This happens because getName() resets the iterator to the start because
it overwrites the iterator data.
We add a version of get_first_node that does not overwrite the iterator
data.
Closes GH-12193.
For some reason, FILTER_CALLBACK disables the FILTER_REQUIRE_SCALAR flag that is
normally set by default. While surprising, this is not something we can change.
However, even specifying FILTER_REQUIRE_SCALAR explicitly does not corrently set
this flag. This is because FILTER_CALLBACK zeroes the flags after they have been
populated from the parameters.
We reverse the checks to make explicitly specifying the flag behave as expected.
Closes GH-12203
In this test file, the free_obj handler is called with a refcount of 2,
caused by the fact we do a GC_ADDREF() to increase its refcount while
its refcount is still 1 because the Foo object hasn't been destroyed yet
(due to the cycle caused by the sqlite function callback).
Solve this by introducing a get_gc handler.
Closes GH-11881.
Like oci8, procedural ODBC uses an apply function on the hash list to
enumerate persistent connections and close the specific one. However,
this function take zvals, not resources. However, it was getting casted
as such, causing it to interpret the pointer incorrectly. This could
have caused other issues, but mostly manifested as failing to close the
connection even fi it matched.
The function now takes a zval and gets the resource from that. In
addition, it also removes the cast of the function pointer and moves
casting to the function body, to avoid possible confusion like this in
refactors again. It also cleans up style and uses constants in the
function body.
Closes GH-12132
Signed-off-by: George Peter Banyard <girgias@php.net>
Addref to relevant fields before allocating any memory. Also only set/remove the
ZEND_ACC_HEAP_RT_CACHE flag after allocating memory.
Fixes GH-12073
Closes GH-12074
Passing NULL as the pointer to intl_error* will use the global error stack.
This is what we need to do instead of pushing it onto the temporary format object that is released.
When you do an assignment between two zvals (no, not zval*), you copy
all fields. This includes the additional u2 data. So that means for
example the Z_NEXT index gets copied, which in some cases can therefore
cause a cycle in zend_hash lookups.
Instead of doing an assignment, we should be doing a ZVAL_COPY (or
ZVAL_COPY_VALUE for non-refcounting cases). This avoids copying u2.
Closes GH-12086.
clang and newer gcc releases support byte-sized atomic accesses on
riscv64 through inline builtins. In both cases the hard dependency on
libatomic added by GH-11321 isn't useful.
Stop using AC_CHECK_LIB() which is too naive to notice that libatomic
isn't needed. Instead, PHP_CHECK_FUNC() will retry the check with -latomic
if required.
Closes GH-11790
Because the failure path did not release the string, there was a memory
leak.
As the only valid types for this function are IS_NULL and IS_STRING, we
and IS_NULL is always rejected in practice, solve the issue by not using
a function that increments the refcount in the first place.
Closes GH-12002.
NetBSD still adopts the old iconv signature for buffer inputs.
The next release will too so we can assume it will remain that way for
a while.
Close GH-12001
Evaluating constants at comptime can result in arrays that contain objects. This
is problematic for printing the default value of constant ASTs containing
objects, because we don't actually know what the constructor arguments were.
Avoid this by not propagating array constants.
Fixes GH-11937
Closes GH-11947
Upon resizing, the elements are destroyed from lower index to higher
index. When an element refers to an object with a destructor, it can
refer to a lower (i.e. already destroyed) element, causing a uaf.
Set refcounted zvals to NULL after destroying them to avoid a uaf.
Closes GH-11959.
The tempnam documentation currently states that "Only the first 63
characters of the prefix are used, the rest are ignored". However when
the prefix is 64 characters-long, the current implementation fails to
strip the last character, diverging from the documented behavior. This
patch fixes the implementation so it matches the documented behavior for
that specific case where the prefix is 64 characters long.
Closes GH-11870
Signed-off-by: George Peter Banyard <girgias@php.net>
People relied on manually waiting for children, but the fix for GH-11498
broke this. Fixing this in PHP is fundamentally incompatible with doing
the wait loop in userland. This reverts to the old behaviour.
Closes GH-11863.
https://dev.mysql.com/doc/dev/mysql-server/latest/page_caching_sha2_authentication_exchanges.html
tells us that the nonce used in this authentication method is 20 bytes
long. However, we might receive additional scramble data in
php_mysqlnd_greet_read not used in this method.
On my test setup, I received 21 bytes (20 bytes + '\0'). This resulted
in the xor computation to incorrectly include the NUL byte. Every
password of at least 20 characters therefore failed to authenticate
using this method.
Looking at mysql-server source code also seems to reveal that it always
uses a fixed number of scramble bytes [1].
[1] ea7087d885/sql/auth/sha2_password.cc (L1078-L1079)
Closes GH-11445.
Co-authored-by: Kamil Tekiela <tekiela246@gmail.com>
According to https://www.php.net/manual/en/class.domdocument:
When using json_encode() on a DOMDocument object the result will be
that of encoding an empty object.
But this was broken in 8.1. The output was `{"config": null}`.
That's because the config property is defined with a default value of
NULL, hence it was included. The other properties are not included
because they don't have a default property, and nothing is ever written
to their backing field. Hence, the JSON encoder excludes them.
Similarly, `(array) $doc` would yield the same `config` key in the
array.
Closes GH-11840.
At one point this was changed from a bool to an int in libxml2, with
negative values meaning it is unspecified. Because it is cast to a bool
this therefore returned true instead of the expected false.
Closes GH-11793.
- publicId could crash PHP if none was provided
- notationName never worked
The fields of this classs were untested. This new test file changes that.
Closes GH-11779.
There are a couple of oddities.
1) The interned strings buffer comprises the whole hashtable
datastructure.
Therefore, it seems that the interned strings buffer size is the size of
only said table. However, in the current code it also includes the size
of the zend_accel_shared_globals.
2) ZCSG(interned_strings).end is computed starting from the accelerator
globals struct itself. I would expect it to start from the part where
the interned strings table starts.
3) When computing the used size, it is done using
ZCSG(interned_strings).end - ZCSG(interned_strings).start. However,
this does not include the uin32_t slots array because
ZCSG(interned_strings).start pointers after that array.
This patch corrrects these 3 points.
Closes GH-11717.
Previously, FFI_G(symbols) and FFI_G(tags) were never cleaned up when calling
new on an existing object. However, if cdef() is called without parameters these
globals are NULL and might be created when new() creates new definitions. These
would then be discarded without freeing them.
Closes GH-11751
Not sure if this is possible to hit in practice, zend_accel_error_noreturn
doesn't return so the unlock isn't called. Other callsites that use both
zend_accel_error_noreturn and zend_shared_alloc_unlock first perform the
unlocking.
Closes GH-11718.
This also includes a fix for the MySQL ND driver to actually respect the user decided behaviour.
Closes GH-11622
Signed-off-by: George Peter Banyard <girgias@php.net>
Depending on the libxml2 version, the behaviour is either to not
render the fragment correctly, or to wrap it inside <></>. Fix it by
unpacking fragments manually. This has the side effect that we need to
move the unlinking check in the replacement function to earlier because
the empty child list is now possible in non-error cases.
Also fixes a mistake in the linked list management.
Closes GH-11627.
When the user does not fully consume the data stream, but instead opens
a new one, a memory leak occurs. Moreover, the state is invalid: when
more commands arrive they'll be handled out-of-sync because the state of
the client does not match what the server is doing.
This leads to all sorts of weirdness, for example:
Warning: ftp_nb_fget(): OK.
Fix it by gracefully closing the old data stream when a new data stream
is started.
Closes GH-11606.
The error handling is replaced using zend_replace_error_handling(), but
when SQLITE3_CHECK_INITIALIZED() returns early, the old error handling
isn't restored.
In the past, SQLITE3_CHECK_INITIALIZED() threw a warning when the check
failed. This was replaced a few years ago with an error exception. So we
can fix the bug by just removing the replacing error handling as it
accomplishes nothing anymore.
Closes GH-11607.
* ext/gd/tests/bug45799.phpt: tweak to work with external gd.
The expected output from this test contains an extra newline with
gd-2.3.3 from the system (Gentoo). Adding a whitespace wildcard takes
care of it, and the test still passes with the bundled version of gd.
* ext/gd/tests: external gd-2.3.3 compatibility.
Support for the legacy "gd" image format was removed from gd-2.3.3
upstream:
https://github.com/libgd/libgd/blob/master/CHANGELOG.md#233---2021-09-12
Several tests for the gd extension utilize that format, and naturally
fail when gd-2.3.3 from the system is used. This commit skips those
tests when the version of gd is at least 2.3.3.
* ext/gd/tests/bug73159.phpt: skip with external gd >= 2.3.3
This test uses the imagegd2() function to check that
https://github.com/libgd/libgd/issues/289
is fixed. When an external gd without support for the "gd" format is
used, no error is thrown, but a nonsense result is printed: this is
normal. The corresponding upstream test is disabled in that situation;
it's not expected to work.
This commit skips the corresponding PHP test under the same
circumstances to fix a test failure with external gd >= 2.3.3.
* ext/gd/tests/bug73155.phpt: skip with external gd >= 2.3.3
This test uses the imagegd2() function to check that
https://github.com/libgd/libgd/issues/309
is fixed. When an external gd without support for the "gd" format is
used, no error is thrown, but a nonsense result is printed: this is
normal. The corresponding upstream test is disabled in that situation;
it's not expected to work.
This commit skips the corresponding PHP test under the same
circumstances to fix a test failure with external gd >= 2.3.3.
* ext/gd/tests/bug73157.phpt: skip with external gd >= 2.3.3
This test ensures that the third (chunk_size) parameter to imagegd2()
is respected when a fourth parameter is also given. However, when an
external gd without support for the "gd" format is used, the call to
imagegd2() does not really work at all. It doesn't fail, but it
produces an "image" with a nonsense chunk size.
To avoid failures when an external gd >= 2.3.3 is used, we skip the
test entirely in that case.
* ext/gd/tests/bug77973.phpt: accept lowercase "Invalid"
This test fails with an external gd because the test expects "Invalid"
where upstream gd says "invalid". This commit tweaks the expected
output to accept an arbitrary character in the i/I position.
* ext/gd/tests/bug39780_extern.phpt: update for external gd-2.3.3.
Since there are no CI runs with external gd, I can only assume that
this test has fallen out-of-date due to changes in PHP itself. I've
tweaked the expected output (only slightly) so that the test passes
with both gd-2.3.2 and gd-2.3.3.
* ext/gd/tests/bug66356.phpt: update expected output for external gd.
Newer (external) versions of GD start their error messages with
lowercase characters, whereas this test is expecting them in
uppercase. A single-character wildcard now supports both formats.
* ext/gd/tests/imagegd_truecolor.phpt: skip with external gd >= 2.3.3.
This test uses the imagegd() function, but the "gd" format has been
disabled by default in upstream gd-2.3.3. We still get some kind of
image data back from the call to imagegd(), but its "signature",
"truecolor", and "size" no longer match the expected values. This
commit skips the test when an external gd >= 2.3.3 is used.
* ext/gd/tests/createfromwbmp2_extern.phpt: update for external gd-2.3.3.
* ext/gd/tests/libgd00086_extern.phpt: update for external gd-2.3.3.
Since there are no CI runs with external gd, I can only assume that
this test has fallen out-of-date due to changes in PHP itself. I've
tweaked the expected output (only slightly) so that the test passes
with both gd-2.3.2 and gd-2.3.3.
* ext/gd/tests/bug77272.phpt: update expected output for external gd.
Newer (external) versions of GD start their error messages with
lowercase characters, whereas this test is expecting them in
uppercase. A single-character wildcard now supports both formats.
* ext/gd/tests/bug77479.phpt: update for newer external gd.
This test fails with gd-2.3.3 (at least) due to minor capitalization
and whitespace issues. We add some wildcards to account for the
difference.
Closes GH-11257.
Closes GH-11262.
Closes GH-11264.
Closes GH-11280.
Normally, PHP evaluates all expressions in offsets (property or array), as well
as the right hand side of assignments before actually fetching the offsets. This
is well explained in this blog post.
https://www.npopov.com/2017/04/14/PHP-7-Virtual-machine.html#writes-and-memory-safety
For ??= we have a bit of a problem in that the rhs must only be evaluated if the
lhs is null or undefined. Thus, we have to first compile the lhs with BP_VAR_IS,
conditionally run the rhs and then re-fetch the lhs with BP_VAR_W to to make
sure the offsets are valid if they have been invalidated.
However, we don't want to just re-evaluate the entire lhs because it may contain
side-effects, as in $array[$x++] ??= 42;. In this case, we don't want to
re-evaluate $x++ because it would result in writing to a different offset than
was previously tested. The same goes for function calls, like
$array[foo()] ??= 42;, where the second call to foo() might result in a
different value. PHP behaves correctly in these cases. This is implemented by
memoizing sub-expressions in the lhs of ??= and reusing them when compiling the
lhs for the second time. This is done for any expression that isn't a variable,
i.e. anything that can (potentially) be written to.
Unfortunately, this also means that function calls are considered writable due
to their return-by-reference semantics, and will thus not be memoized. The
expression foo()['bar'] ??= 42; will invoke foo() twice. Even worse,
foo(bar()) ??= 42; will call both foo() and bar() twice, but
foo(bar() + 1) ??= 42; will only call foo() twice. This is likely not by design,
and was just overlooked in the implementation. The RFC does not specify how
function calls in the lhs of the coalesce assignment behaves. This should
probably be improved in the future.
Now, the problem this commit actually fixes is that ??= may memoize expressions
inside assert() function calls that may not actually execute. This is not only
an issue when using the VAR in the second expression (which would usually also
be skipped) but also when freeing the VAR. For this reason, it is not safe to
memoize assert() sub-expressions.
There are two possible solutions:
1. Don't memoize any sub-expressions of assert(), meaning they will execute
twice.
2. Throw a compile error.
Option 2 is not quite simple, because we can't disallow all memoization inside
assert(), as that would break assertions like assert($array[foo()] ??= 'bar');.
Code like this is highly unlikely (and dubious) but possible. In this case, we
would need to make sure that a memoized value could not be used across the
assert boundary it was created in. The complexity for this is not worthwhile. So
we opt for option 1 and disable memoization immediately inside assert().
Fixes GH-11580
Closes GH-11581
Previously, if an object had RC1 it would never be recorded in
php_serialize_data.ht because it was assumed that it could not be encountered
again. This assumption is incorrect though as the object itself may be saved
inside an array with RCn. This results in a new instance of the object, instead
of a second reference to the same object.
This is solved by tracking these objects in php_serialize_data.ht. To retain
performance, track if the current object resides in a potentially nested RCn
array. If not, and if the object is RC1 itself it may be omitted from
php_serialize_data.ht.
Additionally, we may treat the array root itself as RC1 because it may not
appear in the object graph again without recursion. Recursive arrays are still
somewhat broken even with this change, as the tracking of the array only happens
when the reference is encountered, thus resulting in a -> a' -> a' for a self
recursive array a -> a. Recursive arrays have limited support in serialize
anyway, so we ignore this case for now.
Co-authored-by: Dmitry Stogov <dmitry@zend.com>
Co-authored-by: Martin Hoch <martin@littlerobot.de>
Closes GH-11349
Closes GH-11305
Linux, and maybe other unixes, may merge multiple standard signals into
a single one. This causes issues when keeping track of process IDs.
Solve this by manually checking which children are dead using waitpid().
Test case is based on taka-oyama's test code.
Closes GH-11509.
When writing the output in the CLI is interrupted by a signal, the
writing will fail in sapi_cli_single_write(), causing an exit later in
sapi_cli_ub_write(). This was the other part of the issue in GH-11498.
The solution is to restart the write if an EINTR has been observed.
Closes GH-11510.
This reverts commit 7eb3e9cd17.
Although the fix follows the spec, it causes issues because a lot of old
code assumes the incorrect behaviour PHP had since a long time.
We cannot do this yet, especially not in a stable release.
We revert this for the time being.
See GH-11428.
The problem is the usage of zval_get_long(). In particular, if the
string is non-numeric the result of zval_get_long() will be 0 without
giving an error or warning. This is misleading for users: users get the
impression that they can use strings to access the map because it
coincidentally works for the first item (which is at index 0). Of
course, this fails with any other index which causes confusion and bugs.
This patch adds proper support for using string offsets while accessing
the map. It does so by detecting if it's a non-numeric string, and then
using the getNamedItem() method instead of item(). I had to split up the
array access implementation code for DOMNodeList and DOMNamedNodeMap
first to be able to do this.
Closes GH-11468.
The NULL namespace is only correct when there is no default namespace
override. When there is, we need to manually set it to the empty string
namespace.
Closes GH-11428.
We'll use the DOM wrapper version of libxml2 instead of the regular one.
It's conforming to the behaviour we expect of DOM.
Most of this patch is tests.
I based and extended the tests on the code attached with the aforementioned
bug reports. Therefore the credits for the tests:
Co-authored-by: hilse at web dot de
Co-authored-by: robin2008 at altruists dot org
Co-authored-by: sgunderson at bigfoot dot com
We'll also change the searching point of the internal reconciliation to
start at the top of the added tree to avoid redundant work now that the
function is changed.
Closes GH-11454.
* Fix type confusion and parent reference
* Manually manage the lifetime of the parent
* Add regression tests
* Break out to a helper, and apply the use-after-free fix to xpath
Closes GH-11402.
IPv6 addresses are valid entries in subjectAltNames. Certificate
Authorities may issue certificates including IPv6 addresses except
if they fall within addresses in the RFC 4193 range. Google and
CloudFlare provide IPv6 addresses in their DNS over HTTPS services.
Internal CAs do not have those restrictions and can issue Unique
local addresses in certificates.
Closes GH-11145
From the moment an ID is created, libxml2's behaviour is to cache that element,
even if that element is not yet attached to the document. Similarly, only upon
destruction of the element the ID is actually removed by libxml2.
Since libxml2 has such behaviour deeply ingrained in the library, and uses the
cache for various purposes, it seems like a bad idea and lost cause to fight it.
Instead, we'll simply walk the tree upwards to check if the node is attached to
the document.
Closes GH-11369.
The test was amended from the original issue report. For the test:
Co-authored-by: php@deep-freeze.ca
The problem is that the regular dom_reconcile_ns() only works on a
single node. We actually have to reconciliate the whole tree in case a
fragment was added. This also required to move some code around such
that this special case could be handled separately.
Closes GH-11362.
It's a type confusion bug. `zend_make_callable` may change the function name
of the fci to become an array, causing a crash in debug mode on
`zval_ptr_dtor_str(&fci.function_name);` in `dom_xpath_ext_function_php`.
On a production build it doesn't crash but only causes a leak, because
the array elements are not destroyed, only the array container itself
is. We can use the nogc variant because it cannot contain cycles, the
potential array can only contain 2 strings.
Closes GH-11350.
Fail to clobber_error only when the argv is a non-contiguous area
Don't increment the end_of_error if a non-contiguous area is encountered in environ
Closes GH-11247
We could end up in an invalid hierarchy, resulting in infinite loops and
eventual crashes if we don't check for the DOM hierarchy validity.
Closes GH-11344.
