This has been reported as bug #78984, and is generally and properly
fixed as of timelib 2020.3 (PHP-8.0). However, it is not fixed in
PHP-7.4, where the test results in an OOB read, and an unterminated
C string when calling `::getName()`. Therefore, we apply a minimal
fix which just avoids this dangerous behavior.
We must never strip embedded whitespace; we only need to skip values
when that option is set, and make sure that we keep BC regarding the
different behavior for "cdata" and "complete" elements (for the former,
the whole element is skipped; for the latter only the "value" key).
We also fix erroneous `int` types which should actually be `size_t`.
Co-authored-by: Christoph M. Becker <cmbecker69@gmx.de>
Closes GH-7493.
offsetSet did not account for the fact that the array may no longer exist after
the field is overwritten. This fixes that.
Add test of resizing both to the empty array and a smaller array - there should
be no valgrind warnings with a proper fix.
Alternate approach to #7486 (described in https://bugs.php.net/bug.php?id=81429)
We need to allocate buffers for the file mapping names which are large
enough for all potential keys (`key_t` is defined as `int` on Windows).
Regarding the test: it's probably never a good idea to use hard-coded
keys (should always use `ftok()` instead), but to reliably reproduce
this Windows specific issue we need to, and it shouldn't be an issue on
that OS.
Closes GH-7448.
If buf_len is zero, this would leave behind a dangling pointer
to an already released header.str. Make sure this can't happen
by always overwriting the pointer.
Closes GH-7376.
The CURLOPT_DEBUGDATA will point to the old curl handle after
copying. Update it to point to the new handle.
We don't separately store whether CURLINFO_HEADER_OUT is enabled,
so I'm doing this unconditionally. It should be harmless if
CURLOPT_DEBUGFUNCTION is not used.
When more than INT_MAX resource are created, throw a fatal error,
rather than reusing already allocated IDs, which will result in
assertion failures or crashes down the line.
This doesn't fix the fundamental problem, but makes the failure
more graceful with an obvious cause.
Inspired by https://bugs.php.net/bug.php?id=81399.
Closes GH-7428.
If we assemble a zend_string manually, we need to end it with a NUL
byte ourselves.
We also fix the size calculation for that zend_string; there is no need
for the extra byte for each part, and we don't have to multiply by two,
since we're using DnsQuery_A(), not DnsQuery_W () (in which case we
would have to do the character set conversion, anyway). This avoids
over-allocation, and the need to explicitly set the string length.
Finally, we use the proper access macro for zend_strings.
Closes GH-7427.
In this case we should use the original internal handler. Otherwise
the trampoline will attempt to free the closure, but the function
being used is not actually part of a closure anymore.
We port the upstream fix[1], and also revert commit a3383ac3d7[2] which
is now obsolete, and also not part of libgd. Especially the change to
gd.png.c was at best a half-baked optimization.
[1] <a24e96f019>
[2] <a3383ac3d7>
Closes GH-7402.
This change was originall only done for 'master'. Xdebug bundles this file as
it requires it, but PHP 7.2/7.3 don't have it bundled. By doing "phpize" with
master, it updates the file introducing a local diff. By fixing it in older
versions, that problem goes away.
It is insufficient to check whether the `base` is contained in `fname`;
we also need to ensure that `fname` is properly separated. And of
course, `fname` has to start with `base`.
We must avoid integer overflows in memory allocations, so we introduce
an additional check in the VM, and bail out in the rare case of an
overflow.
Closes GH-7381.
We must avoid integer overflows in memory allocations, so we introduce
an additional check in the VM, and bail out in the rare case of an
overflow. Since the recent fix for bug #74960 still doesn't catch all
possible overflows, we fix that right away.
This is a non-intrusive, minimal fix for bug #81316, which prevents
a bailout during imap RSHUTDOWN and prevents the basic shutdown
handler from being skipped.
I wasn't able to make the issue reproduce in a small test.
The fix for bug #73151[1] cured the symptoms, but not the root cause,
namely xmlParse() must not be called recursively. Since that bugfix
also messed up the error handling, we basically revert it (but also
simplify the return), and then prevent calling the parser recursively.
[1] <f2a8a8c068>
Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>
Closes GH-7363.
The stream position is not related to the buffer, and needs to be
updated for non-seekable streams as well. The erroneous condition
around the position update is a relict of an old commit[1].
The unexpected test expectation is due to bug #81345.
[1] <088e2692c3>
Closes GH-7356.
When flushing the stream filters actually causes data to be written to
the stream, we need to update its position, because that is not done by
the streams' write methods.
Closes GH-7354.
The recent fix for bug 52093 is not compatible with LibreSSL ≥ 2.7.0,
which we recognize as mostly OpenSSL 1.1.0 compatible, but they still
do not support `ASN1_INTEGER_set_int64()`.
Closes GH-7339.
While our HTTP parser supports upgrade requests, the code using it does
not. Since upgrade requests are only valid for HTTP/1.1 and we neither
support any higher version, nor HTTPS yet, we do not exit early in case
of such requests, i.e. we ignore them, what is allowed by the specs.
We keep the supporting code in case we can meaningfully support upgrade
requests in the future.
Closes GH-7316.
If `P->len` is negative (not only when it is `SQL_NULL_DATA`), we must
not go on, because the following code can't deal with that. This means
that the output parameter will be set to `NULL` without any indication
what went wrong, but it's still better than crashing.
Closes GH-7295.
