* PHP-8.4:
Fix GH-18309: ipv6 filter integer overflow
Fix GH-18304: Changing the properties of a DateInterval through dynamic properties triggers a SegFault
* PHP-8.3:
Fix GH-18309: ipv6 filter integer overflow
Fix GH-18304: Changing the properties of a DateInterval through dynamic properties triggers a SegFault
For dynamic fetches the cache_slot will be NULL, so we have to check for
that when resetting the cache. For zip and xmlreader this couldn't
easily be tested because of a lack of writable properties.
Closes GH-18307.
The cache slot for FETCH_OBJ_W in function `test` is primed with the
class for C. The next call uses a simplexml instance and reuses the same
cache slot. simplexml's get_property_ptr handler does not use the cache
slot, so the old values remain in the cache slot. When
`zend_handle_fetch_obj_flags` is called this is not guarded by a check
for the class entry. So we end up using the prop_info from the property
C::$a instead of the simplexml property.
This patch adds a reset to the cache slots in the property address fetch
code and also in the extensions with a non-standard reference handler.
This keeps the run time cache consistent and avoids the issue without
complicating the fast paths.
Closes GH-17739.
Because the use of RETURN instead of RETVAL, the freeing code could not
be executed. This only is triggerable if the content of the attribute is
mixed text and entities, so it wasn't noticed earlier.
Closes GH-17147.
If the input contains NUL bytes then the length doesn't match the actual
duplicated string's length. Note that libxml can't handle this properly
anyway so we just reject NUL bytes and too long strings.
Closes GH-16467.
This never did anything in lower versions, but on master this crashes
because the virtual properties don't have backing storage. Just forbid
it since it was useless to begin with.
Closes GH-15891.
There's implicit truncation casts from zend_long to int which cause
issues because checks are done against the zend_longs. Since the
iterator infrastructure uses zend_longs, just convert everything to
zend_long.
Closes GH-15669.
For the read and write implementation, store the handler pointer in the
first cache slot.
For the write implementation, use the second cache slot to store the
property info.
For a micro-benchmark that performs a write:
```php
$dom = new DOMDocument;
for ($i=0;$i<9999999;$i++)
$dom->strictErrorChecking = false;
```
I obtain the following results on an i7-4790:
```
./sapi/cli/php ./write.php ran
1.42 ± 0.08 times faster than ./sapi/cli/php_old ./write.php
```
For a micro-benchmark that performs a read:
```php
$dom = new DOMDocument;
for ($i=0;$i<9999999;$i++)
$dom->strictErrorChecking;
```
I obtain the following results on the same machine:
```
./sapi/cli/php ./read.php ran
1.29 ± 0.13 times faster than ./sapi/cli/php_old ./read.php
```
When cloning a document, doc will not be equal to the actual new
document clone->doc. clone->doc will always point to the correct
document so use that instead when comparing document nodes.
Closes GH-15198.
This introduces a new helper php_dom_create_nullable_object() that does
the NULL check and puts NULL in return_value. Otherwise it runs
php_dom_create_object(). This deduplicates a bit of code.
The template element in HTML 5 is special in the sense that it does not
add its contents into the DOM tree, but instead keeps them in a separate
shadow DOM document fragment. Interacting with the DOM tree cannot touch
the elements in the document fragment.
Closes GH-14906.
We don't need to reconcile when we clone into the same document because
the namespace mapper is the same. Only when cloning into another
document is the namespace mapper different and do we need a
reconciliation.
