Keep this up to date in all nonbranches, because the node.js runtime for older
versions might get deprecated in the future and fixing this for all branches at
once is easier.
see 2650248a92
Keep this up to date in all nonbranches, because the node.js runtime for older
versions might get deprecated in the future and fixing this for all branches at
once is easier.
see 2650248a92
This procedure may be called during i_free_compiled_variables(), when
EG(current_execute_data) is unfortunately already reset to the parent frame.
EG(opline_before_exception) does not actually belong to this frame. Furthermore,
setting opline to EG(exception_op) early will miss a later
zend_rethrow_exception(), which will also miss installation of the correct
EG(opline_before_exception).
Fixes GH-20714
Closes GH-20716
* PHP-8.2:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* PHP-8.1:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
The string added had uninitialized memory due to
php_read_stream_all_chunks() not moving the buffer position, resulting
in the same data always being overwritten instead of new data being
added to the end of the buffer.
This is backport as there is a security impact as described in
GHSA-3237-qqm7-mfv7 .
According to @cmb69, PHP does not require VLA support
(https://github.com/php/php-src/pull/10304#discussion_r1069343092).
VLAs are a bad idea for several reasons, so let's get rid of them.
Two of the VLAs were probably unintended; unlike C++, C doesn't have
the concept of "constant expressions", so an array with a "const"
length is technically still a VLA. This is fixed by removing the
"const" variable, and using sizeof() instead.
(cherry picked from commit ff2a211d55)
The old Xcode sticks around, so make sure we sort in reverse to pick the newer
version. Technically we should use something like sort -Vr, but -V doesn't exist
on macOS. But that won't be a problem until Xcode 100, which my great great
grand children can worry about.
zval_get_string() can never return NULL, you need to use the try version
to get NULL. This is observable because the process will still spawn
even if an exception had occurred. To fix this, use the try variant.
Closes GH-20650.
This resolves a crash in release builds. This may be dropped again in the
future once the bugfix lands.
Co-authored by Alexandre Daubois <alex.daubois@gmail.com>
Co-authored by Arnaud Le Blanc <arnaud.lb@gmail.com>
Co-authored by Jakub Zelenka <bukka@php.net>
Closes GH-20669
