The `defaultMemoryManager` is only available via a non-public
header and is not supposed to be used by users of the library [1].
It also has a very generic name, further indicating that it is not
supposed to be used.
Instead pass the memory manager explicitly, which is how the library is
supposed to be used.
[1] https://github.com/uriparser/uriparser/issues/52#issuecomment-453853700
There are two bugfixes here.
The first was a crash that I discovered while working on GH-19035.
The check for when a file pointer was still occupied was wrong, leading
to a UAF. Strangely, zip got this right.
The second issue was that even after fixing the first one, the file
contents were garbage. This is because the file write offset for the
phar stream was wrong.
Closes GH-19038.
The copy function does two things wrong:
- The error recovery logic is a hack that temporarily moves the fp
pointer to cfp, even though it's not compressed. The respective error
recovery it talks about is not present in the code, nor is it
necessary. This is the direct cause of the double free in the original
reproducer. Fixing this makes it crash in another location though.
- The link following logic is inconsistent and illogical. It cannot be a
link at this point.
The root cause, after fixing the above issues, is that the file pointers
are not reset properly for the copy. The file pointer need to be the
original ones to perform the copy from the right source, but after that
they need to be set properly to NULL (because fp_type == PHAR_FP).
Closes GH-19035.
Co-authored-by: Yun Dou <dixyes@gmail.com>
Relates to #14461 and https://wiki.php.net/rfc/url_parsing_api
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Co-authored-by: Tim Düsterhus <tim@tideways-gmbh.com>
The code is already looking up the entry in the function table anyway,
so might as well use it directly.
This simplifies the code and avoids a redundant lookup.
* PHP-8.4:
Fix GH-18990, bug #81029, bug #47314: SOAP HTTP socket not closing on object destruction
Fix leak when path is too long in ZipArchive::extractTo()
curl: Remove incorrect string release on error
* PHP-8.3:
Fix GH-18990, bug #81029, bug #47314: SOAP HTTP socket not closing on object destruction
Fix leak when path is too long in ZipArchive::extractTo()
curl: Remove incorrect string release on error
Currently the resource is attached to the object and its refcount is
increased. This means that the refcount to the resource is 2 instead of
1 as expected. A refcount of 2 is necessary in the current code because
of how the error handling works: by using convert_to_null() the resource
actually goes to rc_dtor_func(), dropping its refcount to 1. So on error
the refcount is correct.
To solve the issue, let `stream` conceptually be a borrow of the
resource with refcount 1, and just use ZVAL_NULL() to prevent calling
rc_dtor_func() on the resource.
Closes GH-19001.
`zend_enum_new()` is not intended to be used “at runtime”, since it will create
a new object, breaking the singleton property. Instead
`zend_enum_get_case_cstr()` must be used.
Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.
To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.
Versions of libxml of 2.13 and higher are not affected.
This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
This fixes stream_socket_client() and fsockopen().
Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
