The issue is about not being able to connect as cafile for SNI
is not used in its SSL context. This sets it up so it is possible
to capture the client certificate which is only possible when
verify_peer is true.
Closes GH-18893
There are two bugfixes here.
The first was a crash that I discovered while working on GH-19035.
The check for when a file pointer was still occupied was wrong, leading
to a UAF. Strangely, zip got this right.
The second issue was that even after fixing the first one, the file
contents were garbage. This is because the file write offset for the
phar stream was wrong.
Closes GH-19038.
The copy function does two things wrong:
- The error recovery logic is a hack that temporarily moves the fp
pointer to cfp, even though it's not compressed. The respective error
recovery it talks about is not present in the code, nor is it
necessary. This is the direct cause of the double free in the original
reproducer. Fixing this makes it crash in another location though.
- The link following logic is inconsistent and illogical. It cannot be a
link at this point.
The root cause, after fixing the above issues, is that the file pointers
are not reset properly for the copy. The file pointer need to be the
original ones to perform the copy from the right source, but after that
they need to be set properly to NULL (because fp_type == PHAR_FP).
Closes GH-19035.
Co-authored-by: Yun Dou <dixyes@gmail.com>
Currently the resource is attached to the object and its refcount is
increased. This means that the refcount to the resource is 2 instead of
1 as expected. A refcount of 2 is necessary in the current code because
of how the error handling works: by using convert_to_null() the resource
actually goes to rc_dtor_func(), dropping its refcount to 1. So on error
the refcount is correct.
To solve the issue, let `stream` conceptually be a borrow of the
resource with refcount 1, and just use ZVAL_NULL() to prevent calling
rc_dtor_func() on the resource.
Closes GH-19001.
Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.
To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.
Versions of libxml of 2.13 and higher are not affected.
This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
This fixes stream_socket_client() and fsockopen().
Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
When the array functions perform their operation in-place, the
`@refcount 1` annotation is wrong and causes a failure under
`ZEND_VERIFY_FUNC_INFO`.
The test file tests all functions that have the in-place optimization,
even those that didn't have the refcount annotation, just to prevent
future regressions.
Closes GH-18929.
During persisting, the JIT may trigger and fill in the call graph.
The call graph info is allocated on the arena which will be gone after preloading.
To prevent invalid accesses during normal requests, the arena data should be cleared.
This has to be done after all scripts have been persisted because shared op arrays between
scripts can change the call graph.
Closes GH-18916.
ZEND_FUNC_INFO() can not be used on internal CE's. If preloading makes a
CE that's an alias of an internal class, the invalid access happens when
setting the FUNC_INFO.
While we could check the class type to be of user code, we can just skip
aliases altogether anyway which may be faster.
Closes GH-18915.
Clearly nobody has used this in a while given the compile errors and
warnings.
This patch fixes them so there are no errors nor warnings anymore.
Closes GH-18910.
We prevent signed overflow by making the count unsigned. The actual
interpretation of the count doesn't matter as it's just used to denote a
limit.
The test output for some limit values looks strange though, so that may
need extra investigation. However, that's orthogonal to this fix.
Closes GH-18906.
This happens because there are no checks in php_stream_fill_read_buffer
calls. This should not fail always but only on fatal error so special
flag is needed for that.
Closes GH-18778
These tests attempt to test that no memory is leaked for stream calls. However,
it is incorrect to assume the memory will not increase for other reasons, e.g.
when growing resource buffers, for the output buffer, etc. This was discovered
through 9cacc57350 with USE_TRACKED_ALLOC=1, but
this can also fail with USE_ZEND_ALLOC=1 when increasing loop iterations.
Turns out that the instrumentation added for gcov can change inlining
decisions of the compiler, which results in a mismatch between the
profile data CFG and the actual generated CFG between compiles.
There are two functions that suffer from this issue:
1. _PHP_XXH3_Init: Removing the inline hint fixes this one. In fact,
always inlining this makes no sense as there's no real opportunity
for specialising. It just bloats the binary and increases I$ pressure.
So besides fixing this issue it's beneficial on its own to drop the
attribute.
2. PHP_XXH3_128_Final: Sometimes XXH128_canonicalFromHash gets inlined
and sometimes not. Make sure it gets always inlined.
Closes GH-18814.
GAS started checking the relocation for tlsgd: it must use the %rdi
register. However, the inline assembly now uses %rax instead.
Fix it by changing the "=a" output register to "=D".
Source: ec181e1710/gas/config/tc-i386.c (L6793)
gottpoff is unaffected.
Closes GH-18779.
This is backport for 8.3 of b222c020bf
that originally targeted only 8.4+. This is however a bug fix.
Following 68f6ab7113, the ext/curl doesn't
need to be linked against OpenSSL anymore, if curl_version_info_data
ssl_version is OpenSSL/1.1 or later.
With OpenSSL 3 and later the check for old SSL crypto locking callbacks
was detected here.
This also uses a common PHP_SETUP_OPENSSL macro for checking OpenSSL and
syncs the minimum OpenSSL version (currently 1.0.2 or later) across the
PHP build system.
This issue happens because http wrapper sets peer_name but then does not
remove so it stays in the context. The fix removes the peer name from
the context after enabling crypto.
In addition to bug #74796, this also fixes bug #76196.
In addition it should be a final fix for those SOAP bugs:
bug #69783
bug #52913
bug #61463
The resource check makes no sense, and the is_array() check doesn't
achieve anything. Drop the former, and replace the latter with a !
check.
Discovered while working on GH-18729.
Closes GH-18731.
`/./` matches all characters but newlines, so if `random_bytes`
generates a string with newlines in it, the resulting string is not
empty. Fix this by adding the `s` modifier.
The overflow checking code already existed, but didn't work because the
math was done on signed numbers instead of unsigned numbers.
In the process I also discovered a pre-existing issue that needs to be
fixed (and seems that other stream wrappers can have this issue too).
Closes GH-18644.
