Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3:
Fix uaf in SplDoublyLinkedList::offsetSet()

Merge branch 'PHP-8.2' into PHP-8.3

* PHP-8.2:
Fix uaf in SplDoublyLinkedList::offsetSet()

Fix uaf in SplDoublyLinkedList::offsetSet()

Write to the new offset before calling the destructor of the previous value.

Fixes GH-16464
Closes GH-16466

Merge branch 'PHP-8.4'

* PHP-8.4:
Disallow asymmetric visibility on static properties

Disallow asymmetric visibility on static properties

This check was forgotten in the original implementation. Relaxing this
restriction shouldn't be hard, but needs some work. We either n

Disallow asymmetric visibility on static properties

This check was forgotten in the original implementation. Relaxing this
restriction shouldn't be hard, but needs some work. We either need to prevent
merging of cache slots for R/RW/W, or we need to introduce an additional check
when writing to the property indirectly. This check is currently present only
for direct writes.

Closes GH-16462

show more ...

Merge branch 'PHP-8.4'

* PHP-8.4:
Fix GH-16465: Heap buffer overflow in DOMNode->getElementByTagName

Fix GH-16465: Heap buffer overflow in DOMNode->getElementByTagName

If the input contains NUL bytes then the length doesn't match the actual
duplicated string's length. Note that libxml c

Fix GH-16465: Heap buffer overflow in DOMNode->getElementByTagName

If the input contains NUL bytes then the length doesn't match the actual
duplicated string's length. Note that libxml can't handle this properly
anyway so we just reject NUL bytes and too long strings.

Closes GH-16467.

show more ...

curl: Add `curl_multi_get_handles()` (#16363)

see https://curl.se/libcurl/c/curl_multi_get_handles.html

Refactor zlib dictionary processing (GH-16407)

Co-authored-by: Tim Düsterhus <tim@bastelstu.be>

Stop trace recording only on ENTER to FAKE_CLOSURE (continue on EXIT) (#16455)

Merge branch 'PHP-8.4'

* PHP-8.4:
Fix GH-16433: Large values for openssl_csr_sign() $days overflow

Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3:
Fix GH-16433: Large values for openssl_csr_sign() $days overflow

Merge branch 'PHP-8.2' into PHP-8.3

* PHP-8.2:
Fix GH-16433: Large values for openssl_csr_sign() $days overflow

Fix GH-16433: Large values for openssl_csr_sign() $days overflow

The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but
the `$days` parameter of `openssl_csr_sign()` a `

Fix GH-16433: Large values for openssl_csr_sign() $days overflow

The `offset_sec` parameter of `X509_gmtime_adj()` expects a `long`, but
the `$days` parameter of `openssl_csr_sign()` a `zend_long`. We must
avoid signed integer overflow (UB), but also must not silently truncate.
Thus we check the given `$days` for the permissible range, and bail out
otherwise.

Closes GH-16437.

show more ...

Allow JIT for passing arguments to trampolines and "bad" functions (#16365)

* Better trace coverage (JIT trampoline calls)

* clenup trampoline by zend_jit_free_trampoline()

Allow JIT for passing arguments to trampolines and "bad" functions (#16365)

* Better trace coverage (JIT trampoline calls)

* clenup trampoline by zend_jit_free_trampoline()

* Fix ZEND_JIT_TRACE_INIT_CALL/ZEND_JIT_TRACE_DO_ICALL num_args mismatch

It may be caused by SEND_UNPACK/SEND_ARRAY

* cleanup

* cleanup

* Don't record function that may be temporary

* cleanup

* Prevent invalid run_time_cache allocation for "bad" internal functions

* Update zend_jit_trace_record_fake_init_call_ex() accordingly

* Better handling of "bad" functions and fake closures

show more ...

Merge branch 'PHP-8.4'

* PHP-8.4:
Fix GH-16411: gmp_export() can cause overflow

Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3:
Fix GH-16411: gmp_export() can cause overflow

Merge branch 'PHP-8.2' into PHP-8.3

* PHP-8.2:
Fix GH-16411: gmp_export() can cause overflow

Fix GH-16411: gmp_export() can cause overflow

We need not only to avoid the signed overflow while calculating
`bits_per_word` (reported issue), but also the unsigned overflow when
ca

Fix GH-16411: gmp_export() can cause overflow

We need not only to avoid the signed overflow while calculating
`bits_per_word` (reported issue), but also the unsigned overflow when
calculating `count`. While the former has a fixed threshold, the
latter does not, since it also depends on the size in base 2. Thus we
use a somewhat unconventional error message.

Closes GH-16418.

show more ...

Fix GH-16358: Segmentation fault (access null pointer) in Zend/zend_operators.c:2495

Merge branch 'PHP-8.4'

* PHP-8.4:
Fix handling of invalid iterator in zend_weakmap_iterator_get_current_key()

Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3:
Fix handling of invalid iterator in zend_weakmap_iterator_get_current_key()

Merge branch 'PHP-8.2' into PHP-8.3

* PHP-8.2:
Fix handling of invalid iterator in zend_weakmap_iterator_get_current_key()

Fix handling of invalid iterator in zend_weakmap_iterator_get_current_key()

Fixes GH-16371
Closes GH-16436

Merge branch 'PHP-8.4'

* PHP-8.4:
Fix GH-16393: Assertion failure in ext/opcache/jit/zend_jit.c:2897