From 58df9fcf98350af60d6eea3425e563946d5c897b Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 24 Oct 2025 10:21:26 +0200
Subject: [PATCH 1/2] Fix UAF in tidy when tidySetErrorBuffer() fails

We should not free `intern` as its stored in the object store as well, so the object store will already free it, leading to a UAF when the object store tries to read the object's fields. Closes GH-20276.
---
 NEWS | 2 +-
 ext/tidy/tidy.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 0ecf44b4c4c..01b077a7b83 100644
--- a/NEWS
+++ b/NEWS
@@ -74,10 +74,10 @@ PHP NEWS . Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect condition for Win32/Win64. (Jakub Zelenka) - - Tidy: . Fixed GH-19021 (improved tidyOptGetCategory detection). (arjendekorte, David Carlier, Peter Kokot) + . Fix UAF in tidy when tidySetErrorBuffer() fails. (nielsdos) - XMLReader: . Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available.
diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c
index a42e2bc2037..434d5a8493b 100644
--- a/ext/tidy/tidy.c
+++ b/ext/tidy/tidy.c
@@ -434,7 +434,7 @@ static zend_object *tidy_object_new(zend_class_entry *class_type, zend_object_ha
 		efree(intern->ptdoc->errbuf);
 		tidyRelease(intern->ptdoc->doc);
 		efree(intern->ptdoc);
-		efree(intern);
+ /* TODO: convert to exception */ php_error_docref(NULL, E_ERROR, "Could not set Tidy error buffer"); }

From aebe5c92a9fc72786df0da91b792cdd79db5ffd1 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 24 Oct 2025 21:20:25 +0200
Subject: [PATCH 2/2] Fix macro check that I forgot to commit

---
 ext/pdo_mysql/mysql_statement.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/pdo_mysql/mysql_statement.c b/ext/pdo_mysql/mysql_statement.c
index 722d0824711..0ce7c7224dc 100644
--- a/ext/pdo_mysql/mysql_statement.c
+++ b/ext/pdo_mysql/mysql_statement.c
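Review bot: Dropping `efree(intern);` stops the double ownership, but the hunk still leaves `intern->ptdoc` dangling after `efree(intern->ptdoc);` while `intern` now lives on until the object store tears it down; whatever the object's free handler does with `ptdoc` (it is not in this hunk, but the commit message says the store will read the object's fields) would then be a read or second free through a freed pointer. Clearing it right after the free, `intern->ptdoc = NULL;`, makes that teardown safe regardless of how the handler is written, and is the same idiom the later ptdoc/errbuf frees in this file presumably rely on. This becomes more than a shutdown-path concern once the `/* TODO: convert to exception */` is acted on, because the constructor would then return normally with the half-initialised object and it would be destroyed on the regular path. tidy_object_new starts and ends outside the hunk.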
@@ -750,7 +750,7 @@ static char *type_to_name_native(int type) /* {{{ */
 	PDO_MYSQL_NATIVE_TYPE_NAME(NEWDATE)
 #endif
 	/* The following 2 don't have BC FIELD_TYPE_* aliases. */
-#if MYSQL_VERSION_ID >= 90000 && !defined(MARIADB_BASE_VERSION) /* TODO: mysqlnd support (added in 8.4 via a1ab846231aeff49c0441a30ebd44463fc7825b1) */
+#if (MYSQL_VERSION_ID >= 90000 && !defined(MARIADB_BASE_VERSION)) || defined(PDO_USE_MYSQLND)
 	PDO_MYSQL_NATIVE_TYPE_NAME(VECTOR)
 #endif
 #if MYSQL_VERSION_ID >= 50708 || defined(PDO_USE_MYSQLND)
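Review bot: The new `|| defined(PDO_USE_MYSQLND)` arm on the `#if` assumes the bundled mysqlnd headers declare the VECTOR type constant that `PDO_MYSQL_NATIVE_TYPE_NAME(VECTOR)` presumably expands to; the TODO being deleted says that support only landed in 8.4, so if this commit is picked to a branch with an older mysqlnd the expansion would fail to compile. If the target branches are all 8.4+, that provenance is worth keeping in a comment rather than discarding with the TODO, e.g. `/* VECTOR: MySQL >= 9.0 (not MariaDB), or mysqlnd (which gained it in PHP 8.4) */`. The commit message "Fix macro check that I forgot to commit" does not say which change this belongs to, which makes the motivation hard to recover later. type_to_name_native starts and ends outside the hunk.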