Fix GH-16533: Segfault when adding attribute to parent that is not an element

Attributes are only valid as children of elements. This bug goes back
all the way.

Closes GH-16537.

Fix GH-16390: dba_open() can segfault for "pathless" streams

`dba_open()` accepts arbitrary stream wrapper paths, but unless no
locking (`-`) is specified, we try to determine the underl

Fix GH-16390: dba_open() can segfault for "pathless" streams

`dba_open()` accepts arbitrary stream wrapper paths, but unless no
locking (`-`) is specified, we try to determine the underlying file
path. If that fails, we need to error out.

Closes GH-16498.

show more ...

Fix GH-16501: gmp_random_bits overflow.

we do the same calculation in advance as mpz_realloc overflow check to
avoid abort.

close GH-16503

Fixed bug GH-16037 (Assertion failure in ext/date/php_date.c)

Fix GH-16454: Unhandled INF in date_sunset() with tiny $utcOffset

After normalization, `N` is supposed to be in range [0, 24], but for
very large and very small `$utcOffset` this is not

Fix GH-16454: Unhandled INF in date_sunset() with tiny $utcOffset

After normalization, `N` is supposed to be in range [0, 24], but for
very large and very small `$utcOffset` this is not necessarily the
case, since the normalization might yied `-inf` or `inf`. If that
happens, we let the function fail silently, since it is highly unlikely
that such `$utcOffset`s are passed in practice.

Closes GH-16483.

show more ...

Fix GH-16473: dom_import_simplexml stub is wrong

It's been wrong since PHP 8.0 at least, and the signature was inherited
in 8.4-dev to the new DOM methods.

Closes GH-16489.

Fix GH-16406: Assertion failure in ext/phar/phar.c:2808

When copying entries during conversion in phar_convert_to_other(), the
header offset is not reset. This didn't matter in the past

Fix GH-16406: Assertion failure in ext/phar/phar.c:2808

When copying entries during conversion in phar_convert_to_other(), the
header offset is not reset. This didn't matter in the past as it wasn't
used anyway in the particular use-case, but since 1bb2a4f9 this is
actually used and sanity-checked.

Closes GH-16470.

show more ...

Fix various document ref pointer mismanagements

- Properly handle attributes
- Fix potential NULL dereference if the intern document pointer is NULL

Fixes GH-16336.
Fixes GH

Fix various document ref pointer mismanagements

- Properly handle attributes
- Fix potential NULL dereference if the intern document pointer is NULL

Fixes GH-16336.
Fixes GH-16338.
Closes GH-16345.

show more ...

Fix uaf in SplFixedArray::unset()

Fixes GH-16478
Closes GH-16481

Fix use-after-free in SplObjectStorage::setInfo()

Fixes GH-16479
Closes GH-16482

Fix uaf in SplDoublyLinkedList::offsetSet()

Write to the new offset before calling the destructor of the previous value.

Fixes GH-16464
Closes GH-16466

Disallow asymmetric visibility on static properties

This check was forgotten in the original implementation. Relaxing this
restriction shouldn't be hard, but needs some work. We either n

Disallow asymmetric visibility on static properties

This check was forgotten in the original implementation. Relaxing this
restriction shouldn't be hard, but needs some work. We either need to prevent
merging of cache slots for R/RW/W, or we need to introduce an additional check
when writing to the property indirectly. This check is currently present only
for direct writes.

Closes GH-16462

show more ...

Fix GH-16465: Heap buffer overflow in DOMNode->getElementByTagName

If the input contains NUL bytes then the length doesn't match the actual
duplicated string's length. Note that libxml c

Fix GH-16465: Heap buffer overflow in DOMNode->getElementByTagName

If the input contains NUL bytes then the length doesn't match the actual
duplicated string's length. Note that libxml can't handle this properly
anyway so we just reject NUL bytes and too long strings.

Closes GH-16467.

show more ...

curl: Add `curl_multi_get_handles()` (#16363)

see https://curl.se/libcurl/c/curl_multi_get_handles.html

Fix GH-16433: Large values for openssl_csr_sign() $days overflow

The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but
the `$days` parameter of `openssl_csr_sign()` a `

Fix GH-16433: Large values for openssl_csr_sign() $days overflow

The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but
the `$days` parameter of `openssl_csr_sign()` a `zend_long`. We must
avoid signed integer overflow (UB), but also must not silently truncate.
Thus we check the given `$days` for the permissible range, and bail out
otherwise.

Closes GH-16437.

show more ...

Fix GH-16411: gmp_export() can cause overflow

We need not only to avoid the signed overflow while calculating
`bits_per_word` (reported issue), but also the unsigned overflow when
ca

Fix GH-16411: gmp_export() can cause overflow

We need not only to avoid the signed overflow while calculating
`bits_per_word` (reported issue), but also the unsigned overflow when
calculating `count`. While the former has a fixed threshold, the
latter does not, since it also depends on the size in base 2. Thus we
use a somewhat unconventional error message.

Closes GH-16418.

show more ...

Fix handling of invalid iterator in zend_weakmap_iterator_get_current_key()

Fixes GH-16371
Closes GH-16436

Fix GH-16429: Segmentation fault (access null pointer) in SoapClient

If get_iterator() fails, we should not destroy the object.
Also changes the check to a NULL check to be more defensiv

Fix GH-16429: Segmentation fault (access null pointer) in SoapClient

If get_iterator() fails, we should not destroy the object.
Also changes the check to a NULL check to be more defensive, and to
match the VM.

Closes GH-16441.

show more ...

Fix GH-16397: Segmentation fault when comparing FFI object (#16401)

`compare` is a required handler [1], but this handler was set to NULL.
Throw an exception when trying to compare FFI o

Fix GH-16397: Segmentation fault when comparing FFI object (#16401)

`compare` is a required handler [1], but this handler was set to NULL.
Throw an exception when trying to compare FFI objects.

[1] https://github.com/php/php-src/blob/35c8a010c6633a2a1ba7c16a0cf83affa07b819e/Zend/zend_object_handlers.h#L231C1-L231C64

Closes GH-16401.

show more ...

Fix exception in assert() callback with bail enabled

Fixes GH-16293
Closes GH-16304

Fix GH-16427: Unchecked libavif return values

Prior to libavif 1.1.0, `avifAlloc()` was infallible (it called
`abort()` on OOM conditions); thus, several API functions which used
`av

Fix GH-16427: Unchecked libavif return values

Prior to libavif 1.1.0, `avifAlloc()` was infallible (it called
`abort()` on OOM conditions); thus, several API functions which used
`avifAlloc()` did not report failure. That changed as of libavif
1.0.0[1], so checking and handling failure conditions can now be done.
However, due to `avifAlloc()` being fallible as of libavif 1.1.0, this
error checking and handling is mandatory to avoid more serious issues.

[1] <https://github.com/AOMediaCodec/libavif/blob/eb02b2ec52df5c0f50b71fbc51321c5ce435aaca/CHANGELOG.md?plain=1#L273-L281>

Closes GH-16434.

show more ...

[skip ci] UPGRADING/NEWS changes

Skip shebang in cli-server router script

Fixes GH-16373
Closes GH-16403

Fix array to string conversion warning emitted in optimizer

Fixes GH-16408
Closes GH-16380

Fix GH-16409: Segfault in exif_thumbnail when not dealing with a real file

Closes GH-16416.