Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.
To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.
Versions of libxml of 2.13 and higher are not affected.
This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
This fixes stream_socket_client() and fsockopen().
Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
Turns out that the instrumentation added for gcov can change inlining
decisions of the compiler, which results in a mismatch between the
profile data CFG and the actual generated CFG between compiles.
There are two functions that suffer from this issue:
1. _PHP_XXH3_Init: Removing the inline hint fixes this one. In fact,
always inlining this makes no sense as there's no real opportunity
for specialising. It just bloats the binary and increases I$ pressure.
So besides fixing this issue it's beneficial on its own to drop the
attribute.
2. PHP_XXH3_128_Final: Sometimes XXH128_canonicalFromHash gets inlined
and sometimes not. Make sure it gets always inlined.
Closes GH-18814.
This hack not only breaks the handling of custom allocators, but also
breaks if zend_alloc is compiled with USE_CUSTOM_MM.
This hack is just no good, if you want leak information then use ASAN.
Closes GH-18813.
GAS started checking the relocation for tlsgd: it must use the %rdi
register. However, the inline assembly now uses %rax instead.
Fix it by changing the "=a" output register to "=D".
Source: ec181e1710/gas/config/tc-i386.c (L6793)
gottpoff is unaffected.
Closes GH-18779.
This is backport for 8.3 of b222c020bf
that originally targeted only 8.4+. This is however a bug fix.
Following 68f6ab7113, the ext/curl doesn't
need to be linked against OpenSSL anymore, if curl_version_info_data
ssl_version is OpenSSL/1.1 or later.
With OpenSSL 3 and later the check for old SSL crypto locking callbacks
was detected here.
This also uses a common PHP_SETUP_OPENSSL macro for checking OpenSSL and
syncs the minimum OpenSSL version (currently 1.0.2 or later) across the
PHP build system.
This issue happens because http wrapper sets peer_name but then does not
remove so it stays in the context. The fix removes the peer name from
the context after enabling crypto.
In addition to bug #74796, this also fixes bug #76196.
In addition it should be a final fix for those SOAP bugs:
bug #69783
bug #52913
bug #61463
The resource check makes no sense, and the is_array() check doesn't
achieve anything. Drop the former, and replace the latter with a !
check.
Discovered while working on GH-18729.
Closes GH-18731.
`/./` matches all characters but newlines, so if `random_bytes`
generates a string with newlines in it, the resulting string is not
empty. Fix this by adding the `s` modifier.
This fixes null dereference error when calling fpm_get_status() and one
of the children is just being created.
Closes GH-18662
Co-authored-by: Jakub Zelenka <bukka@php.net>
The overflow checking code already existed, but didn't work because the
math was done on signed numbers instead of unsigned numbers.
In the process I also discovered a pre-existing issue that needs to be
fixed (and seems that other stream wrappers can have this issue too).
Closes GH-18644.
Introducing a new attribute macro in lower branches is an ABI break and
not allowed. However, we still need to fix the warnings such that
-Werror builds don't break. So we copy the macro from the master branch
to the C files in the appropriate places.
The assertion is imprecise now, and the code assumed that from the
moment an internal class was encountered that there were only internal
classes remaining. This is wrong now, and we still have to continue if
we encounter an internal class. We can only skip the remaining iterations
if the entry in the hash table is not an alias.
Closes GH-18575.
The VM assumes that an exception must be handled when the AST evaluation
returns FAILURE. However, the comparison functions always return SUCCESS
even if an exception happened. This can be fixed in
zend_ast_evaluate_inner() or we can make is_smaller_function() etc check
for the exception. I chose the former to avoid impact or API breaks.
Perhaps in the future the comparison functions should either return void
or return whether an exception happened, as to be not misleading.
Closes GH-18589.
This causes problems if an allocation profiler decides to walk the
stack, or if the engine itself OOMs on this opcode, and it tries to
print file and line information.
