closes GH-16416.
|