granicus.if.org Git - php/log
Christoph M. Becker [Wed, 29 Jan 2020 17:23:51 +0000 (18:23 +0100)]
Fix #70078: XSL callbacks with nodes as parameter leak memory

The fix for bug #49634 solved a double-free by copying the node with
`xmlDocCopyNodeList()`, but the copied node is later freed by calling
`xmlFreeNode()` instead of `xmlFreeNodeList()`, thus leaking memory.
However, there is no need to treat the node as node list, i.e. to copy
also the node's siblings; just creating a recursive copy of the node
with `xmlDocCopyNode()` is sufficient, while that also avoids the leak.

Nikita Popov [Thu, 30 Jan 2020 11:16:43 +0000 (12:16 +0100)]
Fix leak in DateTimeImmutable::modify()

Nikita Popov [Thu, 30 Jan 2020 10:20:42 +0000 (11:20 +0100)]
Add SKIPIF to test requiring mbregex

Nikita Popov [Wed, 29 Jan 2020 15:17:30 +0000 (16:17 +0100)]
Fix mb_ord() crash if internal encoding not supported

enc_name can be NULL here. Take the name from the mbfl_encoding
instead.

Nikita Popov [Wed, 29 Jan 2020 15:03:44 +0000 (16:03 +0100)]
Reset MBREX(search_re) in RSHUTDOWN

This is going to cause a segfault if reused in the next request.
To illustrate the issue, run these two scripts in sequence with
the built-in server:

// script1.php
mb_ereg_search_init('foobar');
mb_ereg_search('foo');

// script2.php
var_dump(mb_ereg_search_init("foobar"));
var_dump(mb_ereg_search_pos());

Nikita Popov [Wed, 29 Jan 2020 11:49:28 +0000 (12:49 +0100)]
Fix use of mb_ereg_search_getregs() after invalid pattern

This segfaulted because we assumed that if there are matches,
there must be a regular expression as well.

Christoph M. Becker [Sun, 26 Jan 2020 12:33:07 +0000 (13:33 +0100)]
Fix #76584: PharFileInfo::decompress not working

We actually have to decompress, when told to do so.

Ivan Mikheykin [Fri, 17 Jan 2020 19:26:35 +0000 (22:26 +0300)]
Fix bug #78323: Code 0 is returned on invalid options

Set CLI exit code to 1 when invalid parameters are passed,
and print error to stderr.

Florian Smeets [Sun, 26 Jan 2020 04:18:57 +0000 (05:18 +0100)]
Add CURLOPT CURLOPT_HTTP09_ALLOWED available since 7.64.0

George Peter Banyard [Sat, 25 Jan 2020 12:23:51 +0000 (13:23 +0100)]
Fixed bug #79080 [ci skip]

Rewrote session.gc_probability and session.gc_divisor INI setting
description to be more succinct.

Christoph M. Becker [Fri, 24 Jan 2020 09:18:01 +0000 (10:18 +0100)]
Make test independent of online XSD schema

The test still needs to access <http://www.w3.org/2009/01/xml.xsd>, but
at least we no longer depend on <http://x-road.eu/xsd/x-road.xsd>,
which may be moved again.

Christoph M. Becker [Fri, 24 Jan 2020 11:45:04 +0000 (12:45 +0100)]
Yet another check for php_strip_tags_ex()

Nikita Popov [Thu, 23 Jan 2020 14:08:20 +0000 (15:08 +0100)]
Fix bug76348.phpt

Adjust for URL change in XSD file and mark as online test.

Is it possible for us to store http://x-road.eu/xsd/xroad.xsd
locally instead? Do relative file system paths work here?
I'm not familiar with this.

liudaixiao [Mon, 16 Dec 2019 01:10:28 +0000 (09:10 +0800)]
Fixed bug #78902

Léopold Jacquot [Wed, 4 Dec 2019 14:14:50 +0000 (15:14 +0100)]
Add unit test for bug #78902

Nikita Popov [Thu, 23 Jan 2020 13:19:20 +0000 (14:19 +0100)]
Fixed bug #79151

Make sure we also NULL out next/prev of the removed element on
pop/shift. This only matters if that element is still being referenced
by an iterator.

Stanislav Malyshev [Thu, 23 Jan 2020 06:41:56 +0000 (22:41 -0800)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  More checks for php_strip_tags_ex

Stanislav Malyshev [Thu, 23 Jan 2020 06:36:53 +0000 (22:36 -0800)]
More checks for php_strip_tags_ex

Christoph M. Becker [Wed, 22 Jan 2020 10:13:12 +0000 (11:13 +0100)]
Don't leak encoding_str

Christoph M. Becker [Wed, 22 Jan 2020 09:25:37 +0000 (10:25 +0100)]
Fix #79154: mb_convert_encoding() can modify $from_encoding

We must not modify arrays passed by value.

Remi Collet [Wed, 22 Jan 2020 08:17:33 +0000 (09:17 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  next will be 7.2.28

Remi Collet [Wed, 22 Jan 2020 08:17:00 +0000 (09:17 +0100)]
next will be 7.2.28

Christoph M. Becker [Tue, 21 Jan 2020 15:17:25 +0000 (16:17 +0100)]
Fix #79145: openssl memory leak

We must increase the refcount of `return_value` only if `cert` is a
resource; this is already done in `php_openssl_evp_from_zval()`,
though.

Deus Kane [Mon, 20 Jan 2020 16:16:01 +0000 (16:16 +0000)]
Fix #79146: cscript can fail to run on some systems

In the buildconf and configure batch files, Windows' cscript utility was being
run without the /e:jscript flag. This works on systems that have not had the
default .js file association changed, but if .js has been re-associated to
(say) an IDE, the batch files fail with the error message:

Input Error: There is no script engine for file extension ".js".

Christoph M. Becker [Tue, 21 Jan 2020 10:31:14 +0000 (11:31 +0100)]
Update NEWS wrt. sec fixes

Stanislav Malyshev [Tue, 21 Jan 2020 06:22:02 +0000 (22:22 -0800)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  Update NEWS
  Fix bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`)
  Fix #79099: OOB read in php_strip_tags_ex
  Fix #79091: heap use-after-free in session_create_id()

Stanislav Malyshev [Tue, 21 Jan 2020 06:12:32 +0000 (22:12 -0800)]
Update NEWS

Stanislav Malyshev [Tue, 21 Jan 2020 05:42:44 +0000 (21:42 -0800)]
Fix bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`)

Stanislav Malyshev [Tue, 21 Jan 2020 05:33:17 +0000 (21:33 -0800)]
Fix #79099: OOB read in php_strip_tags_ex

Christoph M. Becker [Mon, 20 Jan 2020 17:05:00 +0000 (18:05 +0100)]
Fix #79091: heap use-after-free in session_create_id()

If the `new_id` is released, we must not use it again.

Nikita Popov [Fri, 17 Jan 2020 10:37:35 +0000 (11:37 +0100)]
Fixed bug #79115

Nikita Popov [Fri, 3 Jan 2020 10:14:45 +0000 (11:14 +0100)]
Fixed bug #71876

This is a backport of fcdc0a6db0ae63fbed9e3828137b899b844623ce
to the PHP-7.3 branch. We need to make sure that OnUpdateString
is also called for a NULL value, otherwise the reset of the encoding
at the end of the request will not work.

I believe I already tried to land this before once, but it didn't
actually end up on the PHP-7.3 branch due to a push conflict that
I only noticed just now.

Christoph M. Becker [Mon, 13 Jan 2020 10:47:40 +0000 (11:47 +0100)]
Fix #79084: mysqlnd may fetch wrong column indexes with MYSQLI_BOTH

Column names can be numeric strings, so we have to make sure to insert
the column values with the appropriate numeric keys, instead of adding
them.

Christoph M. Becker [Mon, 11 Nov 2019 11:14:05 +0000 (12:14 +0100)]
Fix test cases which fail on Windows debug builds

We use the portable {TMP} instead of the hard-coded /tmp, and skip
mysqli_debug_append.phpt on Windows, because unlinking the trace file
while the connection is still open won't work there.

(cherry picked from commit 60081ca20d5701111de5f94ae64909b1cc265f1e)

Christoph M. Becker [Fri, 10 Jan 2020 16:11:24 +0000 (06:11 +1400)]
Fix test for Windows ZTS builds

Cf. <https://bugs.php.net/bug.php?id=61685#1578672905>.

Christoph M. Becker [Wed, 8 Jan 2020 10:52:24 +0000 (11:52 +0100)]
Fix #79078: Hypothetical use-after-free in curl_multi_add_handle()

To avoid this, we have to verify the handlers already in
`curl_multi_add_handle()`, not only in `curl_multi_exec()`.

Christoph M. Becker [Tue, 7 Jan 2020 10:03:19 +0000 (11:03 +0100)]
Bump version

Christoph M. Becker [Mon, 6 Jan 2020 14:19:34 +0000 (15:19 +0100)]
Revert "Extend CURLFile to support streams"

This reverts commit 17a9f1401aeb35fe1e3657b38102a410d151d42f, because
this commit would break ABI, and also due to bug #79013.
We keep the commit for PHP 7.4+, though.

Christoph M. Becker [Sun, 5 Jan 2020 14:15:09 +0000 (15:15 +0100)]
Fix #54298: Using empty additional_headers adding extraneous CRLF

If the header string is empty, we pass `NULL` to `php_mail()` to avoid
further checks on the string length.

Christoph M. Becker [Mon, 6 Jan 2020 09:33:47 +0000 (10:33 +0100)]
Fix #79068: gdTransformAffineCopy() changes interpolation method

We port
<https://github.com/libgd/libgd/commit/9088591eae437358ee5b929adf82865e37e3001e>.

Christoph M. Becker [Mon, 6 Jan 2020 08:35:13 +0000 (09:35 +0100)]
Fix #79067: gdTransformAffineCopy() may use uninitialized values

We port
<https://github.com/libgd/libgd/commit/7a06c1669c563917bc48c464521e3de962ddb4e8>.

Christoph M. Becker [Thu, 14 Nov 2019 10:21:41 +0000 (11:21 +0100)]
Fix #78808: [LMDB] MDB_MAP_FULL: Environment mapsize limit reached

We implement support for a fifth parameter, which allows specifying the
mapsize.  The parameter defaults to zero, in which case the compiled-in
default mapsize (usually 1048576) will be used.  The mapsize should be
a multiple of the page size of the OS.

Christoph M. Becker [Mon, 25 Nov 2019 13:05:15 +0000 (14:05 +0100)]
Fix #78538: shmop memory leak

If the descriptor's refcount drops to zero, we have to unmap the
respective file view, to avoid leaking memory.

Christoph M. Becker [Mon, 23 Dec 2019 13:42:54 +0000 (14:42 +0100)]
Fix #79015: undefined-behavior in php_date.c

We check that the given microsecond fraction is in the valid range
[0, 1000000[, and otherwise mark it as invalid.  We also drop the
useless do loop; a plain block is sufficient here.

Christoph M. Becker [Mon, 30 Dec 2019 11:20:31 +0000 (12:20 +0100)]
Fix #79040: Warning Opcode handlers are unusable due to ASLR

We must not use the same shared memory OPcache instance for different
SAPIs, since their memory layout is different.  To avoid this, we add
the SAPI name (truncated to at most 20 characters) to the names of the
memory base file, the mutex and the file mapping.

Christoph M. Becker [Sat, 28 Dec 2019 10:00:37 +0000 (11:00 +0100)]
Add missing skipif clause

Christoph M. Becker [Sat, 28 Dec 2019 09:47:03 +0000 (10:47 +0100)]
Fix #79033: Curl timeout error with specific url and post

We must not set an empty mime structure as `CURLOPT_MIMEPOST`; instead
we set it to `NULL` if `CURLOPT_POSTFIELDS` has been set to an empty
array.

Xinchen Hui [Wed, 25 Dec 2019 11:05:44 +0000 (12:05 +0100)]
Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter).

We backport the fix to PHP 7.3, since this branch is affected as well.

(cherry picked from commit b5e004379647bd1ebb75eb2eac8826fb6abdd3d8)
(cherry picked from commit e36daa6927c05d2e687bb77495ef206cde118b33)
(cherry picked from commit 2704ee6844c03348de9d15e74646d09007ef0f7c)

SATO Kentaro [Tue, 17 Dec 2019 17:36:03 +0000 (02:36 +0900)]
Fix #78982: pdo_pgsql returns dead persistent connection

Call PQconsumeInput() before PQstatus() to update the status.

SATO Kentaro [Tue, 17 Dec 2019 17:16:55 +0000 (02:16 +0900)]
Fix #78980: pgsqlGetNotify() overlooks dead connection

pgsqlGetNotify() didn't check result of PQconsumeInput().

Sergei Turchanov [Thu, 29 Aug 2019 07:29:19 +0000 (17:29 +1000)]
Fix #74170: locale information change after mime_content_type

Some functions in libmagic (distributed with fileinfo extension) perform this sequence of calls:
func() {
    setlocale(LC_TYPE, "C")
    .. do some work ..
    setlocale(LC_TYPE, "")
}

It effectively resets LC_TYPE if it was set before the function call.

To avoid manipulations with current locale at all, the problematic functions
were modified to use locale-independent functions.

SATO Kentaro [Tue, 17 Dec 2019 19:03:42 +0000 (04:03 +0900)]
Fix #78402: pcntl_signal() misleading error message

An error message can be misleading when a handler
passed to pcntl_signal() is not callable.

Dmitry Stogov [Thu, 19 Dec 2019 20:11:08 +0000 (23:11 +0300)]
Fixed bug #78999 (Cycle leak when using function result as temporary)

SATO Kentaro [Tue, 17 Dec 2019 17:47:08 +0000 (02:47 +0900)]
Fix #78983: pdo_pgsql config.w32 cannot find libpq-fe.h

When configured with a path specified.

Nikita Popov [Thu, 19 Dec 2019 09:42:10 +0000 (10:42 +0100)]
Add destructor annotations in ini parser

It would be better to switch this to use %union and %type annotations,
but not going to do that change for 7.3.

Remi Collet [Wed, 18 Dec 2019 13:17:31 +0000 (14:17 +0100)]
fix release date

Remi Collet [Wed, 18 Dec 2019 13:17:21 +0000 (14:17 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  fix release date

Remi Collet [Wed, 18 Dec 2019 13:16:19 +0000 (14:16 +0100)]
fix release date

Nikita Popov [Wed, 18 Dec 2019 10:02:44 +0000 (11:02 +0100)]
Rethrow generator exception even without active stack frame

Finally blocks in generators may be invoked during shutdown, in
which case we don't have a stack frame. Similar to what
zend_call_function does, we still need to rethrow these exceptions,
otherwise they will be hidden (and leak).

Nikita Popov [Wed, 18 Dec 2019 09:10:30 +0000 (10:10 +0100)]
Fix freeing of dynamic call name

We need to free op2 if the call construction fails.

Also remove a redundant check for !call.

Christoph M. Becker [Tue, 17 Dec 2019 08:51:30 +0000 (09:51 +0100)]
Update/fix NEWS [ci skip]

Christoph M. Becker [Tue, 17 Dec 2019 09:01:50 +0000 (10:01 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  [ci skip] Update NEWS

Stanislav Malyshev [Tue, 17 Dec 2019 07:45:11 +0000 (23:45 -0800)]
[ci skip] Update NEWS

Stanislav Malyshev [Tue, 17 Dec 2019 07:41:04 +0000 (23:41 -0800)]
[ci skip] Update NEWS

Stanislav Malyshev [Mon, 16 Dec 2019 18:32:49 +0000 (10:32 -0800)]
Fix test

Stanislav Malyshev [Mon, 16 Dec 2019 18:04:03 +0000 (10:04 -0800)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  Fix test
  Fix bug #78793

Stanislav Malyshev [Mon, 16 Dec 2019 18:03:43 +0000 (10:03 -0800)]
Fix test

Stanislav Malyshev [Mon, 16 Dec 2019 09:14:38 +0000 (01:14 -0800)]
Fix bug #78793

Stanislav Malyshev [Mon, 16 Dec 2019 09:10:42 +0000 (01:10 -0800)]
Fix build - no model field anymore

Stanislav Malyshev [Mon, 16 Dec 2019 08:38:54 +0000 (00:38 -0800)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  Fixed bug #78910
  Fix #78878: Buffer underflow in bc_shift_addsub
  Fix test
  Fix #78862: link() silently truncates after a null byte on Windows
  Fix #78863: DirectoryIterator class silently truncates after a null byte

Stanislav Malyshev [Mon, 16 Dec 2019 08:10:39 +0000 (00:10 -0800)]
Fixed bug #78910

Christoph M. Becker [Sat, 30 Nov 2019 11:26:37 +0000 (12:26 +0100)]
Fix #78878: Buffer underflow in bc_shift_addsub

We must not rely on `isdigit()` to detect digits, since we only support
decimal ASCII digits in the following processing.

Stanislav Malyshev [Sat, 30 Nov 2019 23:37:28 +0000 (15:37 -0800)]
Fix test

Christoph M. Becker [Sat, 23 Nov 2019 12:01:33 +0000 (13:01 +0100)]
Fix #78862: link() silently truncates after a null byte on Windows

Since link() is supposed to accept paths (i.e. strings without NUL
bytes), we must not accept arbitrary strings.

Christoph M. Becker [Mon, 25 Nov 2019 15:56:34 +0000 (16:56 +0100)]
Fix #78863: DirectoryIterator class silently truncates after a null byte

Since the constructor of DirectoryIterator and friends is supposed to
accept paths (i.e. strings without NUL bytes), we must not accept
arbitrary strings.

Christoph M. Becker [Tue, 10 Dec 2019 17:43:01 +0000 (18:43 +0100)]
Fix #78943: mail() may release string with refcount==1 twice

Since we need `headers_lc` as well as `headers_trim` in the following,
we do not release the former even if they are the same string, to avoid
complicating the release logic even more.

A new test case is not necessary, since we already have
mail_basic_alt2-win32.phpt and others.

Nikita Popov [Fri, 13 Dec 2019 15:37:20 +0000 (16:37 +0100)]
Fixed bug #78921

By resetting fake_scope during autoloading. We already do the same
when executing destructors.

Nikita Popov [Tue, 10 Dec 2019 08:00:09 +0000 (09:00 +0100)]
Fix DCE with FE_FETCH

For now, don't treat FE_FETCH op2 as no-val use. See GH-4982.

Christoph M. Becker [Mon, 29 Apr 2019 08:21:07 +0000 (10:21 +0200)]
Extend CURLFile to support streams

Due to former restrictions of the libcurl API, curl multipart/formdata
file uploads supported only proper files.  However, as of curl 7.56.0
the new `curl_mime_*()` API is available (and already supported by
PHP[1]), which allows us to support arbitrary *seekable* streams, which
is generally desirable, and particularly resolves issues with the
transparent Unicode and long part support on Windows (see bug #77711).

Note that older curl versions are still supported, but CURLFile is
still restricted to proper files in this case.

[1] <http://git.php.net/?p=php-src.git;a=commit;h=a83b68ba56714bfa06737a61af795460caa4a105>

(cherry picked from commit c68dc6b5e37e74d89e0a387079139c054c8faa81)

Christoph M. Becker [Mon, 15 Apr 2019 16:24:59 +0000 (18:24 +0200)]
Use curl_mime_*() functions if available

As of curl 7.56.0, `curl_formadd()` is deprecated in favor of
`curl_mime_*()`, so we use the latter if available.

(cherry picked from commit a83b68ba56714bfa06737a61af795460caa4a105)

willson-chen [Sat, 7 Dec 2019 02:56:37 +0000 (10:56 +0800)]
Fix #78923: Artifacts when convoluting image with transparency

We have to properly initialize `pxl` before using it.

Fix ported from <https://github.com/libgd/libgd/pull/559>.

Nikita Popov [Fri, 6 Dec 2019 10:07:57 +0000 (11:07 +0100)]
Fix constant evaluation of && and ||

The "return" in the for loop should have been a break on the switch,
otherwise the result is just ignored... but because it prevents
evaluation of the other operand, it also violates the invariant that
everything has been constant evaluated, resulting in an assertion
failure.

The for loop isn't correct in any case though, because it's not legal
to determine the result based on just the second operand, as the
first one may have a side-effect that cannot be optimized away.

Nikita Popov [Wed, 4 Dec 2019 10:20:52 +0000 (11:20 +0100)]
Fix AST printing of nullable builtin types

Fixes oss-fuzz #19109.

Tyson Andre [Sat, 30 Nov 2019 19:14:06 +0000 (14:14 -0500)]
Fix print_r return types in opcache

https://www.php.net/print_r

> When the return parameter is TRUE, this function will return a string.
> Otherwise, the return value is TRUE.

Christoph M. Becker [Tue, 3 Dec 2019 11:04:17 +0000 (12:04 +0100)]
Next is 7.3.14

Remi Collet [Tue, 3 Dec 2019 10:26:05 +0000 (11:26 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  next is 7.2.27

Remi Collet [Tue, 3 Dec 2019 10:25:37 +0000 (11:25 +0100)]
next is 7.2.27

Christoph M. Becker [Mon, 2 Dec 2019 10:38:11 +0000 (11:38 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  Fix #78814: strip_tags allows / in tag name => whitelist bypass

Christoph M. Becker [Sun, 17 Nov 2019 13:14:59 +0000 (14:14 +0100)]
Fix #78814: strip_tags allows / in tag name => whitelist bypass

When normalizing tags to check whether they are contained in the set
of allowable tags, we must not strip slashes, unless they come
immediately after the opening `<`, or immediately before the closing
`>`.
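
The normalization rule stated in the commit message above, as an added C sketch (not code from php-src). `normalize_tag()` and `tag_allowed()` are hypothetical names, the allowed set is assumed to be a lowercase string such as `<strong><br>`, and `strict = 0` models dropping every slash while `strict = 1` drops one only right after `<` or right before `>`.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Normalize "<Name attrs...>", "</Name>" or "<Name/>" to "<name>".
 * strict == 0: drop every '/' (the behaviour the commit message rules out).
 * strict != 0: drop '/' only right after '<' or right before '>'.
 * Returns 0 on success, -1 if the input is not a tag or out is too small. */
int normalize_tag(const char *tag, char *out, size_t outsz, int strict)
{
    size_t n = 0;
    int in_name = 0;

    if (tag == NULL || tag[0] != '<' || outsz < 3)
        return -1;
    out[n++] = '<';

    for (size_t i = 1; tag[i] != '\0' && tag[i] != '>'; i++) {
        unsigned char c = (unsigned char)tag[i];

        if (isspace(c)) {
            if (in_name)
                break;      /* attributes follow: the name is complete */
            continue;       /* whitespace before the name starts */
        }
        if (c == '/') {
            int edge = (i == 1) || (tag[i + 1] == '>');
            if (!strict || edge)
                continue;   /* slash is dropped from the normalized form */
        }
        in_name = 1;
        if (n + 2 >= outsz) /* keep room for '>' and the terminator */
            return -1;
        out[n++] = (char)tolower(c);
    }
    out[n++] = '>';
    out[n] = '\0';
    return 0;
}

/* 1 if the normalized tag occurs in the allowed set, else 0. */
int tag_allowed(const char *tag, const char *allowed, int strict)
{
    char norm[64];

    if (normalize_tag(tag, norm, sizeof norm, strict) != 0)
        return 0;
    return strstr(allowed, norm) != NULL;
}

int main(void)
{
    /* Constructed sample inputs and a constructed allowed set. */
    const char *allowed = "<strong><br>";
    const char *samples[] = { "<strong>", "</STRONG>", "<br/>", "<br />",
                              "<s/trong>", "<a href=\"#\">" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s lax=%d strict=%d\n", samples[i],
               tag_allowed(samples[i], allowed, 0),
               tag_allowed(samples[i], allowed, 1));
    return 0;
}
```

Only `<s/trong>` changes between the two modes: with every slash dropped it normalizes to the allowed `<strong>`, with the edge-only rule it stays `<s/trong>` and is rejected.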

Christoph M. Becker [Mon, 25 Nov 2019 11:16:54 +0000 (12:16 +0100)]
Fix #78296: is_file fails to detect file

If we're constructing extended-length paths (i.e. paths prefixed with
`\\?\`), we have to replace all forward slashes with backward slashes,
because the former are not supported by Windows for extended-length
paths.

The more efficient and likely cleaner alternative solution would be to
cater to this in `php_win32_ioutil_normalize_path_w()` by always
replacing forward slashes, but that might break existing code.  It
might be sensible to change that for `master`, though.

Christoph M. Becker [Mon, 2 Dec 2019 10:18:58 +0000 (11:18 +0100)]
Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  Fix #78833: Integer overflow in pack causes out-of-bound access

Christoph M. Becker [Tue, 19 Nov 2019 13:22:26 +0000 (14:22 +0100)]
Fix #78833: Integer overflow in pack causes out-of-bound access

We check for potential signed integer overflow, and bail out
gracefully, in that case.

Christoph M. Becker [Sat, 30 Nov 2019 08:38:46 +0000 (09:38 +0100)]
Upgrade to Oniguruma 6.9.4

Oniguruma 6.9.4 fixes several CVEs.

Christoph M. Becker [Fri, 29 Nov 2019 22:50:05 +0000 (23:50 +0100)]
Add missing skip checks

Christoph M. Becker [Fri, 29 Nov 2019 22:28:28 +0000 (23:28 +0100)]
Partially revert "Adapt test cases for Oniguruma 6.9.4"

This partially reverts commit c55d09c2f547634b577aa5aeaa1438d772bc29d1,
because `MB_ONIGURUMA_VERSION` is only available as of PHP 7.4.0, so
that change made no sense for PHP-7.3; we keep it for PHP-7.4, though.
We also stick with the modification to bug78633.phpt.

Christoph M. Becker [Fri, 29 Nov 2019 15:47:10 +0000 (16:47 +0100)]
Adapt test cases for Oniguruma 6.9.4

Apparently, bug 78633 has now really been fixed; the former fix only
catered to the buffer overflow, but yielded a wrong result.  Also,
the order of the named captures has been fixed.

Christoph M. Becker [Tue, 26 Nov 2019 09:19:27 +0000 (10:19 +0100)]
Fix #78840: imploding $GLOBALS crashes

We add support for IS_INDIRECT zvals to implode().

Christoph M. Becker [Mon, 25 Nov 2019 14:44:15 +0000 (15:44 +0100)]
Fix #77638: var_export'ing certain class instances segfaults

If objects return immutable property hash tables (typically,
`zend_empty_array`), we must not try to apply recursion protection on
those.

Dmitry Stogov [Mon, 25 Nov 2019 11:05:43 +0000 (14:05 +0300)]
Fixed bug #78868 (Calling __autoload() with incorrect EG(fake_scope) value)

Christoph M. Becker [Fri, 22 Nov 2019 18:21:43 +0000 (19:21 +0100)]
Fix #78853: preg_match() may return integer > 1

Commit 54ebebd[1] optimized the match loop, but for this case it has
been overlooked that we must only loop if we're doing global matching.

[1] <http://git.php.net/?p=php-src.git;a=commit;h=54ebebd686255c5f124af718c966edb392782d4a>