Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.
To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.
Versions of libxml of 2.13 and higher are not affected.
This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
This fixes stream_socket_client() and fsockopen().
Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
Turns out that the instrumentation added for gcov can change inlining
decisions of the compiler, which results in a mismatch between the
profile data CFG and the actual generated CFG between compiles.
There are two functions that suffer from this issue:
1. _PHP_XXH3_Init: Removing the inline hint fixes this one. In fact,
always inlining this makes no sense as there's no real opportunity
for specialising. It just bloats the binary and increases I$ pressure.
So besides fixing this issue it's beneficial on its own to drop the
attribute.
2. PHP_XXH3_128_Final: Sometimes XXH128_canonicalFromHash gets inlined
and sometimes not. Make sure it gets always inlined.
Closes GH-18814.
This hack not only breaks the handling of custom allocators, but also
breaks if zend_alloc is compiled with USE_CUSTOM_MM.
This hack is just no good, if you want leak information then use ASAN.
Closes GH-18813.
GAS started checking the relocation for tlsgd: it must use the %rdi
register. However, the inline assembly now uses %rax instead.
Fix it by changing the "=a" output register to "=D".
Source: ec181e1710/gas/config/tc-i386.c (L6793)
gottpoff is unaffected.
Closes GH-18779.
* PHP-8.3:
pdo_odbc: Fix memory leak if WideCharToMultiByte() fails
Fix memory leak on php_odbc_fetch_hash() failure
Do not delete main chunk in zend_gc
This is backport for 8.3 of b222c020bf
that originally targeted only 8.4+. This is however a bug fix.
Following 68f6ab7113, the ext/curl doesn't
need to be linked against OpenSSL anymore, if curl_version_info_data
ssl_version is OpenSSL/1.1 or later.
With OpenSSL 3 and later the check for old SSL crypto locking callbacks
was detected here.
This also uses a common PHP_SETUP_OPENSSL macro for checking OpenSSL and
syncs the minimum OpenSSL version (currently 1.0.2 or later) across the
PHP build system.
This issue happens because http wrapper sets peer_name but then does not
remove so it stays in the context. The fix removes the peer name from
the context after enabling crypto.
In addition to bug #74796, this also fixes bug #76196.
In addition it should be a final fix for those SOAP bugs:
bug #69783
bug #52913
bug #61463
This API can't handle references, yet everyone keeps forgetting that it
can't and that you should DEREF upfront. Fix every type of this issue
once and for all by moving the reference handling to this Zend API.
Closes GH-18761.
The $classList property is special in the sense that it's a cached
object instance per (HTML)Element instance. The reason for this design
is because it has the [[SameObject]] IDL attribute.
Cloning in PHP also clones the properties, so it also clones the cached
instance. To solve this, we undo this by resetting the backing storage.
Closes GH-18749.
The intent here was to assign the first found line. Instead this
always fell back to CG(zend_lineno).
Not sure if this line matters for anything in php-src, but the
issue was observed in https://github.com/nikic/php-ast/issues/247.
The resource check makes no sense, and the is_array() check doesn't
achieve anything. Drop the former, and replace the latter with a !
check.
Discovered while working on GH-18729.
Closes GH-18731.
`/./` matches all characters but newlines, so if `random_bytes`
generates a string with newlines in it, the resulting string is not
empty. Fix this by adding the `s` modifier.
