e0a0e216 | 12-Oct-2024 | David Carlier
ext/gmp: gmp_pow fix FPE with large values.

even without sanitizers, it is reproducible but with the following

```
<?php
$g = gmp_init(256);
var_dump(gmp_pow($g, PHP_INT_MAX));
```

we get this

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==286922==ERROR: AddressSanitizer: FPE on unknown address 0x03e8000460ca (pc 0x7faf6c69de5c bp 0x400000000000004 sp 0x7ffe9843c740 T0)
    #0 0x7faf6c69de5c in __pthread_kill_implementation nptl/pthread_kill.c:44
    #1 0x7faf6c649c81 in __GI_raise ../sysdeps/posix/raise.c:26
    #2 0x7faf6db9386c in __gmp_exception (/lib/x86_64-linux-gnu/libgmp.so.10+0xd86c) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
    #3 0x7faf6db938d3 in __gmp_overflow_in_mpz (/lib/x86_64-linux-gnu/libgmp.so.10+0xd8d3) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
    #4 0x7faf6dbac95c in __gmpz_realloc (/lib/x86_64-linux-gnu/libgmp.so.10+0x2695c) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
    #5 0x7faf6dba9038 in __gmpz_n_pow_ui (/lib/x86_64-linux-gnu/libgmp.so.10+0x23038) (BuildId: 1af68a49fe041a5bb48a2915c3d47541f713bb38)
    #6 0x5565ae1ccd9f in zif_gmp_pow /home/dcarlier/Contribs/php-src/ext/gmp/gmp.c:1286
    #7 0x5565aee96ea9 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:1312
    #8 0x5565af144320 in execute_ex /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:56075
    #9 0x5565af160f07 in zend_execute /home/dcarlier/Contribs/php-src/Zend/zend_vm_execute.h:60439
    #10 0x5565aed6fafe in zend_execute_scripts /home/dcarlier/Contribs/php-src/Zend/zend.c:1842
    #11 0x5565aeae70a8 in php_execute_script /home/dcarlier/Contribs/php-src/main/main.c:2578
    #12 0x5565af532f4e in do_cli /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:964
    #13 0x5565af535877 in main /home/dcarlier/Contribs/php-src/sapi/cli/php_cli.c:1334
    #14 0x7faf6c633d67 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #15 0x7faf6c633e24 in __libc_start_main_impl ../csu/libc-start.c:360
    #16 0x5565adc04040 in _start (/home/dcarlier/Contribs/php-src/sapi/cli/php+0x2604040) (BuildId: 949049955bdf8b7197390b1978a1dfc3ef6fdf38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE nptl/pthread_kill.c:44 in __pthread_kill_implementation
==286922==ABORTING
```

close GH-16384

1e7eba0b | 24-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
[ci skip] Fix NEWS formatting

e1e1e64a | 23-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-16559: UBSan abort in ext/gd/libgd/gd_interpolation.c:1007

The `uchar_clamp` function was backported from old code, this backports it from new code.

Closes GH-16562.

58929919 | 20-Oct-2024 | Máté Kocsis
Fix GH-16131: Prevent mixing PDO sub-classes with different DSN

bb6cf5e9 | 22-Oct-2024 | Saki Takamachi
[ci skip] Update NEWS for PHP 8.4.0RC4

2d068c4f | 21-Oct-2024 | Ilija Tovilo
Fix lineno for inheritance errors of early bound classes

Fixes GH-16508
Closes GH-16532

de7ef3fa | 21-Oct-2024 | Ilija Tovilo
Fix lineno in function redeclaration error

We were previously using the lineno of the first instruction, rather than the start of the function itself.

Fixes GH-16509
Closes GH-16531

8720063c | 21-Oct-2024 | Ilija Tovilo
Fix propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline

Fixes GH-16515
Closes GH-16529

64081d13 | 11-Sep-2024 | Arnaud Le Blanc
Lazy objects: Update class constants earlier

If a lazy object is created for a class whose constants can not be updated, then we have created an instance of a non-instantiable class. This breaks the expectations of clone.

Here I ensure that a class has its constants updated before creating a lazy instance of it.

Fixes OSS-Fuzz #71407
Closes GH-15856

f9ce5e79 | 21-Oct-2024 | Christoph M. Becker
Fix GH-16523: FILTER_FLAG_HOSTNAME accepts ending hyphen

Domain name labels must not end with a hyphen, and that is also true for the last label. Apparently, this has been overlooked so far.

Closes GH-16540.

51b642f2 | 21-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-16535: UAF when using document as a child

Documents can never be children of any node.

Closes GH-16539.

a0a7361b | 21-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-16533: Segfault when adding attribute to parent that is not an element

Attributes are only valid as children of elements. This bug goes back all the way.

Closes GH-16537.

d3b0efe9 | 18-Oct-2024 | Christoph M. Becker
Fix GH-16390: dba_open() can segfault for "pathless" streams

`dba_open()` accepts arbitrary stream wrapper paths, but unless no locking (`-`) is specified, we try to determine the underlying file path. If that fails, we need to error out.

Closes GH-16498.

9ca68e03 | 19-Oct-2024 | David Carlier
Fix GH-16501: gmp_random_bits overflow.

we do the same calculation in advance as mpz_realloc overflow check to avoid abort.

close GH-16503

b2b294a2 | 18-Oct-2024 | Derick Rethans
Fixed bug GH-16037 (Assertion failure in ext/date/php_date.c)

9bc34182 | 17-Oct-2024 | Christoph M. Becker
Fix GH-16454: Unhandled INF in date_sunset() with tiny $utcOffset

After normalization, `N` is supposed to be in range [0, 24], but for very large and very small `$utcOffset` this is not necessarily the case, since the normalization might yield `-inf` or `inf`. If that happens, we let the function fail silently, since it is highly unlikely that such `$utcOffset`s are passed in practice.

Closes GH-16483.

41af9335 | 17-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-16473: dom_import_simplexml stub is wrong

It's been wrong since PHP 8.0 at least, and the signature was inherited in 8.4-dev to the new DOM methods.

Closes GH-16489.

6a8d0a05 | 16-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-16406: Assertion failure in ext/phar/phar.c:2808

When copying entries during conversion in phar_convert_to_other(), the header offset is not reset. This didn't matter in the past as it wasn't used anyway in the particular use-case, but since 1bb2a4f9 this is actually used and sanity-checked.

Closes GH-16470.

5cb38e9d | 10-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix various document ref pointer mismanagements

- Properly handle attributes
- Fix potential NULL dereference if the intern document pointer is NULL

Fixes GH-16336.
Fixes GH-16338.
Closes GH-16345.

7fe168d8 | 17-Oct-2024 | Ilija Tovilo
Fix uaf in SplFixedArray::unset()

Fixes GH-16478
Closes GH-16481

12c987fa | 17-Oct-2024 | Ilija Tovilo
Fix use-after-free in SplObjectStorage::setInfo()

Fixes GH-16479
Closes GH-16482

8820a103 | 16-Oct-2024 | Ilija Tovilo
Fix uaf in SplDoublyLinkedList::offsetSet()

Write to the new offset before calling the destructor of the previous value.

Fixes GH-16464
Closes GH-16466

a8bbc845 | 16-Oct-2024 | Ilija Tovilo
Disallow asymmetric visibility on static properties

This check was forgotten in the original implementation. Relaxing this restriction shouldn't be hard, but needs some work. We either need to prevent merging of cache slots for R/RW/W, or we need to introduce an additional check when writing to the property indirectly. This check is currently present only for direct writes.

Closes GH-16462

d70f3ba9 | 16-Oct-2024 | Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Fix GH-16465: Heap buffer overflow in DOMNode->getElementByTagName

If the input contains NUL bytes then the length doesn't match the actual duplicated string's length. Note that libxml can't handle this properly anyway so we just reject NUL bytes and too long strings.

Closes GH-16467.

cb6025cd | 16-Oct-2024 | Tim Düsterhus
curl: Add `curl_multi_get_handles()` (#16363)

see https://curl.se/libcurl/c/curl_multi_get_handles.html
