When unserializing, the cached_resize field was not reset to -1
correctly, causing the setSize() method to think we were inside of a
resize operation.
Closes GH-13543.
The reflection failure is because the XML extension is used to check the
module dependency information, but that extension can be configured to
not depend on ext/libxml, resulting in a different output. The solution
is to check another extension instead.
The test failures in ext/xml/tests are because of different behaviour
between libxml2 and Expat error handling. These are expected differences
and the solution is to split the tests.
Closes GH-13522.
- Add tests
- NULL derefencing in read_dimension handler
- Fix isset()
- Fix empty() with column numbers as offsets
- Refactoring to use common functions
- Use gdFontCacheShutdown() to detect freetype
Currently we look for gdImageStringFT() to determine whether or not gd
has freetype support... but that function always exists. This leads
PHP to believe that gd has freetype support when it does not, and can
lead to build failures.
The gdFontCacheShutdown() function, on the other hand, is only present
when gd was built with freetype support. Let's use that instead.
- Fix GD image format detection
We currently check for, say, AVIF support by attempting to link a
program that calls libgd's gdImageCreateFromAvif() function. But
perversely, that function always exists in libgd; moreover when AVIF
support is missing it emits a warning and returns normally. Thus
our straightforward link test becomes not so straightforward.
This commit adds a new macro PHP_GD_CHECK_FORMAT that compiles, links,
and runs a test program instead. The test program overrides that "emit
a warning" handler so that the program actually fails if the format
we're looking for is not supported. This fixes detection of AVIF and
the other formats we check for in an external libgd.
- ext/gd/tests/bug77391.phpt: skip if gd lacks BMP support
I don't actually know how to remove BMP support from libgd, but PHP
has a ./configure test for it, so we should probably treat it as
optional.
Closes GH-12019
For master (8.4-dev) I merged GH-13381. But that PR changes public API
of TSRM, so cannot be used on lower branches.
This patch is a safe workaround for the issue, in combination with a
pre-existing fix using `ifdef ZTS + if (module_started)` inside pgsql
and odbc. The idea is to delay unloading modules until the persistent
resources are destroyed. This will keep the destructor code accessible
in memory.
This is not a proper fix on its own, because we still need the
workaround of not accessing globals after module destruction.
The proper fix is in master.
Closes GH-13388.
php_array_key_compare_string_case_unstable_i has a typo for the second
operand resulting in a wrong buffer size calculation.
Issue reported by @AlexRudyuk
Close GH-13315
The array isn't just observable if the array has RCn, but also if it is inside a
reference that is RCn. By-ref parameters are always RCn and as such always
observable.
Fixes GH-13279
Closes GH-13285
libgd uses an incorrect absolute path check in gdft.c.
It checks if either the path starts with a '/' (only valid on Posix
btw), or whether it contains something of the form C:\ or C:/.
However, this overlooks the possibility of using UNC paths on Windows.
As we already do PHP-specific stuff with VCWD_ macros, use
IS_ABSOLUTE_PATH to check for an absolute path which will take into
account UNC paths as well.
Closes GH-13241.
The code currently assumes that the extra field length of the central
directory entry and the local entry are the same, but that's not the
case. For example, the "Extended Timestamp extra field" differs in size
for local vs central directory entries. This causes the file contents
offset to be incorrect because it is based on the central directory
length instead of the local entry length. Fix it by reading the local
entry and getting the size from there as well as checking consistency
for the file name length.
Closes GH-13045.
zend_compile has an exception to this rule for constructors using
`zend_is_constructor`, which compares the function name to
`__construct`. Sadly, `zend_is_constructor` is not a public API, but we
can just do the string compare ourselves.
Closes GH-13179.
* Arrays returned from range are never empty
* When step is a double value representable by a long, it is coerced implicitly.
As such, passing a double step no longer guarantees that the result is a
non-int array.
Closes GH-13166
Commit 5cbe5a538c disabled chunking for all writes to streams. However,
user streams have a callback where code is executed on data that is
subject to the memory limit. Therefore, when using large writes or
stream_copy_to_stream/copy the memory limit can easily be hit with large
enough data.
To solve this, we reintroduce chunking for userspace streams.
Users have control over the chunk size, which is neat because
they can improve the performance by setting the chunk size if
that turns out to be a bottleneck.
In an ideal world, we add an option so we can "ask" the stream whether
it "prefers" chunked writes, similar to how we have
php_stream_mmap_supported & friends. However, that cannot be done on
stable branches.
Closes GH-13136.
Fixed an issue where pdo_firebird float and double type values were wrong.
Changed from using `%F` format with `zend_strpprintf` to using `%H` format with
`zend_strpprintf_unchecked`.
Fixes GH-13119
Closes GH-13125
Global --tag=CC defined in configure.ac is not correct in all cases. For example
linking objects that were compiled from C++ sources needs to be done with C++
compiler, however for link mode libtool will prefer compiler indicated with
--tag.
Fixes GH-12349
Issue occur when compiling with recent clang releases (> 13) and
with the '-Os' optimisation level, after using
`imageloadfont` which returns a proper GdFont class leads to
a subtle bug when attempting to use via the imagefont* function.
`start_type + end_type < 2*IS_STRING` is not right, in this test case
the types are start_type==5 (IS_DOUBLE), end_type==7 (IS_ARRAY).
The IS_ARRAY type is a sentinel to disambiguate single-byte strings.
The path must be taken when one of the types is not a string nor a
single-byte string. Therefore, use < IS_STRING with an OR condition.
Closes GH-13105.
We should perhaps look into a generic system to ask the SAPI whether
a feature should be supported or not. Or, we should look into making
a denylist instead of an allowlist.
Anyway, let's not try doing anything fancy on stable branches.
Closes GH-13070.
phar_get_pharfp() can return NULL. In this case this is because the
stream gets closed by the include code in the engine. However, the phar
entry is still cached, so when the next include happens the engine tries
to read from a closed (and nullified) stream.
Use the same fix as in phar_open_entry_fp(): take into account that the
phar_get_pharfp() can return NULL and in that case reopen the phar
archive.
Closes GH-13056.
On ZTS, the global variables are stored in dynamically allocated memory.
When the module gets shut down this memory is released. After the module
is shut down, only then are the persistent resources cleared. Normally
this isn't an issue, but pgsql and odbc refer to the globals to modify
some counters, after the globals have been freed.
Fix this by guarding the modification.
Closes GH-13032.
There's two issues here:
- freeing of predefined entity declaration crashes (unique to 8.3 & master)
- using multiple entity references for a single entity declaration crashes
(since forever)
The fix for the last issue is fairly easy to do on 8.3, but may require a
slightly different approach on 8.2. Therefore, for now this is 8.3-only.
Closes GH-13004.
I forgot to also update the document reference of attributes, so when
there is no document reference anymore from a variable, but still an
attribute, this can crash. Fix it by also updating the document
references for attributes.
Closes GH-13002.
Autotools emits warning if 3rd argument is empty. Call is wrapped in the
AC_CACHE_CHECK with php_cv_* cache variable name according to the docs.
Closes GH-12966
Because these functions are copied and not properly registered (which we
can't), the observer code doesn't add the temporaries on startup.
Add them via a callback during startup.
Closes GH-12906.
This is a false positive. The cycle detection code stops at 10.000
iterations. Instead of stopping at a fixed amount, make it more robust
by implementing Floyd's cycle detection algorithm.
Closes GH-12954.
Move SimpleXML invalidation code after node checks
This is safe, i.e. the tree hasn't been modified yet, because either we
didn't call a libxml modification function yet, or xmlNewChild is called
with a NULL pointer, which makes it bail out and return NULL.
Closes GH-12947.
* PHP-8.2:
Fix getting the address of an uninitialized property of a SimpleXMLElement resulting in a crash
Fix GH-12962: Double free of init_file in phpdbg_prompt.c
It seems SELinux has a bug where memory directly adjacent to the heap is
interpreted as heap memory. Dodge this issue by leaving some space between the
heap and memory suggested by find_prefered_mmap_base.
See GH-12932
See https://bugzilla.kernel.org/show_bug.cgi?id=218258
Closes GH-12942
There's two problems:
- Some loops used `unsigned int` instead of `size_t`.
- The 2*N-bit addition that is emulated using 2 N bit numbers has a bug:
it first truncated the number to 32/64 bit and only then shifted. This
resulted in the wrong length info stored inside the resulting hash.
Closes GH-12937.
When the cli-server specifies a router script, we run it using
zend_execute_scripts instead of php_execute_script, because the former preserves
the return value of the script. However, php_execute_script also starts resets
the execution timer with the value from max_execution_time. If the timer has
previously been initialized with max_input_time, it will never be reset, and
thus trigger at the incorrect time.
Closes GH-12886
The issue referenced here doesn't contain a reproducer, but I recently
received an email of a user with the exact same problem. I was able to
recreate the scenario locally using vsftpd and setting
`require_ssl_reuse=YES` in the vsftpd configuration.
It turns out that our session resumption code is broken. It only works a
single time: the first time a data connection opens. Subsequent data
connections fail to reuse the session. This is because on every data
connection a new session is negotiated, but the current code always
tries to reuse the (stale) session of the control connection.
To fix this, we use SSL_CTX_sess_set_new_cb() to setup a callback that
gets called every time a new session is negotiated. We take a strong
reference using SSL_get1_session() and store it in the ftpbuf_t struct.
Every time we open a data connection we'll take that session.
This works because every control connection has at most a single
associated data connection.
Also disable internal session caching storage to not fill the cache up
with useless sessions.
There is no phpt for this because PHP does not support enforcing SSL
session reuse.
It is however testable manually by setting up vsftpd and setting the
`require_ssl_reuse=YES` function from before.
Closes GH-12851.
This regressed in cd53ce838a.
The loop with `zend_hash_iterators_update` hangs forever because
`iter_pos` can't advance to idx. This is because the
`zend_hash_iterators_lower_pos` upper bound is `target->nNumUsed`,
but that is set to `source->nNumOfElements`.
That means that if there are holes in the array, we still loop over all
the buckets but the number of bucket slots will not match.
Fix it by changing the assignment.
Closes GH-12831.
If there are two users that can execute the script that caches a WSDL,
but the script is owned by a single user, then the caching code will
name the cached file with the file owner username and a hash of the uri.
When one of the two tries to rename the file created by the other
process, this does not work because it has no permission to do so.
This then leaves temporary files floating in the temp directory.
To fix the immediate problem, unlink the file after rename has failed.
On the long term, this has to be fixed by taking the username of the
process instead of the username of the file owner.
Closes GH-12841.
php_strip_url_passwd modifies url in-place. We cannot assume from
php_message_handler_for_zend that data is a temporary, modifiable string.
Fixes oss-fuzz #64209
Closes GH-12733
The namespace data is freed and set to NULL, but there remain references
to the namespace declaration nodes. This (rightfully) confuses libxml2
because its invariants are broken. We also have to remove all remaining
references from the subtree. This fixes the data corruption bug.
Closes GH-12681.
Have to use file_put_contents() instead of --FILE-- because we have to
actually load it using the exec command, *and* have to make multiple
files, and note that we can only load files relative from the current
directory, so we can't rely on files being in the sapi/phpdbg/tests
folder.
Closes GH-12680.
The temporary HashTable has a destructor that releases the string held
by the entry's value. However, browscap_intern_str(_ci) only incremented
the refcount for the reference created by the return value. As the
HashTable is only used during parsing, we don't need to manage the
reference count of the value anyway, so get rid of the destructor.
This is triggerable in two cases:
- When using php_admin_value to set the ini at the activation stage
- When running out of space for the opcache-interned strings
Closes GH-12634.
These two might not be available everywhere so we check them in
config.m4 when doing the configure step. Check is skipped for musl libc
due to limited implementation.
Constants that are defined into main/php_config.h:
HAVE_FPATHCONF
HAVE_PATHCONF
Implemented via GH-10238
Related to GH-10350
Fixes GH-12725
php_strip_url_passwd modifies url in-place. We cannot assume from
php_message_handler_for_zend that data is a temporary, modifiable string.
Fixes oss-fuzz #64209
Closes GH-12733
The namespace data is freed and set to NULL, but there remain references
to the namespace declaration nodes. This (rightfully) confuses libxml2
because its invariants are broken. We also have to remove all remaining
references from the subtree. This fixes the data corruption bug.
Closes GH-12681.
Have to use file_put_contents() instead of --FILE-- because we have to
actually load it using the exec command, *and* have to make multiple
files, and note that we can only load files relative from the current
directory, so we can't rely on files being in the sapi/phpdbg/tests
folder.
Closes GH-12680.
The temporary HashTable has a destructor that releases the string held
by the entry's value. However, browscap_intern_str(_ci) only incremented
the refcount for the reference created by the return value. As the
HashTable is only used during parsing, we don't need to manage the
reference count of the value anyway, so get rid of the destructor.
This is triggerable in two cases:
- When using php_admin_value to set the ini at the activation stage
- When running out of space for the opcache-interned strings
Closes GH-12634.
Adding pg_send_flush_request.
Fix freeze after next execute pg_send_* on PQgetResult in _php_pgsql_link_has_results.
Set nonblocking for pipelining mode.
No flush client buffer in pg_send_* for pipelining mode.
Close GH-12644
Removes 'PRAGMA writable_schema;'.
From sqlite changelog https://www.sqlite.org/releaselog/3_44_0.html:
> The SQLITE_DBCONFIG_DEFENSIVE setting now prevents PRAGMA writable_schema
> from being turned on.
> Previously writable_schema could be turned on, but would not actually allow
> the schema to be writable. Now it simply cannot be turned on.
Closes GH-12636.
* PHP-8.2:
Fixed GH-10008: Narrowing occurred during type inference of ZEND_ADD_ARRAY_ELEMENT
ext/intl: change when the locale is invalid for the 8.1/8.2 serie.
Now it's possible via removeAttribute("xmlns:prefix").
It was not possible to reuse a libxml2 function to reconcile because it
does not align with DOM behaviour.
Closes GH-12542.
Setting the stream context via php_stream_context_to_zval() will
increase the reference count. So if the new context is created, then it
will end up with a reference count of 2 while it should be 1.
Credits to cmb for the analysis. I arrived at the same patch as he did.
Closes GH-12523.
