]> granicus.if.org Git - php/log
php
4 years agoFix memory leak introduced by fixing bug #78221
Christoph M. Becker [Wed, 8 Apr 2020 08:35:54 +0000 (10:35 +0200)]
Fix memory leak introduced by fixing bug #78221

We have to free the retrieved text content; to keep the code readable,
we extract a helper function to check for empty nodes.  Unfortunately,
we cannot use xmlIsBlankNode(), because that also recognizes whitespace
only text content.

We also make sure to properly handle NULL returns from
xmlNodeGetContent().

4 years agoRevert "Went to fast and forgot to update tests"
George Peter Banyard [Tue, 7 Apr 2020 20:24:40 +0000 (22:24 +0200)]
Revert "Went to fast and forgot to update tests"

This reverts commit 656eac74fa6074aebc087bb73d2e4651f7dc8c9e.

4 years agoRevert "Fix Bug #79448 0 is a valid Unicode codepoint, but mb_substitute_character...
George Peter Banyard [Tue, 7 Apr 2020 20:23:24 +0000 (22:23 +0200)]
Revert "Fix Bug #79448 0 is a valid Unicode codepoint, but mb_substitute_character(0) fails"

This commit brings some substantial changes in behaviour due to the weird implementation.
This will be fixed in master due to BC concerns.

This reverts commit 1333b46d6dc0c293c1fd626803f91bc69743eb79.

4 years agoFix #78221: DOMNode::normalize() doesn't remove empty text nodes
Christoph M. Becker [Wed, 11 Mar 2020 12:02:09 +0000 (13:02 +0100)]
Fix #78221: DOMNode::normalize() doesn't remove empty text nodes

If a text node is not followed by another text node, we remove it, if
its textContent is empty.

4 years agoWent to fast and forgot to update tests
George Peter Banyard [Fri, 3 Apr 2020 20:03:00 +0000 (22:03 +0200)]
Went to fast and forgot to update tests

However due to the really lax conversion to integer all strings pass as 0

4 years agoFix Bug #79448 0 is a valid Unicode codepoint, but mb_substitute_character(0) fails
George Peter Banyard [Fri, 3 Apr 2020 19:16:04 +0000 (21:16 +0200)]
Fix Bug #79448 0 is a valid Unicode codepoint, but mb_substitute_character(0) fails

4 years agoFix incorrect free for last_message
Qianqian Bu [Fri, 3 Apr 2020 07:44:41 +0000 (15:44 +0800)]
Fix incorrect free for last_message

In commit a7305eb539596e175bd6c3ae9a20953358c5d677 the last_message
field of the connection object was changed to be always non-persistent.
But there is a place on change_user path that still treats it
depending on conn->persistent flag. This will cause PHP crash after
com_change_user success when there is last_message set

4 years agoFixed bug #79434
Nikita Popov [Thu, 2 Apr 2020 14:32:57 +0000 (16:32 +0200)]
Fixed bug #79434

4 years agoFix literal compaction collision between string and double
Nikita Popov [Wed, 1 Apr 2020 12:20:59 +0000 (14:20 +0200)]
Fix literal compaction collision between string and double

For the sake of simplicity I'm using a separate hashtable, rather
than trying to do hash perturabation on the double strings.

4 years agoAdd NEWS entryc [ci skip]
Christoph M. Becker [Wed, 1 Apr 2020 07:26:20 +0000 (09:26 +0200)]
Add NEWS entryc [ci skip]

4 years agoFix bug 79441
George Peter Banyard [Wed, 1 Apr 2020 02:29:20 +0000 (04:29 +0200)]
Fix bug 79441

4 years agoNext is 7.3.18
Christoph M. Becker [Tue, 31 Mar 2020 08:22:55 +0000 (10:22 +0200)]
Next is 7.3.18

4 years agoFix #79413: session_create_id() fails for active sessions
Christoph M. Becker [Thu, 26 Mar 2020 18:01:33 +0000 (19:01 +0100)]
Fix #79413: session_create_id() fails for active sessions

The comment on `PS_VALIDATE_SID_FUNC(files)` is very clear that the
function is supposed to return `SUCCESS` if the session already exists.
So to detect a collision, we have to check for `SUCCESS`, not
`FAILURE`.

We also fix the wrong condition in session_regenerate_id() as well.

4 years agoFix #79427: Integer Overflow in shmop_open()
Christoph M. Becker [Sun, 29 Mar 2020 14:56:57 +0000 (16:56 +0200)]
Fix #79427: Integer Overflow in shmop_open()

If `shm.shm_segsz > ZEND_LONG_MAX` the assignment to `shmop->size` a
few lines below would overflow, so we catch that early and bail out if
necessary.

4 years agoFix #79424 ext/zip: don't use gl_pathc after call to globfree
Max Rees [Fri, 27 Mar 2020 17:57:24 +0000 (12:57 -0500)]
Fix #79424 ext/zip: don't use gl_pathc after call to globfree

This breaks on Linux with the musl libc, since it zeroes out gl_pathc during
globfree.

4 years agoAdd missing 'skip' to bug79332.phpt skip message
Lukas Berger [Thu, 26 Mar 2020 17:39:39 +0000 (10:39 -0700)]
Add missing 'skip' to bug79332.phpt skip message

The skip message must start with the word 'skip', otherwise the test will not be skipped.

*Before:*
Running selected tests.
TEST 1/1 [ext/com_dotnet/tests/bug79332.phpt]
========DIFF========
001+ Fatal error: Uncaught Error: Class 'COMPersistHelper' not found in /srv/php/ext/com_dotnet/tests/bug79332.php:2
001- A com_exception has been thrown
002+ Stack trace:
003+ #0 {main}
004+   thrown in /srv/php/ext/com_dotnet/tests/bug79332.php on line 2
========DONE========
FAIL Bug #79332 (php_istreams are never freed) [ext/com_dotnet/tests/bug79332.phpt]

*After:*
Running selected tests.
SKIP Bug #79332 (php_istreams are never freed) [ext/com_dotnet/tests/bug79332.phpt] reason: com_dotnet extension not available

4 years agoFixed bug #79412 (Opcache chokes and uses 100% CPU on specific script).
Dmitry Stogov [Wed, 25 Mar 2020 14:31:06 +0000 (17:31 +0300)]
Fixed bug #79412 (Opcache chokes and uses 100% CPU on specific script).

4 years agoFix bug #79410 (system() swallows last chunk if it is exactly 4095 bytes without...
Christian Schneider [Tue, 24 Mar 2020 15:43:17 +0000 (16:43 +0100)]
Fix bug #79410 (system() swallows last chunk if it is exactly 4095 bytes without newline)

Closes GH-5292.

4 years agoAdd test file
Nikita Popov [Mon, 23 Mar 2020 16:13:57 +0000 (17:13 +0100)]
Add test file

Forgot the git add again...

4 years agoHandle NULL caller_call_opline
Nikita Popov [Mon, 23 Mar 2020 16:10:54 +0000 (17:10 +0100)]
Handle NULL caller_call_opline

This can happen if there is an EXIT in the call arguments, in which
case the DO_CALL opcode may be eliminated as unreachable.

4 years agoFix test for Windows
Christoph M. Becker [Mon, 23 Mar 2020 15:19:25 +0000 (16:19 +0100)]
Fix test for Windows

Windows filenames may very well contain a colon, so we adjust the test
accordingly.

4 years agoFix #79200: Some iconv functions cut Windows-1258
Christoph M. Becker [Mon, 16 Mar 2020 12:09:16 +0000 (13:09 +0100)]
Fix #79200: Some iconv functions cut Windows-1258

To cater to potentially state-dependent encodings, we have to reset the
conversion descriptor into its initial shift state to properly finish
the conversion.  Furthermore, state-dependent encodings may not show
progress when comparing `in_left` before and after the conversion; we
rather have to see whether `out_left` has decreased.  Also we have to
cater to the fact that the final potentially state resetting call does
not signal failure, but we still have to break respective loops
afterwards.

4 years agoFix #79393: Null coalescing operator failing with SplFixedArray
Christoph M. Becker [Wed, 18 Mar 2020 16:39:27 +0000 (17:39 +0100)]
Fix #79393: Null coalescing operator failing with SplFixedArray

We favor the KISS principle over optimization[1] – SPL is already
special enough.

[1] <https://github.com/php/php-src/pull/2489/commits/352f3d4476a79bb86136b431719df7394e5a8d4e#r112498098>ff

4 years agoNEWS
Remi Collet [Fri, 20 Mar 2020 10:16:08 +0000 (11:16 +0100)]
NEWS

4 years agoFix Bug #79296 ZipArchive::open fails on empty file
Remi Collet [Thu, 19 Mar 2020 16:31:17 +0000 (17:31 +0100)]
Fix Bug #79296 ZipArchive::open fails on empty file

4 years agoFix #79396: DateTime hour incorrect during DST jump forward
Nate Brunette [Wed, 18 Mar 2020 20:04:46 +0000 (15:04 -0500)]
Fix #79396: DateTime hour incorrect during DST jump forward

When you attempt to set the time to a non-existent time occuring during
a DST jump forward, the hour does not move forward correctly.

4 years agoClarify session.cookie_samesite="None"
Nikita Popov [Wed, 18 Mar 2020 14:59:30 +0000 (15:59 +0100)]
Clarify session.cookie_samesite="None"

4 years agoMerge branch 'PHP-7.2' into PHP-7.3
Remi Collet [Tue, 17 Mar 2020 10:28:47 +0000 (11:28 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  bump verison to 7.2.30-dev

4 years agobump verison to 7.2.30-dev
Remi Collet [Tue, 17 Mar 2020 10:28:34 +0000 (11:28 +0100)]
bump verison to 7.2.30-dev

4 years agoMerge branch 'PHP-7.2' into PHP-7.3
Christoph M. Becker [Tue, 17 Mar 2020 10:08:45 +0000 (11:08 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  Fix NEWS

4 years agoFix NEWS
Christoph M. Becker [Tue, 17 Mar 2020 10:04:24 +0000 (11:04 +0100)]
Fix NEWS

4 years agoMerge branch 'PHP-7.2' into PHP-7.3
Christoph M. Becker [Tue, 17 Mar 2020 09:56:47 +0000 (10:56 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  [ci skip] Update NEWS
  Fix test
  Fix bug #79329 - get_headers should not accept \0
  Fixed bug #79282

4 years ago[ci skip] Update NEWS
Stanislav Malyshev [Mon, 16 Mar 2020 02:35:35 +0000 (19:35 -0700)]
[ci skip] Update NEWS

4 years agoFix test
Stanislav Malyshev [Mon, 16 Mar 2020 00:55:28 +0000 (17:55 -0700)]
Fix test

4 years agoFix bug #79329 - get_headers should not accept \0
Stanislav Malyshev [Mon, 16 Mar 2020 00:30:44 +0000 (17:30 -0700)]
Fix bug #79329 - get_headers should not accept \0

4 years agoFixed bug #79282
Stanislav Malyshev [Mon, 16 Mar 2020 00:26:00 +0000 (17:26 -0700)]
Fixed bug #79282

4 years agoFix #79371: mb_strtolower (UTF-32LE): stack-buffer-overflow
Christoph M. Becker [Thu, 12 Mar 2020 12:04:04 +0000 (13:04 +0100)]
Fix #79371: mb_strtolower (UTF-32LE): stack-buffer-overflow

We make sure that negative values are properly compared.

4 years ago[ci skip] Update NEWS
Stanislav Malyshev [Mon, 16 Mar 2020 02:35:26 +0000 (19:35 -0700)]
[ci skip] Update NEWS

4 years agoFix test
Stanislav Malyshev [Mon, 16 Mar 2020 00:55:28 +0000 (17:55 -0700)]
Fix test

4 years agoFix bug #79329 - get_headers should not accept \0
Stanislav Malyshev [Mon, 16 Mar 2020 00:30:44 +0000 (17:30 -0700)]
Fix bug #79329 - get_headers should not accept \0

4 years agoFixed bug #79282
Stanislav Malyshev [Mon, 16 Mar 2020 00:26:00 +0000 (17:26 -0700)]
Fixed bug #79282

4 years agoFix typo in php.ini comment
Jacob Dreesen [Sun, 15 Mar 2020 13:11:40 +0000 (14:11 +0100)]
Fix typo in php.ini comment

4 years agoFix #79199: curl_copy_handle() memory leak
Christoph M. Becker [Wed, 11 Mar 2020 17:29:40 +0000 (18:29 +0100)]
Fix #79199: curl_copy_handle() memory leak

`curl_copy_handle()` already registers a new resource, so we must not
increase the refcount of the original resource.

4 years agoFix #61597: SXE properties may lack attributes and content
Christoph M. Becker [Sat, 7 Mar 2020 10:20:06 +0000 (11:20 +0100)]
Fix #61597: SXE properties may lack attributes and content

We must not treat a node as string if it has attributes, unless it is
an entity declaration which is always treated as string by simplexml.

4 years agoFix #78210: Invalid pointer address
Christoph M. Becker [Wed, 11 Mar 2020 09:16:04 +0000 (10:16 +0100)]
Fix #78210: Invalid pointer address

This is actually about three distinct issues:

* If an empty string is passed as $address to `stream_socket_sendto()`,
  the `sa` is not initialized, so we must not pass it as `addr` to
  `php_stream_xport_sendto()`.

* On POSIX, `recvfrom()` truncates messages which are too long to fit
  into the specified buffer (unless `MSG_PEEK` is given), discards the
  excessive bytes, and returns the buffer length.  On Windows, the same
  happens, but `recvfrom()` returns `SOCKET_ERROR` with the error code
  `WSAEMSGSIZE`.  We have to catch this for best POSIX compatibility.

* In `php_network_parse_network_address_with_port()`, we have to zero
  `in6` (not only its alias `sa`) to properly support IPv6.

Co-Authored-By: Nikita Popov <nikita.ppv@googlemail.com>
4 years agoFix #79364: When copy empty array, next key is unspecified
Christoph M. Becker [Tue, 10 Mar 2020 15:12:53 +0000 (16:12 +0100)]
Fix #79364: When copy empty array, next key is unspecified

We must not forget to keep the `nNextFreeElement` when duplicating
empty arrays.

4 years agoEnclose INI values containing {TMP} in quotes
Christoph M. Becker [Mon, 9 Mar 2020 16:58:36 +0000 (17:58 +0100)]
Enclose INI values containing {TMP} in quotes

At least on Windows, the temporary directory may contain tilde signs,
which would result in an INI parse error.

4 years agoSkip test on Windows if privileges are insufficient
Christoph M. Becker [Fri, 6 Mar 2020 15:38:18 +0000 (16:38 +0100)]
Skip test on Windows if privileges are insufficient

4 years agoFix #75673: SplStack::unserialize() behavior
Christoph M. Becker [Thu, 5 Mar 2020 13:57:27 +0000 (14:57 +0100)]
Fix #75673: SplStack::unserialize() behavior

Even though `SplStack::unserialize()` is not supposed to be called on
an already constructed instance, it is probably better if the method
clears the stack before actually unserializing.

4 years agoNext is 7.3.17
Christoph M. Becker [Tue, 3 Mar 2020 09:19:31 +0000 (10:19 +0100)]
Next is 7.3.17

4 years agoUpdate libmagic.patch
Christoph M. Becker [Wed, 26 Feb 2020 08:59:44 +0000 (09:59 +0100)]
Update libmagic.patch

Some commits missed to update the patch file, so we're catching up on
this.

To generally make this easier, we back-port generate_patch.sh from
PHP-7.4, where we now also generate magic.h from magic.h.in.

4 years agoFix #79333: com_print_typeinfo() leaks memory
Christoph M. Becker [Mon, 2 Mar 2020 10:36:30 +0000 (11:36 +0100)]
Fix #79333: com_print_typeinfo() leaks memory

We have to free the `ansiname`s, regardless of whether they have been
put into the hashtable or not.

Since bug79299.phpt already shows the leak when run with a leak
checker, there is no need for another regression test.

4 years agoFix #79332: php_istreams are never freed
Christoph M. Becker [Mon, 2 Mar 2020 09:45:37 +0000 (10:45 +0100)]
Fix #79332: php_istreams are never freed

Releasing the `com_dotnet_istream_wrapper` in `istream_destructor()` is
pointless, since `istream_destructor()` is only called when the
resource is going to be released.  This recursion is not a real issue,
though, since the resource is never exposed to userland, and has at
most refcount 1, so due to well defined unsigned integer underflow, it
never is released twice.  However, returning early in this case causes
a memory leak which needs to be fixed.

4 years agoFixed bug #79062
Nikita Popov [Fri, 28 Feb 2020 16:06:05 +0000 (17:06 +0100)]
Fixed bug #79062

Back up the doc comment when performing heredoc scanahead.

4 years agoFix #79311: enchant_dict_suggest() fails on big endian architecture
Christoph M. Becker [Fri, 28 Feb 2020 12:18:00 +0000 (13:18 +0100)]
Fix #79311: enchant_dict_suggest() fails on big endian architecture

For obvious reasons, we must not assign a `size_t` value to an `int`
variable using memcpy().  However, there is actually no need for the
intermediate `n_sugg_st` here, if we use the proper types in the first
place.

A regression test is not necessary, because dict_suggest.phpt already
exhibits the erroneous behavior on big endian architectures.

4 years agoFix #79315 ZipArchive::addFile doesn't honor start/length parameters
Remi Collet [Fri, 28 Feb 2020 09:21:19 +0000 (10:21 +0100)]
Fix #79315 ZipArchive::addFile doesn't honor start/length parameters

4 years agoFixed incorrect overflow detection
Dmitry Stogov [Thu, 27 Feb 2020 20:37:41 +0000 (23:37 +0300)]
Fixed incorrect overflow detection

4 years agoAdd upgrading node regarding fix for bug #79271
Christoph M. Becker [Thu, 27 Feb 2020 09:32:24 +0000 (10:32 +0100)]
Add upgrading node regarding fix for bug #79271

Cf. <https://github.com/php/php-src/pull/5180#issuecomment-590259750>ff.

4 years agoFixed incorrect behavior of internal memory debugger
Dmitry Stogov [Thu, 27 Feb 2020 09:27:22 +0000 (12:27 +0300)]
Fixed incorrect behavior of internal memory debugger

4 years agoFix #64032: mysqli reports different client_version
Christoph M. Becker [Wed, 26 Feb 2020 17:33:25 +0000 (18:33 +0100)]
Fix #64032: mysqli reports different client_version

While `mysqli_get_client_version()` calls `mysql_get_client_version()`
to retrieve the client version, `mysql::$client_version` is initialized
to `MYSQL_VERSION_ID`.  Both should match though, and since the former
is the more useful information, we fix `mysql::$client_version`.

We do not add a regression test, because it would usually succeed
anyway, and we already have several tests with respective `assert()`s.

4 years agoFix #63206: Fully support error/exception_handler stacking, even with null or inside...
Mark Plomer [Mon, 24 Feb 2020 20:32:02 +0000 (21:32 +0100)]
Fix #63206: Fully support error/exception_handler stacking, even with null or inside the handler

Always push the current user_error/exception_handler to the stack,
even when it is empty, so restore_error_handler() always works as
expected.

The user_error_handler is especially temporarily empty when we are inside
the error handler, which caused inconsistent behaviour before.

4 years agoDon't treat any WS as start of header
Nikita Popov [Mon, 24 Feb 2020 09:19:58 +0000 (10:19 +0100)]
Don't treat any WS as start of header

Check that the header occurs after \n, not other whitespace
characters.

4 years agoReduce code duplication in HTTP header checks
Nikita Popov [Mon, 24 Feb 2020 08:58:29 +0000 (09:58 +0100)]
Reduce code duplication in HTTP header checks

4 years agoFixes #79265: Improper injection of Host header when using fopen for http requests
Miguel Xavier Penha Neto [Mon, 24 Feb 2020 05:04:37 +0000 (02:04 -0300)]
Fixes #79265: Improper injection of Host header when using fopen for http requests

Check all occurrences of the string "host:" (and other headers),
not just the first one.

4 years agoFix #79299: com_print_typeinfo prints duplicate variables
Christoph M. Becker [Sun, 23 Feb 2020 22:23:12 +0000 (23:23 +0100)]
Fix #79299: com_print_typeinfo prints duplicate variables

`lastid` has to retain its value during the traversal, so we move it to
an outer scope.

Patch contributed by Litiano Moura.

4 years agoFix #79294: ::columnType() may fail after SQLite3Stmt::reset()
Christoph M. Becker [Fri, 21 Feb 2020 12:24:37 +0000 (13:24 +0100)]
Fix #79294: ::columnType() may fail after SQLite3Stmt::reset()

The fix for feature request #53466 did not properly handle resetting of
the corresponding statement; the problem with this is that the
statement does not know about its result sets.  But even if we could
fix this, the `complete` handling still appears to be brittle, since
the `sqlite3_column_type()`docs[1] state:

| If the SQL statement does not currently point to a valid row, or if
| the column index is out of range, the result is undefined.

Fortunately, we can use `sqlite3_data_count()` instead, since[2]:

| If prepared statement P does not have results ready to return (via
| calls to the sqlite3_column() family of interfaces) then
| sqlite3_data_count(P) returns 0.

Thus, we guard `SQLite3::columnType()` with `sqlite3_data_count()`, and
completely drop updating the `php_sqlite3_result_object.complete`
field, but keep it for ABI BC purposes.

[1] <https://www.sqlite.org/c3ref/column_blob.html>
[2] <https://www.sqlite.org/c3ref/data_count.html>

4 years agoAdd test for bug #78569
Christoph M. Becker [Fri, 21 Feb 2020 09:30:51 +0000 (10:30 +0100)]
Add test for bug #78569

4 years agoFix NEWS [ci skip]
Christoph M. Becker [Thu, 20 Feb 2020 09:55:17 +0000 (10:55 +0100)]
Fix NEWS [ci skip]

Cosmetics.

4 years agoRemove extra tab in NEWS [ci skip]
Christoph M. Becker [Tue, 18 Feb 2020 10:09:37 +0000 (11:09 +0100)]
Remove extra tab in NEWS [ci skip]

4 years agoMerge branch 'PHP-7.2' into PHP-7.3
Remi Collet [Tue, 18 Feb 2020 10:00:49 +0000 (11:00 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  bump version to 7.2.29

4 years agobump version to 7.2.29
Remi Collet [Tue, 18 Feb 2020 10:00:28 +0000 (11:00 +0100)]
bump version to 7.2.29

4 years agoFix #79038: PDOStatement::nextRowset() leaks column values
Christoph M. Becker [Fri, 27 Dec 2019 12:20:11 +0000 (13:20 +0100)]
Fix #79038: PDOStatement::nextRowset() leaks column values

Firstly, we must not rely on `stmt->column_count` when freeing the
driver specific column values, but rather store the column count in
the driver data.  Since the column count is a `short`, 16 bit are
sufficient, so we can store it in reserved bits of `pdo_odbc_stmt`.

Furthermore, we must not allocate new column value storage when the
statement is not executed, but rather when the column value storage has
not been allocated.

Finally, we have to introduce a driver specific `cursor_closer` to
avoid that `::closeCursor()` calls `odbc_stmt_next_rowset()` which then
frees the column value storage, because it may be still needed for
bound columns.

4 years agoFix NEWS [ci skip]
Christoph M. Becker [Mon, 17 Feb 2020 18:35:42 +0000 (19:35 +0100)]
Fix NEWS [ci skip]

4 years agoMerge branch 'PHP-7.2' into PHP-7.3
Christoph M. Becker [Mon, 17 Feb 2020 18:22:15 +0000 (19:22 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  Update NEWS [ci skip]

4 years agoUpdate NEWS [ci skip]
Christoph M. Becker [Mon, 17 Feb 2020 18:21:51 +0000 (19:21 +0100)]
Update NEWS [ci skip]

4 years agoMerge branch 'PHP-7.2' into PHP-7.3
Christoph M. Becker [Mon, 17 Feb 2020 18:08:04 +0000 (19:08 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  Mark bug76348.phpt as online test
  Fix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access permissions
  Fix bug #79221 - Null Pointer Dereference in PHP Session Upload Progress

4 years agoFix # 79171: heap-buffer-overflow in phar_extract_file
Christoph M. Becker [Sun, 26 Jan 2020 15:03:35 +0000 (16:03 +0100)]
Fix # 79171: heap-buffer-overflow in phar_extract_file

We must not access memory outside of the allocated buffer.

4 years agoFix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access...
Stanislav Malyshev [Sun, 16 Feb 2020 06:17:14 +0000 (22:17 -0800)]
Fix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access permissions

4 years agoFix bug #79221 - Null Pointer Dereference in PHP Session Upload Progress
Stanislav Malyshev [Sun, 16 Feb 2020 04:52:19 +0000 (20:52 -0800)]
Fix bug #79221 - Null Pointer Dereference in PHP Session Upload Progress

4 years agoFix #79271: DOMDocumentType::$childNodes is NULL
Christoph M. Becker [Fri, 14 Feb 2020 09:55:17 +0000 (10:55 +0100)]
Fix #79271: DOMDocumentType::$childNodes is NULL

Dom level 2 core, DOM level 3 core and the DOM living standard agree
that `childNodes` always return a `NodeList`, and never `null`.

4 years agoMark bug76348.phpt as online test
Nikita Popov [Tue, 19 Mar 2019 14:47:25 +0000 (15:47 +0100)]
Mark bug76348.phpt as online test

4 years agoFix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access...
Stanislav Malyshev [Sun, 16 Feb 2020 06:17:14 +0000 (22:17 -0800)]
Fix bug #79082 - Files added to tar with Phar::buildFromIterator have all-access permissions

4 years agoFix bug #79221 - Null Pointer Dereference in PHP Session Upload Progress
Stanislav Malyshev [Sun, 16 Feb 2020 04:52:19 +0000 (20:52 -0800)]
Fix bug #79221 - Null Pointer Dereference in PHP Session Upload Progress

4 years agoMerge branch 'PHP-7.2' into PHP-7.3
Christoph M. Becker [Fri, 14 Feb 2020 08:22:37 +0000 (09:22 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  Fix typo in recent bugfix

4 years agoFix typo in recent bugfix
Christoph M. Becker [Fri, 14 Feb 2020 08:21:13 +0000 (09:21 +0100)]
Fix typo in recent bugfix

4 years agoMerge branch 'PHP-7.2' into PHP-7.3
Christoph M. Becker [Thu, 13 Feb 2020 14:14:45 +0000 (15:14 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  Fix #77569: Write Acess Violation in DomImplementation

4 years agoFix #77569: Write Acess Violation in DomImplementation
Christoph M. Becker [Thu, 13 Feb 2020 14:13:26 +0000 (15:13 +0100)]
Fix #77569: Write Acess Violation in DomImplementation

We must not assume that the zval IS_STRING.

4 years agoFix #79254: getenv() w/o arguments not showing changes
Christoph M. Becker [Tue, 11 Feb 2020 08:43:15 +0000 (09:43 +0100)]
Fix #79254: getenv() w/o arguments not showing changes

To be able to see changes done only with `SetEnvironmentVariable()`, we
have to use `GetEnvironmentStrings()` instead of `environ`, because the
latter sees only changes done with `putenv()`.

For best backward compatibility we're using `GetEnvironmentStringsA()`;
switching to the wide string version likely makes sense for master,
though.

4 years agoFix #79248: Traversing empty VT_ARRAY throws com_exception
Christoph M. Becker [Sat, 8 Feb 2020 15:56:30 +0000 (16:56 +0100)]
Fix #79248: Traversing empty VT_ARRAY throws com_exception

If the `VT_ARRAY` is empty, i.e. its upperbound is less than its lower
bound, we must not call `php_com_safearray_get_elem()`, because that
function throws in this case.

4 years agoSkip test case on x86 where it otherwise fails [ci skip]
Christoph M. Becker [Fri, 7 Feb 2020 20:00:27 +0000 (21:00 +0100)]
Skip test case on x86 where it otherwise fails [ci skip]

`-2200000000` can't be converted to integer on x86, so the constructor
call would fail.

4 years agoFix #79242: COM error constants don't match com_exception codes
Christoph M. Becker [Fri, 7 Feb 2020 17:04:14 +0000 (18:04 +0100)]
Fix #79242: COM error constants don't match com_exception codes

Because a `HRESULT` is a `LONG`[1], no special treatment is required on
x86 platforms to get appropriate values.  On x64 platforms we prefer
positive values, what we could accomplish by casting the `HRESULT`
value to `ULONG` and then to `zend_long`, but since the current
behavior is correct and the performance improvement is negligible, we
defer that to master.

[1] <https://docs.microsoft.com/en-us/windows/win32/winprog/windows-data-types#hresult>

4 years agoFix #66322: COMPersistHelper::SaveToFile can save to wrong location
Christoph M. Becker [Thu, 6 Feb 2020 13:59:55 +0000 (14:59 +0100)]
Fix #66322: COMPersistHelper::SaveToFile can save to wrong location

Saving under the given `filename` may also work, but since
`::LoadFromFile` uses the `fullpath` we follow suit.

4 years agoFixed bug #79188
Nikita Popov [Wed, 29 Jan 2020 09:57:44 +0000 (10:57 +0100)]
Fixed bug #79188

4 years agoNext is 7.3.16
Christoph M. Becker [Tue, 4 Feb 2020 10:38:29 +0000 (11:38 +0100)]
Next is 7.3.16

4 years agoFix #78090: bug45161.phpt takes forever to finish
Christoph M. Becker [Mon, 3 Feb 2020 10:47:01 +0000 (11:47 +0100)]
Fix #78090: bug45161.phpt takes forever to finish

Not all systems support the discard protocol (TCP port 9), and since
there is no particular reason to use it, we switch to using actual
server testing.

4 years agoFix #79191: Error in SoapClient ctor disables DOMDocument::save()
Christoph M. Becker [Mon, 3 Feb 2020 22:10:20 +0000 (23:10 +0100)]
Fix #79191: Error in SoapClient ctor disables DOMDocument::save()

The culprit is the too restrictive fix for bug #71536, which prevents
`php_libxml_streams_IO_write()` from properly executing when unclean
shutdown is flagged.  A *more* suitable solution is to move the
`xmlwriter_free_resource_ptr()` call from the `free_obj` handler to an
added `dtor_obj` handler, to avoid to write to a closed stream in case
of late object freeing.  This makes the `EG(active)` guard superfluous.

We also fix bug79029.phpt which has to use different variables for the
three parts to actually check the original shutdown issue.

Thanks to bwoebi and daverandom for helping to investigate this issue.

4 years agoRelax test expectation
Christoph M. Becker [Mon, 3 Feb 2020 12:02:12 +0000 (13:02 +0100)]
Relax test expectation

Since we're dealing with floating point numbers, precision issues may
hit us, and actually it's not necessary to check for the exact number
anyway, because it is not exact in the first place.  Therefore, we
relax the test expectations.

4 years agoFix #79212: NumberFormatter::format() may detect wrong type
Christoph M. Becker [Sun, 2 Feb 2020 12:38:34 +0000 (13:38 +0100)]
Fix #79212: NumberFormatter::format() may detect wrong type

We have to convert to number *before* detecting the type, to cater to
internal objects implementing `cast_object`.

We also get rid of the fallback behavior of using `FORMAT_TYPE_INT32`,
because that can no longer happen; after `convert_scalar_to_number_ex`
the type is either `IS_LONG` or `IS_DOUBLE`.  We cater explicitly to
the `IS_ARRAY` case what also avoids triggering a type confusion when
`::TYPE_INT64` is passed as `$type`.

4 years agoFix bug #76047
Nikita Popov [Fri, 31 Jan 2020 09:21:37 +0000 (10:21 +0100)]
Fix bug #76047

Unlink the current stack frame before freeing CVs or extra args.
This means it will no longer show up in back traces that are
generated during CV destruction.

We already did this prior to destructing the object/closure,
presumably for the same reason.

4 years agoFix #70078: XSL callbacks with nodes as parameter leak memory
Christoph M. Becker [Wed, 29 Jan 2020 17:23:51 +0000 (18:23 +0100)]
Fix #70078: XSL callbacks with nodes as parameter leak memory

The fix for bug #49634 solved a double-free by copying the node with
`xmlDocCopyNodeList()`, but the copied node is later freed by calling
`xmlFreeNode()` instead of `xmlFreeNodeList()`, thus leaking memory.
However, there is no need to treat the node as node list, i.e. to copy
also the node's siblings; just creating a recursive copy of the node
with `xmlDocCopyNode()` is sufficient, while that also avoids the leak.