Merge branch 'PHP-8.4'

* PHP-8.4:
  Fix GH-18309: ipv6 filter integer overflow
  Fix GH-18304: Changing the properties of a DateInterval through dynamic properties triggers a SegFault
Niels Dossche 2025-04-11 23:36:42 +02:00
commit 3ba725a556
GPG key ID: B8A8AD166DF0E2E5
15 changed files with 130 additions and 11 deletions


@ -4567,7 +4567,9 @@ static zval *date_interval_get_property_ptr_ptr(zend_object *object, zend_string
zend_string_equals_literal(name, "days") || zend_string_equals_literal(name, "days") ||
zend_string_equals_literal(name, "invert") ) { zend_string_equals_literal(name, "invert") ) {
/* Fallback to read_property. */ /* Fallback to read_property. */
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; if (cache_slot) {
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
}
ret = NULL; ret = NULL;
} else { } else {
ret = zend_std_get_property_ptr_ptr(object, name, type, cache_slot); ret = zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
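Review bot: The guard `if (cache_slot) { cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; }` is hand-written here and again in the dom, pdo_row, sxe, snmp, spl_array, xmlreader and zip handlers, so the next handler that resets the cache can miss the NULL check again. Consider one shared inline helper that takes `cache_slot` and does the checked reset. Its comment should state that `cache_slot` may be NULL, which is apparently what happens on the variable-property-name path the new tests exercise. date_interval_get_property_ptr_ptr starts and ends outside this hunk.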


@ -0,0 +1,35 @@
--TEST--
GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
--CREDITS--
orose-assetgo
--FILE--
<?php
$di = new \DateInterval('P0Y');
$field = 'd';
$i = 1;
$di->$field += $i;
var_dump($di);
?>
--EXPECT--
object(DateInterval)#1 (10) {
["y"]=>
int(0)
["m"]=>
int(0)
["d"]=>
int(1)
["h"]=>
int(0)
["i"]=>
int(0)
["s"]=>
int(0)
["f"]=>
float(0)
["invert"]=>
int(0)
["days"]=>
bool(false)
["from_string"]=>
bool(false)
}


@ -357,7 +357,9 @@ static zval *dom_get_property_ptr_ptr(zend_object *object, zend_string *name, in
return zend_std_get_property_ptr_ptr(object, name, type, cache_slot); return zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
} }
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; if (cache_slot) {
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
}
return NULL; return NULL;
} }


@ -0,0 +1,15 @@
--TEST--
GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
--CREDITS--
orose-assetgo
--EXTENSIONS--
dom
--FILE--
<?php
$text = new \DOMText();
$field = 'textContent';
$text->$field .= 'hello';
var_dump($text->$field);
?>
--EXPECT--
string(5) "hello"


@ -758,7 +758,8 @@ static bool _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8]
{ {
int compressed_pos = -1; int compressed_pos = -1;
int blocks = 0; int blocks = 0;
int num, n, i; unsigned int num, n;
int i;
const char *ipv4; const char *ipv4;
const char *end; const char *end;
int ip4elm[4]; int ip4elm[4];
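Review bot: The new declaration `unsigned int num, n;` has no comment saying why the type matters, so a later cleanup could easily turn it back into `int`. The hex-digit accumulation into `num` is presumably further down in _php_filter_validate_ipv6, outside this hunk, where unsigned arithmetic lets an over-long group wrap instead of overflowing a signed int. I would add `/* unsigned: an over-long hex group must wrap, not overflow a signed int (GH-18309) */` above the declaration. It is also worth confirming that a group longer than four digits is rejected before `num` is stored into the `int ip[8]` output, since the wrapped value is otherwise meaningless.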


@ -0,0 +1,10 @@
--TEST--
GH-18309 (ipv6 filter integer overflow)
--EXTENSIONS--
filter
--FILE--
<?php
var_dump(filter_var('fffffffffffffffffffffffffffffffffffff::', FILTER_VALIDATE_IP, FILTER_FLAG_IPV6));
?>
--EXPECT--
bool(false)


@ -2387,9 +2387,10 @@ static zval *pdo_row_get_property_ptr_ptr(zend_object *object, zend_string *name
ZEND_IGNORE_VALUE(object); ZEND_IGNORE_VALUE(object);
ZEND_IGNORE_VALUE(name); ZEND_IGNORE_VALUE(name);
ZEND_IGNORE_VALUE(type); ZEND_IGNORE_VALUE(type);
ZEND_IGNORE_VALUE(cache_slot);
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; if (cache_slot) {
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
}
return NULL; return NULL;
} }
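Review bot: The guard added in pdo_row_get_property_ptr_ptr has no regression test among the files in this commit, while the date, dom, simplexml, snmp and spl handlers each get a .phpt. The xmlreader and zip handlers are in the same position. A short test per handler that does a compound assignment through a variable property name, mirroring the other GH-18304 tests, would keep the NULL `cache_slot` path covered for all of them.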


@ -631,7 +631,9 @@ static zval *sxe_property_get_adr(zend_object *object, zend_string *zname, int f
SXE_ITER type; SXE_ITER type;
zval member; zval member;
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; if (cache_slot) {
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
}
sxe = php_sxe_fetch_object(object); sxe = php_sxe_fetch_object(object);
GET_NODE(sxe, node); GET_NODE(sxe, node);


@ -0,0 +1,18 @@
--TEST--
GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
--CREDITS--
orose-assetgo
--EXTENSIONS--
simplexml
--FILE--
<?php
$sxe = simplexml_load_string('<root><abc/></root>');
$field = 'abc';
$sxe->$field .= 'hello';
var_dump($sxe->$field);
?>
--EXPECT--
object(SimpleXMLElement)#3 (1) {
[0]=>
string(5) "hello"
}


@ -1921,7 +1921,9 @@ static zval *php_snmp_get_property_ptr_ptr(zend_object *object, zend_string *nam
return zend_std_get_property_ptr_ptr(object, name, type, cache_slot); return zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
} }
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; if (cache_slot) {
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
}
return NULL; return NULL;
} }


@ -0,0 +1,15 @@
--TEST--
GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
--CREDITS--
orose-assetgo
--EXTENSIONS--
snmp
--FILE--
<?php
$snmp = new SNMP(1, '127.0.0.1', 'community');
$field = 'max_oids';
$snmp->$field++;
var_dump($snmp->$field);
?>
--EXPECT--
int(1)


@ -863,7 +863,9 @@ static zval *spl_array_get_property_ptr_ptr(zend_object *object, zend_string *na
if ((intern->ar_flags & SPL_ARRAY_ARRAY_AS_PROPS) != 0 if ((intern->ar_flags & SPL_ARRAY_ARRAY_AS_PROPS) != 0
&& !zend_std_has_property(object, name, ZEND_PROPERTY_EXISTS, NULL)) { && !zend_std_has_property(object, name, ZEND_PROPERTY_EXISTS, NULL)) {
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; if (cache_slot) {
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
}
/* If object has offsetGet() overridden, then fallback to read_property, /* If object has offsetGet() overridden, then fallback to read_property,
* which will call offsetGet(). */ * which will call offsetGet(). */


@ -0,0 +1,14 @@
--TEST--
GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
--CREDITS--
orose-assetgo
--FILE--
<?php
$ao = new ArrayObject(['abc' => 1]);
$ao->setFlags(ArrayObject::ARRAY_AS_PROPS);
$field = 'abc';
$ao->$field++;
var_dump($ao->$field);
?>
--EXPECT--
int(2)


@ -117,7 +117,7 @@ static zval *xmlreader_get_property_ptr_ptr(zend_object *object, zend_string *na
xmlreader_prop_handler *hnd = zend_hash_find_ptr(&xmlreader_prop_handlers, name); xmlreader_prop_handler *hnd = zend_hash_find_ptr(&xmlreader_prop_handlers, name);
if (hnd == NULL) { if (hnd == NULL) {
retval = zend_std_get_property_ptr_ptr(object, name, type, cache_slot); retval = zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
} else { } else if (cache_slot) {
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL; cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
} }


@ -889,8 +889,6 @@ static zval *php_zip_get_property_ptr_ptr(zend_object *object, zend_string *name
zval *retval = NULL; zval *retval = NULL;
zip_prop_handler *hnd = NULL; zip_prop_handler *hnd = NULL;
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
obj = php_zip_fetch_object(object); obj = php_zip_fetch_object(object);
if (obj->prop_handler != NULL) { if (obj->prop_handler != NULL) {
@ -899,6 +897,8 @@ static zval *php_zip_get_property_ptr_ptr(zend_object *object, zend_string *name
if (hnd == NULL) { if (hnd == NULL) {
retval = zend_std_get_property_ptr_ptr(object, name, type, cache_slot); retval = zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
} else if (cache_slot) {
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
} }
return retval; return retval;