From 501b15ecbfa7a2406abe84501f65ebd1134ce9aa Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Sat, 11 Oct 2025 19:37:26 +0200 Subject: [PATCH 1/6] Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref --- ext/pdo/pdo_sql_parser.re | 6 +++++ ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt | 28 ++++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt diff --git a/ext/pdo/pdo_sql_parser.re b/ext/pdo/pdo_sql_parser.re index a87fd473404..1897f9f238b 100644 --- a/ext/pdo/pdo_sql_parser.re +++ b/ext/pdo/pdo_sql_parser.re @@ -300,6 +300,12 @@ safe: } plc->quoted = stmt->dbh->methods->quoter(stmt->dbh, buf, param_type); + if (plc->quoted == NULL) { + /* bork */ + ret = -1; + strncpy(stmt->error_code, stmt->dbh->error_code, 6); + goto clean_up; + } } } diff --git a/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt b/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt new file mode 100644 index 00000000000..736354cab13 --- /dev/null +++ b/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt @@ -0,0 +1,28 @@ +--TEST-- +#GHSA-8xr5-qppj-gvwj: NULL Pointer Derefernce for failed user input quoting +--EXTENSIONS-- +pdo +pdo_pgsql +--SKIPIF-- + +--FILE-- +setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); +$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, true); + +$sql = "SELECT * FROM users where username = :username"; +$stmt = $db->prepare($sql); + +$p1 = "alice\x99"; +var_dump($stmt->execute(['username' => $p1])); + +?> +--EXPECT-- +bool(false) From a7f2a15c5bcae1ce181b016c438b84f3d5761a6b Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Sun, 9 Nov 2025 13:23:11 +0100 Subject: [PATCH 2/6] Fix GHSA-h96m-rvf9-jgm2 --- ext/standard/array.c | 7 ++++++- .../tests/array/GHSA-h96m-rvf9-jgm2.phpt | 16 ++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt diff --git a/ext/standard/array.c b/ext/standard/array.c index 44d226b2d82..b148bcf3568 100644 --- a/ext/standard/array.c +++ b/ext/standard/array.c @@ -4272,7 +4272,7 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET uint32_t argc, i; zval *src_entry; HashTable *src, *dest; - uint32_t count = 0; + uint64_t count = 0; ZEND_PARSE_PARAMETERS_START(0, -1) Z_PARAM_VARIADIC('+', args, argc) @@ -4292,6 +4292,11 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET count += zend_hash_num_elements(Z_ARRVAL_P(arg)); } + if (UNEXPECTED(count >= HT_MAX_SIZE)) { + zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE); + RETURN_THROWS(); + } + if (argc == 2) { zval *ret = NULL; diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt new file mode 100644 index 00000000000..2e3e85357e1 --- /dev/null +++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt @@ -0,0 +1,16 @@ +--TEST-- +GHSA-h96m-rvf9-jgm2 +--FILE-- +getMessage(), "\n"; +} + +?> +--EXPECTF-- +The total number of elements must be lower than %d From 6ba83131aafae1f0c5e2e7dc2c23beb5f9523323 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 6 Sep 2025 21:55:13 +0200 Subject: [PATCH 3/6] Fix GHSA-www2-q4fc-65wf --- ext/standard/basic_functions.c | 12 ++-- ext/standard/dns.c | 6 +- ext/standard/dns_win32.c | 6 +- .../tests/network/ghsa-www2-q4fc-65wf.phpt | 62 +++++++++++++++++++ 4 files changed, 74 insertions(+), 12 deletions(-) create mode 100644 ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c index e0c4230dae2..8b72ffffc83 100644 --- a/ext/standard/basic_functions.c +++ b/ext/standard/basic_functions.c @@ -561,7 +561,7 @@ PHP_FUNCTION(inet_pton) char buffer[17]; ZEND_PARSE_PARAMETERS_START(1, 1) - Z_PARAM_STRING(address, address_len) + Z_PARAM_PATH(address, address_len) ZEND_PARSE_PARAMETERS_END(); memset(buffer, 0, sizeof(buffer)); @@ -593,7 +593,7 @@ PHP_FUNCTION(ip2long) struct in_addr ip; ZEND_PARSE_PARAMETERS_START(1, 1) - Z_PARAM_STRING(addr, addr_len) + Z_PARAM_PATH(addr, addr_len) ZEND_PARSE_PARAMETERS_END(); if (addr_len == 0 || inet_pton(AF_INET, addr, &ip) != 1) { @@ -2139,8 +2139,8 @@ PHP_FUNCTION(getservbyname) struct servent *serv; ZEND_PARSE_PARAMETERS_START(2, 2) - Z_PARAM_STR(name) - Z_PARAM_STRING(proto, proto_len) + Z_PARAM_PATH_STR(name) + Z_PARAM_PATH(proto, proto_len) ZEND_PARSE_PARAMETERS_END(); @@ -2183,7 +2183,7 @@ PHP_FUNCTION(getservbyport) ZEND_PARSE_PARAMETERS_START(2, 2) Z_PARAM_LONG(port) - Z_PARAM_STRING(proto, proto_len) + Z_PARAM_PATH(proto, proto_len) ZEND_PARSE_PARAMETERS_END(); serv = getservbyport(htons((unsigned short) port), proto); @@ -2210,7 +2210,7 @@ PHP_FUNCTION(getprotobyname) struct protoent *ent; ZEND_PARSE_PARAMETERS_START(1, 1) - Z_PARAM_STRING(name, name_len) + Z_PARAM_PATH(name, name_len) ZEND_PARSE_PARAMETERS_END(); ent = getprotobyname(name); diff --git a/ext/standard/dns.c b/ext/standard/dns.c index bd5720210fd..a574d8dd9ae 100644 --- a/ext/standard/dns.c +++ b/ext/standard/dns.c @@ -382,7 +382,7 @@ PHP_FUNCTION(dns_check_record) #endif ZEND_PARSE_PARAMETERS_START(1, 2) - Z_PARAM_STRING(hostname, hostname_len) + Z_PARAM_PATH(hostname, hostname_len) Z_PARAM_OPTIONAL Z_PARAM_STR(rectype) ZEND_PARSE_PARAMETERS_END(); @@ -829,7 +829,7 @@ PHP_FUNCTION(dns_get_record) bool raw = 0; ZEND_PARSE_PARAMETERS_START(1, 5) - Z_PARAM_STRING(hostname, hostname_len) + Z_PARAM_PATH(hostname, hostname_len) Z_PARAM_OPTIONAL Z_PARAM_LONG(type_param) Z_PARAM_ZVAL(authns) @@ -1067,7 +1067,7 @@ PHP_FUNCTION(dns_get_mx) #endif ZEND_PARSE_PARAMETERS_START(2, 3) - Z_PARAM_STRING(hostname, hostname_len) + Z_PARAM_PATH(hostname, hostname_len) Z_PARAM_ZVAL(mx_list) Z_PARAM_OPTIONAL Z_PARAM_ZVAL(weight_list) diff --git a/ext/standard/dns_win32.c b/ext/standard/dns_win32.c index 26c6487902e..10ba1701a2c 100644 --- a/ext/standard/dns_win32.c +++ b/ext/standard/dns_win32.c @@ -32,7 +32,7 @@ PHP_FUNCTION(dns_get_mx) /* {{{ */ DNS_STATUS status; /* Return value of DnsQuery_A() function */ PDNS_RECORD pResult, pRec; /* Pointer to DNS_RECORD structure */ - if (zend_parse_parameters(ZEND_NUM_ARGS(), "sz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS(), "pz|z", &hostname, &hostname_len, &mx_list, &weight_list) == FAILURE) { RETURN_THROWS(); } @@ -86,7 +86,7 @@ PHP_FUNCTION(dns_check_record) DNS_STATUS status; /* Return value of DnsQuery_A() function */ PDNS_RECORD pResult; /* Pointer to DNS_RECORD structure */ - if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|S", &hostname, &hostname_len, &rectype) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|S", &hostname, &hostname_len, &rectype) == FAILURE) { RETURN_THROWS(); } @@ -343,7 +343,7 @@ PHP_FUNCTION(dns_get_record) int type, type_to_fetch, first_query = 1, store_results = 1; bool raw = 0; - if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|lz!z!b", + if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|lz!z!b", &hostname, &hostname_len, &type_param, &authns, &addtl, &raw) == FAILURE) { RETURN_THROWS(); } diff --git a/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt new file mode 100644 index 00000000000..3d082c8e952 --- /dev/null +++ b/ext/standard/tests/network/ghsa-www2-q4fc-65wf.phpt @@ -0,0 +1,62 @@ +--TEST-- +GHSA-www2-q4fc-65wf +--DESCRIPTION-- +This is a ZPP test but *keep* this as it is security-sensitive! +--FILE-- +getMessage(), "\n"; +} +try { + dns_get_mx("\0", $out); +} catch (ValueError $e) { + echo $e->getMessage(), "\n"; +} +try { + dns_get_record("\0"); +} catch (ValueError $e) { + echo $e->getMessage(), "\n"; +} +try { + getprotobyname("\0"); +} catch (ValueError $e) { + echo $e->getMessage(), "\n"; +} +try { + getservbyname("\0", "tcp"); +} catch (ValueError $e) { + echo $e->getMessage(), "\n"; +} +try { + getservbyname("x", "tcp\0"); +} catch (ValueError $e) { + echo $e->getMessage(), "\n"; +} +try { + getservbyport(0, "tcp\0"); +} catch (ValueError $e) { + echo $e->getMessage(), "\n"; +} +try { + inet_pton("\0"); +} catch (ValueError $e) { + echo $e->getMessage(), "\n"; +} +try { + ip2long("\0"); +} catch (ValueError $e) { + echo $e->getMessage(), "\n"; +} +?> +--EXPECT-- +dns_check_record(): Argument #1 ($hostname) must not contain any null bytes +dns_get_mx(): Argument #1 ($hostname) must not contain any null bytes +dns_get_record(): Argument #1 ($hostname) must not contain any null bytes +getprotobyname(): Argument #1 ($protocol) must not contain any null bytes +getservbyname(): Argument #1 ($service) must not contain any null bytes +getservbyname(): Argument #2 ($protocol) must not contain any null bytes +getservbyport(): Argument #2 ($protocol) must not contain any null bytes +inet_pton(): Argument #1 ($ip) must not contain any null bytes +ip2long(): Argument #1 ($ip) must not contain any null bytes From 9f903fbca520c5b02ddce0b515f3c6cdb4909f78 Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Fri, 12 Dec 2025 13:48:19 +0100 Subject: [PATCH 4/6] Update NEWS with info about security issues --- NEWS | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index d1ffa9e35f5..b6073275fe9 100644 --- a/NEWS +++ b/NEWS @@ -51,6 +51,8 @@ PHP NEWS - PDO: . Fixed bug GH-20553 (PDO::FETCH_CLASSTYPE ignores $constructorArgs in PHP 8.5.0). (Girgias) + . Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) + (Jakub Zelenka) - Phar: . Fixed bug GH-20442 (Phar does not respect case-insensitiveness of @@ -70,7 +72,12 @@ PHP NEWS . Fix memory leak in array_diff() with custom type checks. (ndossche) . Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). (ndossche) - . Fixed bug GH-20584 (Information Leak of Memory). (ndossche) + . Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). + (ndossche) + . Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). + (CVE-2025-14178) (ndossche) + . Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). + (CVE-2025-14177) (ndossche) - XML: . Fixed bug GH-20439 (xml_set_default_handler() does not properly handle From 1754cdc03311fd4020e5e1e08c9034599735f4c3 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Tue, 2 Dec 2025 16:26:50 +0100 Subject: [PATCH 5/6] Suppress libxml deprecations Closes GH-20538 --- ext/dom/document.c | 12 ++++++++++++ ext/dom/xml_serializer.c | 5 ++++- ext/libxml/libxml.c | 3 +++ 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/ext/dom/document.c b/ext/dom/document.c index edf83939bf8..97215dfd270 100644 --- a/ext/dom/document.c +++ b/ext/dom/document.c @@ -1595,12 +1595,16 @@ PHP_METHOD(DOMDocument, save) libxml_doc_props const* doc_props = dom_get_doc_props_read_only(intern->document); bool format = doc_props->formatoutput; if (options & LIBXML_SAVE_NOEMPTYTAG) { + ZEND_DIAGNOSTIC_IGNORED_START("-Wdeprecated-declarations") saveempty = xmlSaveNoEmptyTags; xmlSaveNoEmptyTags = 1; + ZEND_DIAGNOSTIC_IGNORED_END } zend_long bytes = intern->document->handlers->dump_doc_to_file(file, docp, format, (const char *) docp->encoding); if (options & LIBXML_SAVE_NOEMPTYTAG) { + ZEND_DIAGNOSTIC_IGNORED_START("-Wdeprecated-declarations") xmlSaveNoEmptyTags = saveempty; + ZEND_DIAGNOSTIC_IGNORED_END } if (bytes == -1) { RETURN_FALSE; @@ -1641,10 +1645,14 @@ static void dom_document_save_xml(INTERNAL_FUNCTION_PARAMETERS, zend_class_entry /* Save libxml2 global, override its value, and restore after saving (don't move me or risk breaking the state * w.r.t. the implicit return in DOM_GET_OBJ). */ + ZEND_DIAGNOSTIC_IGNORED_START("-Wdeprecated-declarations") old_xml_save_no_empty_tags = xmlSaveNoEmptyTags; xmlSaveNoEmptyTags = (options & LIBXML_SAVE_NOEMPTYTAG) ? 1 : 0; + ZEND_DIAGNOSTIC_IGNORED_END res = intern->document->handlers->dump_node_to_str(docp, node, format, (const char *) docp->encoding); + ZEND_DIAGNOSTIC_IGNORED_START("-Wdeprecated-declarations") xmlSaveNoEmptyTags = old_xml_save_no_empty_tags; + ZEND_DIAGNOSTIC_IGNORED_END } else { int converted_options = XML_SAVE_AS_XML; if (options & XML_SAVE_NO_DECL) { @@ -1655,10 +1663,14 @@ static void dom_document_save_xml(INTERNAL_FUNCTION_PARAMETERS, zend_class_entry } /* Save libxml2 global, override its value, and restore after saving. */ + ZEND_DIAGNOSTIC_IGNORED_START("-Wdeprecated-declarations") old_xml_save_no_empty_tags = xmlSaveNoEmptyTags; xmlSaveNoEmptyTags = (options & LIBXML_SAVE_NOEMPTYTAG) ? 1 : 0; + ZEND_DIAGNOSTIC_IGNORED_END res = intern->document->handlers->dump_doc_to_str(docp, converted_options, (const char *) docp->encoding); + ZEND_DIAGNOSTIC_IGNORED_START("-Wdeprecated-declarations") xmlSaveNoEmptyTags = old_xml_save_no_empty_tags; + ZEND_DIAGNOSTIC_IGNORED_END } if (!res) { diff --git a/ext/dom/xml_serializer.c b/ext/dom/xml_serializer.c index a4b46082b0e..7684057a391 100644 --- a/ext/dom/xml_serializer.c +++ b/ext/dom/xml_serializer.c @@ -1097,7 +1097,10 @@ static int dom_xml_serialize_element_node( /* 14. If ns is the HTML namespace, and the node's list of children is empty, and the node's localName matches * any one of the following void elements: ... */ if (element->children == NULL) { - if (xmlSaveNoEmptyTags) { + ZEND_DIAGNOSTIC_IGNORED_START("-Wdeprecated-declarations") + int saveNoEmptyTags = xmlSaveNoEmptyTags; + ZEND_DIAGNOSTIC_IGNORED_END + if (saveNoEmptyTags) { /* Do nothing, use the closing style. */ } else if (php_dom_ns_is_fast(element, php_dom_ns_is_html_magic_token)) { size_t name_length = strlen((const char *) element->name); diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c index f51e01cdf50..0105106d953 100644 --- a/ext/libxml/libxml.c +++ b/ext/libxml/libxml.c @@ -813,9 +813,12 @@ is_string: } else { /* make stream not being closed when the zval is freed */ GC_ADDREF(stream->res); + + ZEND_DIAGNOSTIC_IGNORED_START("-Wdeprecated-declarations") pib->context = stream; pib->readcallback = php_libxml_streams_IO_read; pib->closecallback = php_libxml_streams_IO_close; + ZEND_DIAGNOSTIC_IGNORED_END ret = xmlNewIOInputStream(context, pib, enc); if (ret == NULL) { From b8b7add531bbcd00b8fed8522a9e8bae3a59d5e8 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Tue, 2 Dec 2025 20:59:26 +0100 Subject: [PATCH 6/6] intl: Fix tests for icu update --- ext/intl/tests/msgfmt_format_intlcalendar_variant4.phpt | 2 +- ext/intl/tests/timezone_getDisplayName_variant4.phpt | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ext/intl/tests/msgfmt_format_intlcalendar_variant4.phpt b/ext/intl/tests/msgfmt_format_intlcalendar_variant4.phpt index 014bdd4749b..9436a9e9543 100644 --- a/ext/intl/tests/msgfmt_format_intlcalendar_variant4.phpt +++ b/ext/intl/tests/msgfmt_format_intlcalendar_variant4.phpt @@ -29,4 +29,4 @@ echo "msgf2: ", $msgf->format(array($time, 'date')), " ", ?> --EXPECTF-- Deprecated: Calling IntlGregorianCalendar::__construct() with more than 2 arguments is deprecated, use either IntlGregorianCalendar::createFromDate() or IntlGregorianCalendar::createFromDateTime() instead in %s on line %d -quinta-feira, 17 de maio de 2012 5:35:36 da tarde ptlis +quinta-feira, 17 de maio de 2012 5:35:36 %r(da tarde|p.m.)%r ptlis diff --git a/ext/intl/tests/timezone_getDisplayName_variant4.phpt b/ext/intl/tests/timezone_getDisplayName_variant4.phpt index 39d71f5aa20..ccde7f8e0ea 100644 --- a/ext/intl/tests/timezone_getDisplayName_variant4.phpt +++ b/ext/intl/tests/timezone_getDisplayName_variant4.phpt @@ -19,12 +19,12 @@ var_dump($lsb->getDisplayName(false, IntlTimeZone::DISPLAY_SHORT_COMMONLY_USED)) var_dump($lsb->getDisplayName(false, IntlTimeZone::DISPLAY_GENERIC_LOCATION)); ?> ---EXPECT-- -string(3) "GMT" +--EXPECTF-- +string(%d) "%r(GMT|GMT\+0)%r" string(30) "Western European Standard Time" string(13) "Portugal Time" string(21) "Western European Time" string(5) "+0000" -string(3) "GMT" -string(3) "GMT" +string(%d) "%r(GMT|GMT\+00:00)%r" +string(%d) "%r(GMT|GMT\+0)%r" string(13) "Portugal Time"