There is no such thing as the "end of the unix epoch", and if it was,
it would certainly not be 2037-10-11T02:00:00. There is, however,
potential integer overflow which we need to avoid.
Fix #78470: odbc_specialcolumns() no longer accepts $nullable
It is mandatory to pass either `SQL_NO_NULLS` or `SQL_NULLABLE` as
tenth parameter to `SQLSpecialColumns()`; otherwise the function call
fails. Therefore the user must be allowed to pass the desired value
as parameter to `odbc_specialcolumns()` again.
Fix #76735: Incorrect message in fopen on invalid mode
We have to log errors in `stream_opener` callbacks to the wrapper's
error log, because otherwise we may pick up an unrelated `errno` or a
most generic message.
Fix #77493: curl_basic_009 fails with newer curl versions
libcurl 7.62.0 introduced a maximum protocol length of 8, so this test
case failed with `CURLE_URL_MALFORMAT`. While this is lifted to 40 as
of libcurl 7.65.0, and this test case has already been fixed with
commit e27301c[1], we restore the original intention to check for a
`CURLE_UNSUPPORTED_PROTOCOL ` error.
If restoring of any not registered built-in wrapper is requested, the
function is supposed to fail with a warning, so we have to check this
condition first.
Furthermore, to be able to detect whether a built-in wrapper has been
changed, it is not sufficient to check whether *any* userland wrapper
has been registered, but rather whether the specific wrapper has been
modified.
Fix #79423: copy command is limited to size of file it can copy
Passing `NULL` as `lpFileSizeHigh` to `GetFileSize()` gives wrong
results for files larger than 0xFFFFFFFF bytes. We fix this by using
`GetFileSizeEx()`, and let the mapping fail, if the file size is too
large for the architecture.
Daniel Black [Tue, 21 Jul 2020 06:23:14 +0000 (16:23 +1000)]
Fix #78179: mysqli/mysqlnd transaction extensions
MariaDB versioning created a mess with regarding testing
features based on version. We sidestep the problem here
by assuming the extensions are present, and if a syntax
error occurs with a SQL mode TRANS_START_READ_WRITE |
TRANS_START_READ_ONLY enabled, then output the same
warning as before.
> The size of BLOB/TEXT data inserted in one transaction is greater
> than 10% of redo log size. Increase the redo log size using
> innodb_log_file_size.
Fix bug #80107: Handling of large compressed packets
There's two layers of packet splitting going on. First, packets
need to be split into having a payload of exactly 2^24-1 bytes or
being the last packet. If the split packet has size between 2^24-5
and 2^24-1 bytes, the compressed packets also needs to be split,
though the choice of split doesn't matter here. I'm splitting off
the first 8192 bytes, as that's what I observe libmysqlclient to be
doing.
Add db2_execute() to the list of functions accessing the local
scope. Ideally the API wouldn't do that, but it seems most
pragmatic to address this on the opcache side at this point.
Fix #80067: Omitting the port in bindto setting errors
A recent commit[1] which fixed a memory leak introduced a regression
regarding the formerly liberal handling of IP addresses to bind to. We
fix this by reverting that commit, and fix the memory leak where it
actually occurs. In other words, this fix is less intrusive than the
former fix.
Fix #79825: opcache.file_cache causes SIGSEGV with custom opcode handlers
Modules may have changed after restart which can cause dangling pointers from custom opcode handlers in the second-level cache files. This fix includes the installed module names and versions in the accel_system_id hash as entropy. Closes GH-5836
> The domain names passed to getmxrr() do not contain a trailing dot.
> DNS lookups which do not find records will (depending on the local
> resolver config) try again by adding the local domain to the end of
> the searched host/domain. In many environments there's an mx record
> for any subdomain of the local domain and the MX query will return
> a hit. But the test expects no hit. So the test fails when checking
> that "qa.php.net" does not have an MX record in DNS. In our local
> environment the resolver falls back to also check qa.php.net.kippdata.de
> which does have an MX record. Using "qa.php.net." instead of "qa.php.net"
> should fix this for everyone.
Handle memory limit error during string reallocation correctly
Do not decrement the refcount before allocating the new string,
as the allocation operation may bail out and cause a use-after-free
lateron. We can only decrement the refcount once the allocation
has succeeded.
Fix throwing of yield from related exceptions into generator
Use the general zend_generator_throw_exception() helper for this.
Otherwise we don't handle the off-by-one opline correctly (should
we maybe just stop doing that?)
This is a followup to ad750c3bb6e7b48384c6265eb9d3bcf5b4000652,
which fixed a different yield from exception handling problem that
happened to show up in the same test case from oss-fuzz #25321.
Now both issues should be fixed.
Matteo Beccati [Mon, 31 Aug 2020 08:45:36 +0000 (10:45 +0200)]
Fix #80027 Terrible performance using $query->fetch on queries with many bind parameters
Added new flags that allow skipping param_evt(s) that are not used by drivers,
in a backwards and forward compatible manner. Updated the pgsql, mysql, sqlite
and oci drivers to properly use the new flags. I've left out pdo_dblib, which
doesn't have a param_hook, and pdo_firebird, which seems to be using
PARAM_EVT_NORMALIZE in a wrong context (param type vs event type).
Nikita Popov [Wed, 12 Aug 2020 08:09:37 +0000 (10:09 +0200)]
Make MAX_IFD_NESTING_LEVEL an actual nesting level
Currently we only ever increment ifd_nesting_level, so this ends up
being a limit on the total number of IFD tags and we regularly get
bug reports of it being exceeded. I think the intention behind this
limit was to prevent recursion stack overflow, and for that we only
need to check actual recursive usage. I've implemented that here,
and dropped the nesting limit down to a smaller value
(which still passes our tests).
However, it seems that we do also need to have a total limit on
the number of tags, as we don't catch some instances of infinite
looping otherwise. Add this as a separate limit with a higher
value, that should hopefully be sufficient.
Nikita Popov [Thu, 27 Aug 2020 13:49:33 +0000 (15:49 +0200)]
Require non-negative length in stream_get_contents()
If the length is not -1, require it to be non-negative.
Using such lengths doesn't make sense (as only -1 is special-case
to read in chunks, anything else will end up doing a huge upfront
allocation) and can lead to string allocation overflow.
A similar check is already in place for file_get_contents(). That
one does not allow -1 (and uses null instead), but this function
is explicitly specified to accept -1, so stick to that behavior.
Fix #64130: COM obj parameters passed by reference are not updated
`ITypeInfo_GetIDsOfNames()` is supposed to fail with `E_NOTIMPL` for
out-of-process servers, thus we should not remove the already available
typeinfo of the object in this case.
Fix #79986: str_ireplace bug with diacritics characters
`tolower()` returns an `int`, so we must not convert to `char` which
may be `signed` and as such may be subject to overflow (actually,
implementation defined behavior).
Ahmed Abdou [Sun, 17 Feb 2019 21:59:00 +0000 (22:59 +0100)]
Fix #64705 errorInfo property of PDOException is null when PDO::__construct() fails
PDO driver constructors are throwing PdoException without setting
errorInfo, so create a new reusable function that throws exceptions
for PDO and will also set the errorInfo. Use this function in
pdo_mysql, pdo_sqlite, and pdo_pgsql.
Fix bug #75785 by attempt switching endianness on Maker's Note
Different manufacturer models may come with a
different endianness (motorola/intel) format. In
order to avoid a big refactor and a gigantic lookup
table, this commit simply attempts to switch the
endianness and proceed when values are acceptable.
Fix #48585: com_load_typelib holds reference, fails on second call
Whether the type library is cached is actually irrelevant here; what
matters is that the symbols are imported, and since these are not
cached, we have to import them for every request. And we cannot cache
the symbols, because the import depends on the current codepage, but
the codepage is a `PHP_INI_ALL` setting.
Fix #79922: Crash after multiple calls to xml_parser_free()
We must not call `zend_list_delete()` in resource closer functions
exposed to userland, because decreasing the refcount there leads to
use-after-free scenarios. In this case, commit 4a42fbb worked for
typical use-cases where `xml_parser_free()` has been called exactly
once for the resource, because there is an internal zval (`->index`)
referencing the same resource which already increased the refcount by
one. However, when `xml_parser_free()` is called multiple times on the
same XML parser resource, the resource would be freed prematurely.
Instead we forcefully close the resource in `xml_parser_free()`. We
also could decrease the refcount of the resource there, but that would
require to call `xml_parser_free()` which is somewhat uncommon, and
would be particularly bad wrt. PHP 8 where that function is a NOP, and
as such doesn't have to be called. So we do no longer increase the
refcount of the resource when copying it to the internal zval, and let
the usualy refcounting semantics take care of the resource destruction.