History log of /php-src/NEWS (Results 26 – 50 of 15393)
# a0a7361b 21-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16533: Segfault when adding attribute to parent that is not an element

Attributes are only valid as children of elements. This bug goes back
all the way.

Closes GH-16537.


# d3b0efe9 18-Oct-2024 Christoph M. Becker

Fix GH-16390: dba_open() can segfault for "pathless" streams

`dba_open()` accepts arbitrary stream wrapper paths, but unless no
locking (`-`) is specified, we try to determine the underlying file
path. If that fails, we need to error out.

Closes GH-16498.


# 9ca68e03 19-Oct-2024 David Carlier

Fix GH-16501: gmp_random_bits overflow.

we do the same calculation in advance as mpz_realloc overflow check to
avoid abort.

close GH-16503


# b2b294a2 18-Oct-2024 Derick Rethans

Fixed bug GH-16037 (Assertion failure in ext/date/php_date.c)


# 9bc34182 17-Oct-2024 Christoph M. Becker

Fix GH-16454: Unhandled INF in date_sunset() with tiny $utcOffset

After normalization, `N` is supposed to be in range [0, 24], but for
very large and very small `$utcOffset` this is not necessarily the
case, since the normalization might yield `-inf` or `inf`. If that
happens, we let the function fail silently, since it is highly unlikely
that such `$utcOffset`s are passed in practice.

Closes GH-16483.


# 41af9335 17-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16473: dom_import_simplexml stub is wrong

It's been wrong since PHP 8.0 at least, and the signature was inherited
in 8.4-dev to the new DOM methods.

Closes GH-16489.


# 6a8d0a05 16-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16406: Assertion failure in ext/phar/phar.c:2808

When copying entries during conversion in phar_convert_to_other(), the
header offset is not reset. This didn't matter in the past as it wasn't
used anyway in the particular use-case, but since 1bb2a4f9 this is
actually used and sanity-checked.

Closes GH-16470.


# 5cb38e9d 10-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix various document ref pointer mismanagements

- Properly handle attributes
- Fix potential NULL dereference if the intern document pointer is NULL

Fixes GH-16336.
Fixes GH-16338.
Closes GH-16345.


# 7fe168d8 17-Oct-2024 Ilija Tovilo

Fix uaf in SplFixedArray::unset()

Fixes GH-16478
Closes GH-16481


# 12c987fa 17-Oct-2024 Ilija Tovilo

Fix use-after-free in SplObjectStorage::setInfo()

Fixes GH-16479
Closes GH-16482


# 8820a103 16-Oct-2024 Ilija Tovilo

Fix uaf in SplDoublyLinkedList::offsetSet()

Write to the new offset before calling the destructor of the previous value.

Fixes GH-16464
Closes GH-16466


# a8bbc845 16-Oct-2024 Ilija Tovilo

Disallow asymmetric visibility on static properties

This check was forgotten in the original implementation. Relaxing this
restriction shouldn't be hard, but needs some work. We either need to prevent
merging of cache slots for R/RW/W, or we need to introduce an additional check
when writing to the property indirectly. This check is currently present only
for direct writes.

Closes GH-16462


# d70f3ba9 16-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16465: Heap buffer overflow in DOMNode->getElementByTagName

If the input contains NUL bytes then the length doesn't match the actual
duplicated string's length. Note that libxml can't handle this properly
anyway so we just reject NUL bytes and too long strings.

Closes GH-16467.


# cb6025cd 16-Oct-2024 Tim Düsterhus

curl: Add `curl_multi_get_handles()` (#16363)

see https://curl.se/libcurl/c/curl_multi_get_handles.html


# 2bdf2f91 14-Oct-2024 Christoph M. Becker

Fix GH-16433: Large values for openssl_csr_sign() $days overflow

The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but
the `$days` parameter of `openssl_csr_sign()` a `zend_long`. We must
avoid signed integer overflow (UB), but also must not silently truncate.
Thus we check the given `$days` for the permissible range, and bail out
otherwise.

Closes GH-16437.


# ab595c07 13-Oct-2024 Christoph M. Becker

Fix GH-16411: gmp_export() can cause overflow

We need not only to avoid the signed overflow while calculating
`bits_per_word` (reported issue), but also the unsigned overflow when
calculating `count`. While the former has a fixed threshold, the
latter does not, since it also depends on the size in base 2. Thus we
use a somewhat unconventional error message.

Closes GH-16418.


# 1d94fb86 14-Oct-2024 Arnaud Le Blanc

Fix handling of invalid iterator in zend_weakmap_iterator_get_current_key()

Fixes GH-16371
Closes GH-16436


# d613c0ed 14-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16429: Segmentation fault (access null pointer) in SoapClient

If get_iterator() fails, we should not destroy the object.
Also changes the check to a NULL check to be more defensive, and to
match the VM.

Closes GH-16441.


# ec8a24f7 14-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16397: Segmentation fault when comparing FFI object (#16401)

`compare` is a required handler [1], but this handler was set to NULL.
Throw an exception when trying to compare FFI objects.

[1] https://github.com/php/php-src/blob/35c8a010c6633a2a1ba7c16a0cf83affa07b819e/Zend/zend_object_handlers.h#L231C1-L231C64

Closes GH-16401.


# b5c09b1a 08-Oct-2024 Ilija Tovilo

Fix exception in assert() callback with bail enabled

Fixes GH-16293
Closes GH-16304


# b817a4f7 14-Oct-2024 Christoph M. Becker

Fix GH-16427: Unchecked libavif return values

Prior to libavif 1.1.0, `avifAlloc()` was infallible (it called
`abort()` on OOM conditions); thus, several API functions which used
`avifAlloc()` did not report failure. That changed as of libavif
1.0.0[1], so checking and handling failure conditions can now be done.
However, due to `avifAlloc()` being fallible as of libavif 1.1.0, this
error checking and handling is mandatory to avoid more serious issues.

[1] <https://github.com/AOMediaCodec/libavif/blob/eb02b2ec52df5c0f50b71fbc51321c5ce435aaca/CHANGELOG.md?plain=1#L273-L281>

Closes GH-16434.


# 323c9f49 14-Oct-2024 David Carlier

[skip ci] UPGRADING/NEWS changes


# 06efe44c 13-Oct-2024 Ilija Tovilo

Skip shebang in cli-server router script

Fixes GH-16373
Closes GH-16403


# c5745f40 13-Oct-2024 Ilija Tovilo

Fix array to string conversion warning emitted in optimizer

Fixes GH-16408
Closes GH-16380


# 3843f0ec 13-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16409: Segfault in exif_thumbnail when not dealing with a real file

Closes GH-16416.

