diff --git a/NEWS b/NEWS
index 2ea9cb2ca33..341af094271 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,12 @@ PHP NEWS
 . Fix undefined behaviour in phpdbg_load_module_or_extension(). (nielsdos)
 . Fix NULL pointer dereference in phpdbg_create_conditional_breal(). (nielsdos)
+- Posix:
+ . Fix memory leak in posix_ttyname() (girgias)
+
+- Standard:
+ . Fix GH-10187 (Segfault in stripslashes() with arm64). (nielsdos)
+
 05 Jan 2023, PHP 8.2.1
 - Core:
diff --git a/ext/posix/posix.c b/ext/posix/posix.c
index ed7a93c5409..788fca0b287 100644
--- a/ext/posix/posix.c
+++ b/ext/posix/posix.c
@@ -474,15 +474,15 @@ PHP_FUNCTION(posix_ttyname)
 efree(p);
 RETURN_FALSE;
 }
- RETURN_STRING(p);
+ RETVAL_STRING(p);
 efree(p);
 #else
 if (NULL == (p = ttyname(fd))) {
 POSIX_G(last_error) = errno;
 RETURN_FALSE;
 }
-#endif
 RETURN_STRING(p);
+#endif
 }
 /* }}} */
diff --git a/ext/standard/string.c b/ext/standard/string.c
index a47687667a4..2198467926d 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -3990,19 +3990,23 @@ static zend_always_inline char *php_stripslashes_impl(const char *str, char *out
 quad_word q;
 vst1q_u8(q.mem, vceqq_u8(x, vdupq_n_u8('\\')));
 if (q.dw[0] | q.dw[1]) {
- int i = 0;
- for (; i < 16; i++) {
+ unsigned int i = 0;
+ while (i < 16) {
 if (q.mem[i] == 0) {
 *out++ = str[i];
+ i++;
 continue;
 }
 i++; /* skip the slash */
- char s = str[i];
- if (s == '0')
- *out++ = '\0';
- else
- *out++ = s; /* preserve the next character */
+ if (i < len) {
+ char s = str[i];
+ if (s == '0')
+ *out++ = '\0';
+ else
+ *out++ = s; /* preserve the next character */
+ i++;
+ }
 }
 str += i;
 len -= i;
diff --git a/ext/standard/tests/strings/gh10187.phpt b/ext/standard/tests/strings/gh10187.phpt
new file mode 100644
index 00000000000..b42c95e591e
--- /dev/null
+++ b/ext/standard/tests/strings/gh10187.phpt
@@ -0,0 +1,8 @@
+--TEST--
+GH-10187 (Segfault in stripslashes() with arm64)
+--FILE--
+
+--EXPECT--
+string(15) "1234567890abcde"
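Review bot: The two branches of posix_ttyname() in ext/posix/posix.c now own `p` differently, and nothing in the code says so even though the fix depends on it. In the first branch `efree(p)` is reached only because `RETVAL_STRING(p)` copies the string and does not return, whereas in the `#else` branch `p` comes from `ttyname()` and must never be freed. I would add `/* RETVAL_STRING copies p and does not return, so the efree() below runs */` above the new line and `/* ttyname() returns libc-owned storage: do not efree() */` above the `RETURN_STRING(p)` that moved inside `#else`. The allocation of `p` lies above the hunk, so that it is an `emalloc`-family buffer is assumed from the visible `efree()` calls.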
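Review bot: In the ext/standard/string.c hunk, `i` can now leave the `while (i < 16)` loop as 17, and the `len -= i` after the loop stays in range only because of the new `if (i < len)` guard; that invariant is not written down anywhere. A comment on the guard such as `/* a slash in the last lane consumes str[16]; take it only if the input has that byte, otherwise len -= i would wrap */` would keep a later cleanup from removing the check. The declaration of `len` and the loop that loads each 16-byte block start outside the hunk, so the unsigned type of `len` and the precondition that at least 16 bytes remain are assumed here.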
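Review bot: The new gh10187.phpt pins one input only, while the patched branch in string.c has a second boundary path: a backslash in the sixteenth byte of a longer string, where the escaped character is the first byte after the block and `i` advances to 17. A second `var_dump(stripslashes(...))` case of that shape, plus one where a `\0` escape is split across the block boundary in the same way, would cover it. The body of the FILE section is not visible on this page, so this assumes it holds a single call matching the single EXPECT line.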