#
cc39bc21 |
| 29-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16590: UAF in session_encode() The `PS_ENCODE_LOOP` does not protect the session hash table that it iterates over. Change it by temporarily creating a copy. Closes GH-16640.
|
#
5ddb7566 |
| 03-Nov-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix various memory leaks on error conditions in openssl_x509_parse() Closes GH-16690.
|
#
418f820f |
| 04-Nov-2024 |
Ilija Tovilo |
Add NEWS entry
|
#
2bdce613 |
| 31-Oct-2024 |
Ilija Tovilo |
Fix array going away during sorting Fixes GH-16648 Closes GH-16654
|
#
90aac521 |
| 25-Oct-2024 |
David Carlier |
Fix GH-16592 msg_send() crashes when the type does not serialize as expected. It is assumed that the serialization always had initialised its buffer zend_string, but in the case of a type not serialising, it is null. close GH-16599
|
#
e643129b |
| 02-Nov-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16628: FPM logs are getting corrupted with this log statement zlog_buf_prefix() can return a larger length than what actually was written due to its use of snprintf(). The code in zlog_stream_prefix_ex() does not take this into account, other callers do. What ends up happening then is that stream->length is set to the length as if snprintf() was able to write all bytes, causing stream->length to become larger than stream->buf.size, causing a segfault. In case the buffer was too small we try with a larger buffer up to a limit of zlog_limit. This makes sure that the stream length will remain bounded by the buffer size. This also adds assertions to make the programmer intent clear and catch this more easily in debug builds. Closes GH-16680.
|
#
f0f666ba |
| 01-Nov-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16601: Memory leak in Reflection constructors Additionally fixes wrong behaviour in ReflectionParameter when you first have a construction that uses an object and the subsequent doesn't. Closes GH-16672.
|
#
52536475 |
| 23-Sep-2024 |
Gina Peter Banyard |
ext/gmp: Fix segfault when null is encountered on an overloaded operator And various other issues like inconsistent type errors Closes GH-16015
|
#
ca5fd055 |
| 02-Nov-2024 |
David Carlier |
ext/posix: adding POSIX_SC_OPEN_MAX constant. returns the number of file descriptors that a process can handle. e.g. useful after pcntl_fork() to close all the file descriptors up to that boundary. close GH-16681
|
#
f9453a88 |
| 18-Oct-2024 |
Christoph M. Becker |
Fix GH-14732: date_sun_info() fails for non-finite values `timelib_astro_rise_set_altitude()` is not prepared to deal with non-finite values (`nan`, `inf` and `-inf`) for `lon` and `lat`; instead these trigger undefined behavior. Thus we catch non-finite values before even calling that timelib function; for `date_sun_info()` we trigger `ValueError`s; for `date_sunrise()` and `date_sunset()` we silently return `false`, since these functions will be sunsetted anyway. Closes GH-16497.
|
#
886a5287 |
| 01-Nov-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16604: Memory leaks in SPL constructors Closes GH-16673.
|
#
c9eafc19 |
| 25-Oct-2024 |
Christoph M. Becker |
Fix GH-16450: PDO_ODBC can inject garbage into field values A previous bug fix[1] relied on ODBC drivers to properly count down the `StrLen_or_IndPtr` argument for consecutive calls to `SQLGetData()`. Apparently, not all drivers handle this correctly, so we cannot assert they do. Instead we fall back to the old behavior for drivers which would violate the assertion. A test against SQLServer (which we currently use in CI) would not make sense, since the respective drivers do not exhibit that behavior. Instead we target the regression test especially to a MS Access database. Since there is apparently no way to easily create an MS Access database programmatically, we commit a minimal empty DB which is used for the regression test, and could also be used by other test cases. [1] <bccca0b53aa60a62e2988c750fc73c02d109e642> Closes GH-16587.
|
#
54a40f3b |
| 10-Oct-2024 |
Arnaud Le Blanc |
Add ReflectionProperty::isLazy() Closes GH-16342
|
#
3d3b22dd |
| 29-Oct-2024 |
Arnaud Le Blanc |
Fix assertion failure in zend_std_read_property We asserted that Z_PROP_FLAG_P(retval) was exactly IS_PROP_UNINIT, but this is a bit field and it may contain irrelevant bits. For instance it may contain IS_PROP_REINITABLE during clone, or IS_PROP_LAZY if the object is lazy. Fixes GH-16615 Closes GH-16639
|
#
eeec0939 |
| 29-Jun-2024 |
David Carlier |
Fix GH-14687 segfault on debugging a freed SplObjectIterator instance. close GH-14711
|
#
9d8983c0 |
| 25-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16595: Another UAF in DOM -> cloneNode We need to perform all sanity checks before doing any modification. I don't have a reliable and easy test for this on 8.2, but I have one for 8.4. Closes GH-16598.
|
#
d89dd28d |
| 25-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16593: Assertion failure in DOM->replaceChild This is already forbidden by libxml, but this condition isn't properly checked; so the return value and lack of error makes it seem like it worked while it actually didn't. Furthermore, this can break assumptions and assertions later on. Closes GH-16596.
|
#
947e319b |
| 25-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16594: Assertion failure in DOM -> before The invalid parent condition can actually happen because PHP's DOM allows getting children of e.g. attributes; something normally not possible. Closes GH-16597.
|
#
38e1b0ac |
| 24-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16572: Incorrect result with reflection in low-trigger JIT When a recursive call happens with invalid arguments, the maximum valid arguments are computed and stored in `num_args`, but the RECV entry block we jump to is `call_num_args` instead. This can skip argument validation checks. Fix this by using `num_args` instead. Closes GH-16575.
|
#
757781a1 |
| 25-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16577: EG(strtod_state).freelist leaks with opcache.preload This happens because on ZTS we execute `executor_globals_ctor` which resets the `freelist` and `p5s` pointers, while on NTS we don't. On NTS we can reuse the caches but on ZTS we can't, the easiest fix is to call `zend_shutdown_strtod` when preloading is shut down. This regressed in GH-13974 and therefore only exists in PHP 8.4 and higher. Closes GH-16602.
|
#
8f60309a |
| 26-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16589: UAF in SplDoublyLinked->serialize() Closes GH-16611.
|
#
992ac1c2 |
| 26-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16591: Assertion error in shm_put_var Closes GH-16610. Suggested-by: "Christoph M. Becker" <cmbecker69@gmx.de>
|
#
a19029fc |
| 17-Oct-2024 |
Gina Peter Banyard |
Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor) Closes GH-16480 Closes GH-16604
|
#
144d2ee2 |
| 25-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16588: UAF in Observer->serialize Closes GH-16600.
|
#
e9283c08 |
| 24-Oct-2024 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix GH-16574: Incorrect error "undefined method" messages The `get_method` object handler may change the object pointer. SPL does this in its iterator implementations. This causes the error message to change to another class which is confusing to the user. JIT handles this correctly. This patch aligns behaviour with JIT. Closes GH-16576.
|