Currently, resource IDs are limited to 32-bits. As resource IDs
are not reused, this means that resource ID overflow for
long-running processes is very possible.
This patch switches resource IDs to use zend_long instead, which
means that on 64-bit systems, 64-bit resource IDs will be used.
This makes resource ID overflow practically impossible.
The tradeoff is an 8 byte increase in zend_resource size.
Closes GH-7436.
When more than INT_MAX resources are created, throw a fatal error,
rather than reusing already allocated IDs, which will result in
assertion failures or crashes down the line.
This doesn't fix the fundamental problem, but makes the failure
more graceful with an obvious cause.
Inspired by https://bugs.php.net/bug.php?id=81399.
Closes GH-7428.
Quoting from UPGRADING:
- A leading dollar in a quoted string can now be escaped: "\${" will now be
interpreted as a string with contents `${`.
- Backslashes in double quoted strings are now more consistently treated as
escape characters. Previously, "foo\\" followed by something other than a
newline was not considered as a terminated string. It is now interpreted as a
string with contents `foo\`. However, as an exception, the string "foo\"
followed by a newline will continue to be treated as a valid string with
contents `foo\` rather than an unterminated string. This exception exists to
support naive uses of Windows file paths as "C:\foo\".
Closes GH-7420.
basic_functions.c already has a macro for returning an ini
value to userland, so make use of it for get_cfg_var() as well,
after generalizing it to not write to return_value in particular.
In this case we should use the original internal handler. Otherwise
the trampoline will attempt to free the closure, but the function
being used is not actually part of a closure anymore.
We would end up freeing the function name twice here, once for
the original closure, and once for the rebound one.
Rather than further special casing the zend_closure_call_magic
case, always addref the function_name for internal functions,
the same as we do for userland functions. To compensate, we need to
release the original function name when creating from callable
or call frame.
Fixes oss-fuzz #37695.
If we only store the biased pointer, the map ptr region will not
be recognized as reachable memory by leak checkers. This is
primarily problematic for fuzzing, because this is persistent
memory that may be reallocated during the request, without being
an actual leak.
Avoid this by simply storing both the real base pointer of the
allocation, as well as the biased base pointer used for accesses.
New resources may be created while closing resources during
shutdown. This may result in a reallocation of arData and use
after free.
This problem was exposed by 7f7a90b2bc,
which creates one resource less, and thus moved the reallocation
to shutdown for a number of existing tests. However, the general
problem already existed previously.
We don't try to also close the newly added resources -- we will
later perform a graceful reverse destroy of the table, which will
catch any remaining cases.
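The reallocation hazard described in the last commit, generalized as an added C example (this is not php-src code): a hypothetical growable table standing in for arData, whose entry destructors may insert new entries. `table_close_all_unsafe` has the bug shape (a pointer into the block cached across the destructor call, which dangles when the block is realloc'd), `table_close_all` is the index-based pass that only closes the entries present when it started, and `table_destroy` is the reverse sweep that catches whatever the first pass left open. All names, the destructor that inserts, and the sample table sizes are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growable table standing in for a hash table's arData: all
 * entries live in one realloc()'d block, so any insert may move them. */
typedef struct table table;
typedef void (*entry_dtor)(table *t, int id);
typedef struct { int id; entry_dtor dtor; int closed; } entry;
struct table { entry *data; size_t used, cap; int next_id; };

static void table_init(table *t) { t->data = NULL; t->used = t->cap = 0; t->next_id = 1; }

static int table_add(table *t, entry_dtor dtor) {
    if (t->used == t->cap) {
        size_t ncap = t->cap ? t->cap * 2 : 4;
        entry *nd = realloc(t->data, ncap * sizeof *nd);
        if (!nd) abort();
        t->data = nd;   /* old block freed: pointers into it now dangle */
        t->cap = ncap;
    }
    entry *e = &t->data[t->used++];
    e->id = t->next_id++; e->dtor = dtor; e->closed = 0;
    return e->id;
}

/* Destructor that, like a resource destructor at shutdown, creates a new entry. */
static void dtor_that_adds(table *t, int id) { (void)id; table_add(t, NULL); }

/* BUG SHAPE (defined for comparison, never called): caches pointers into the
 * block across the destructor call. If the destructor grows the table, `e`
 * and `end` point into freed memory and `e->closed = 1` is a use after free. */
size_t table_close_all_unsafe(table *t) {
    size_t n = 0;
    for (entry *e = t->data, *end = t->data + t->used; e < end; e++, n++) {
        if (e->dtor) e->dtor(t, e->id);
        e->closed = 1;
    }
    return n;
}

/* SAFE: snapshot the count, index through t->data on every access, and leave
 * entries created during the pass to the reverse sweep below. */
static size_t table_close_all(table *t) {
    size_t n = t->used;
    for (size_t i = 0; i < n; i++) {
        entry_dtor d = t->data[i].dtor;
        int id = t->data[i].id;
        if (d) d(t, id);        /* may move t->data; re-index after it */
        t->data[i].closed = 1;
    }
    return n;
}

/* Reverse destroy: closes whatever is still open (including entries added
 * during the first pass), then releases the block. */
static size_t table_destroy(table *t) {
    size_t n = 0;
    for (size_t i = t->used; i-- > 0; ) {
        if (t->data[i].closed) continue;
        entry_dtor d = t->data[i].dtor;
        int id = t->data[i].id;
        if (d) d(t, id);
        t->data[i].closed = 1;
        n++;
    }
    free(t->data);
    table_init(t);
    return n;
}

typedef struct { size_t first_pass, used_after, destroyed; } scenario;

/* Fill a table exactly to capacity with entries whose destructor inserts, so
 * the very first close during shutdown forces a reallocation. */
static scenario run_shutdown_scenario(int n_entries) {
    table t; scenario r;
    table_init(&t);
    for (int i = 0; i < n_entries; i++) table_add(&t, dtor_that_adds);
    r.first_pass = table_close_all(&t);
    r.used_after = t.used;
    r.destroyed = table_destroy(&t);
    return r;
}

int main(void) {
    scenario r = run_shutdown_scenario(4);
    printf("first pass closed %zu, table grew to %zu, reverse destroy closed %zu\n",
           r.first_pass, r.used_after, r.destroyed);
    return 0;
}
```

With four entries filling a capacity of four, the first destructor call grows the block to eight and moves it; the index-based pass still closes exactly the four original entries, and the reverse sweep then closes the four created during shutdown. Running the unsafe variant in the same scenario writes through a pointer into the freed block, which is the crash the commit describes (build with AddressSanitizer to see it reported).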