History log of /php-src/NEWS (Results 51 – 75 of 15454)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
(<<< Hide modified files)
(Show modified files >>>)
# cc39bc21 29-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16590: UAF in session_encode()

The `PS_ENCODE_LOOP` does not protect the session hash table that it
iterates over. Change it by temporarily creating a copy.

Closes GH-166

Fix GH-16590: UAF in session_encode()

The `PS_ENCODE_LOOP` does not protect the session hash table that it
iterates over. Change it by temporarily creating a copy.

Closes GH-16640.

show more ...


# 5ddb7566 03-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix various memory leaks on error conditions in openssl_x509_parse()

Closes GH-16690.


# 418f820f 04-Nov-2024 Ilija Tovilo

Add NEWS entry


# 2bdce613 31-Oct-2024 Ilija Tovilo

Fix array going away during sorting

Fixes GH-16648
Closes GH-16654


# 90aac521 25-Oct-2024 David Carlier

Fix GH-16592 msg_send() crashes when the type does not serialize as expected.

It is assumed that the serialization always had initialised its buffer
zend_string, but in the case of a typ

Fix GH-16592 msg_send() crashes when the type does not serialize as expected.

It is assumed that the serialization always had initialised its buffer
zend_string, but in the case of a type not serialising, it is null.

close GH-16599

show more ...


# e643129b 02-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16628: FPM logs are getting corrupted with this log statement

zlog_buf_prefix() can return a larger length than what actually was
written due to its use of snprintf(). The code in

Fix GH-16628: FPM logs are getting corrupted with this log statement

zlog_buf_prefix() can return a larger length than what actually was
written due to its use of snprintf(). The code in
zlog_stream_prefix_ex() does not take this into account, other callers
do. What ends up happening then is that stream->length is set to the
length as if snprintf() was able to write all bytes, causing
stream->length to become larger than stream->buf.size, causing a
segfault.

In case the buffer was too small we try with a larger buffer up to a
limit of zlog_limit. This makes sure that the stream length will remain
bounded by the buffer size.

This also adds assertions to make the programmer intent clear and catch
this more easily in debug builds.

Closes GH-16680.

show more ...


# f0f666ba 01-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16601: Memory leak in Reflection constructors

Additionally fixes wrong behaviour in ReflectionParameter when you first
have a construction that uses an object and the subsequent d

Fix GH-16601: Memory leak in Reflection constructors

Additionally fixes wrong behaviour in ReflectionParameter when you first
have a construction that uses an object and the subsequent doesn't.

Closes GH-16672.

show more ...


# 52536475 23-Sep-2024 Gina Peter Banyard

ext/gmp: Fix segfault when null is encountered on an overloaded operator

And various other issues like inconsistent type errors

Closes GH-16015


# ca5fd055 02-Nov-2024 David Carlier

ext/posix: adding POSIX_SC_OPEN_MAX constant.

returns the number of file descriptors that a process can handle.
e.g. useful after pcntl_fork() to close all the file descriptors up
to

ext/posix: adding POSIX_SC_OPEN_MAX constant.

returns the number of file descriptors that a process can handle.
e.g. useful after pcntl_fork() to close all the file descriptors up
to that boundary.

close GH-16681

show more ...


# f9453a88 18-Oct-2024 Christoph M. Becker

Fix GH-14732: date_sun_info() fails for non-finite values

`timelib_astro_rise_set_altitude()` is not prepared to deal with non-
finite values (`nan`, `inf` and `-inf`) for `lon` and `lat

Fix GH-14732: date_sun_info() fails for non-finite values

`timelib_astro_rise_set_altitude()` is not prepared to deal with non-
finite values (`nan`, `inf` and `-inf`) for `lon` and `lat`; instead
these trigger undefined behavior. Thus we catch non-finite values
before even calling that timelib function; for `date_sun_info()` we
trigger `ValueError`s; for `date_sunrise()` and `date_sunset()` we
silently return `false`, since these functions will be sunsetted
anyway.

Closes GH-16497.

show more ...


# 886a5287 01-Nov-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16604: Memory leaks in SPL constructors

Closes GH-16673.


# c9eafc19 25-Oct-2024 Christoph M. Becker

Fix GH-16450: PDO_ODBC can inject garbage into field values

A previous bug fix[1] relied on ODBC drivers to properly count down the
`StrLen_or_IndPtr` argument for consecutive calls to `

Fix GH-16450: PDO_ODBC can inject garbage into field values

A previous bug fix[1] relied on ODBC drivers to properly count down the
`StrLen_or_IndPtr` argument for consecutive calls to `SQLGetData()`.
Apparently, not all drivers handle this correctly, so we cannot assert
they do. Instead we fall back to the old behavior for drivers which
would violate the assertion.

A test against SQLServer (which we currently use in CI) would not make
sense, since the respective drivers do not exhibit that behavior.
Instead we target the regression test especially to a MS Access
database.

Since there is apparently no way to easily create an MS Access database
programmatically, we commit a minimal empty DB which is used for the
regression test, and could also be used by other test cases.

[1] <bccca0b53aa60a62e2988c750fc73c02d109e642>

Closes GH-16587.

show more ...


# 54a40f3b 10-Oct-2024 Arnaud Le Blanc

Add ReflectionProperty::isLazy()

Closes GH-16342


# 3d3b22dd 29-Oct-2024 Arnaud Le Blanc

Fix assertion failure in zend_std_read_property

We asserted that Z_PROP_FLAG_P(retval) was exactly IS_PROP_UNINIT, but this is a
bit field and it may contain irrelevant bits. For instanc

Fix assertion failure in zend_std_read_property

We asserted that Z_PROP_FLAG_P(retval) was exactly IS_PROP_UNINIT, but this is a
bit field and it may contain irrelevant bits. For instance it may contain
IS_PROP_REINITABLE during clone, or IS_PROP_LAZY if the object is lazy.

Fixes GH-16615
Closes GH-16639

show more ...


# eeec0939 29-Jun-2024 David Carlier

Fix GH-14687 segfault on debugging a freed SplObjectIterator instance.

close GH-14711


# 9d8983c0 25-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16595: Another UAF in DOM -> cloneNode

We need to perform all sanity checks before doing any modification.
I don't have a reliable and easy test for this on 8.2, but I have one

Fix GH-16595: Another UAF in DOM -> cloneNode

We need to perform all sanity checks before doing any modification.
I don't have a reliable and easy test for this on 8.2, but I have one
for 8.4.

Closes GH-16598.

show more ...


# d89dd28d 25-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16593: Assertion failure in DOM->replaceChild

This is already forbidden by libxml, but this condition isn't properly
checked; so the return value and lack of error makes it seem l

Fix GH-16593: Assertion failure in DOM->replaceChild

This is already forbidden by libxml, but this condition isn't properly
checked; so the return value and lack of error makes it seem like it
worked while it actually didn't. Furthermore, this can break assumptions
and assertions later on.

Closes GH-16596.

show more ...


# 947e319b 25-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16594: Assertion failure in DOM -> before

The invalid parent condition can actually happen because PHP's DOM is
allows to get children of e.g. attributes; something normally not

Fix GH-16594: Assertion failure in DOM -> before

The invalid parent condition can actually happen because PHP's DOM is
allows to get children of e.g. attributes; something normally not
possible.

Closes GH-16597.

show more ...


# 38e1b0ac 24-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16572: Incorrect result with reflection in low-trigger JIT

When a recursive call happens with invalid arguments, the maximum valid
arguments are computed and stored in `num_args`,

Fix GH-16572: Incorrect result with reflection in low-trigger JIT

When a recursive call happens with invalid arguments, the maximum valid
arguments are computed and stored in `num_args`, but the RECV entry
block we jump to is `call_num_args` instead. This can skip argument
validation checks. Fix this by using `num_args` instead.

Closes GH-16575.

show more ...


# 757781a1 25-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16577: EG(strtod_state).freelist leaks with opcache.preload

This happens because on ZTS we execute `executor_globals_ctor` which reset the
`freelist` and `p5s` pointers, while on

Fix GH-16577: EG(strtod_state).freelist leaks with opcache.preload

This happens because on ZTS we execute `executor_globals_ctor` which reset the
`freelist` and `p5s` pointers, while on NTS we don't.
On NTS we can reuse the caches but on ZTS we can't, the easiest fix is
to call `zend_shutdown_strtod` when preloading is shut down.
This regressed in GH-13974 and therefore only exists in PHP 8.4 and
higher.

Closes GH-16602.

show more ...


# 8f60309a 26-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16589: UAF in SplDoublyLinked->serialize()

Closes GH-16611.


# 992ac1c2 26-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16591: Assertion error in shm_put_var

Closes GH-16610.

Suggested-by: "Christoph M. Becker" <cmbecker69@gmx.de>


# a19029fc 17-Oct-2024 Gina Peter Banyard

Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor)

Closes GH-16480
Closes GH-16604


# 144d2ee2 25-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16588: UAF in Observer->serialize

Closes GH-16600.


# e9283c08 24-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-16574: Incorrect error "undefined method" messages

The `get_method` object handler may change the object pointer. SPL does
this in its iterator implementations. This causes the er

Fix GH-16574: Incorrect error "undefined method" messages

The `get_method` object handler may change the object pointer. SPL does
this in its iterator implementations. This causes the error message
to change to another class which is confusing to the user. JIT handles
this correctly. This patch aligns behaviour with JIT.

Closes GH-16576.

show more ...


12345678910>>...619