Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.
To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.
Versions of libxml of 2.13 and higher are not affected.
This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
This adds error checks for escape function is pgsql and pdo_pgsql
extensions. It prevents possibility of storing not properly escaped
data which could potentially lead to some security issues.
This fixes stream_socket_client() and fsockopen().
Specifically it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
When the array functions perform their operation in-place, the
`@refcount 1` annotation is wrong and causes a failure under
`ZEND_VERIFY_FUNC_INFO`.
The test file tests all functions that have the in-place optimization,
even those that didn't have the refcount annotation, just to prevent
future regressions.
Closes GH-18929.
During persisting, the JIT may trigger and fill in the call graph.
The call graph info is allocated on the arena which will be gone after preloading.
To prevent invalid accesses during normal requests, the arena data should be cleared.
This has to be done after all scripts have been persisted because shared op arrays between
scripts can change the call graph.
Closes GH-18916.
ZEND_FUNC_INFO() can not be used on internal CE's. If preloading makes a
CE that's an alias of an internal class, the invalid access happens when
setting the FUNC_INFO.
While we could check the class type to be of user code, we can just skip
aliases altogether anyway which may be faster.
Closes GH-18915.
Clearly nobody has used this in a while given the compile errors and
warnings.
This patch fixes them so there are no errors nor warnings anymore.
Closes GH-18910.
We prevent signed overflow by making the count unsigned. The actual
interpretation of the count doesn't matter as it's just used to denote a
limit.
The test output for some limit values looks strange though, so that may
need extra investigation. However, that's orthogonal to this fix.
Closes GH-18906.
This happens because there are no checks in php_stream_fill_read_buffer
calls. This should not fail always but only on fatal error so special
flag is needed for that.
Closes GH-18778
These tests attempt to test that no memory is leaked for stream calls. However,
it is incorrect to assume the memory will not increase for other reasons, e.g.
when growing resource buffers, for the output buffer, etc. This was discovered
through 9cacc57350 with USE_TRACKED_ALLOC=1, but
this can also fail with USE_ZEND_ALLOC=1 when increasing loop iterations.
Turns out that the instrumentation added for gcov can change inlining
decisions of the compiler, which results in a mismatch between the
profile data CFG and the actual generated CFG between compiles.
There are two functions that suffer from this issue:
1. _PHP_XXH3_Init: Removing the inline hint fixes this one. In fact,
always inlining this makes no sense as there's no real opportunity
for specialising. It just bloats the binary and increases I$ pressure.
So besides fixing this issue it's beneficial on its own to drop the
attribute.
2. PHP_XXH3_128_Final: Sometimes XXH128_canonicalFromHash gets inlined
and sometimes not. Make sure it gets always inlined.
Closes GH-18814.
This is backport for 8.3 of b222c020bf
that originally targeted only 8.4+. This is however a bug fix.
Following 68f6ab7113, the ext/curl doesn't
need to be linked against OpenSSL anymore, if curl_version_info_data
ssl_version is OpenSSL/1.1 or later.
With OpenSSL 3 and later the check for old SSL crypto locking callbacks
was detected here.
This also uses a common PHP_SETUP_OPENSSL macro for checking OpenSSL and
syncs the minimum OpenSSL version (currently 1.0.2 or later) across the
PHP build system.
This issue happens because http wrapper sets peer_name but then does not
remove so it stays in the context. The fix removes the peer name from
the context after enabling crypto.
In addition to bug #74796, this also fixes bug #76196.
In addition it should be a final fix for those SOAP bugs:
bug #69783
bug #52913
bug #61463
The resource check makes no sense, and the is_array() check doesn't
achieve anything. Drop the former, and replace the latter with a !
check.
Discovered while working on GH-18729.
Closes GH-18731.
`/./` matches all characters but newlines, so if `random_bytes`
generates a string with newlines in it, the resulting string is not
empty. Fix this by adding the `s` modifier.
The overflow checking code already existed, but didn't work because the
math was done on signed numbers instead of unsigned numbers.
In the process I also discovered a pre-existing issue that needs to be
fixed (and seems that other stream wrappers can have this issue too).
Closes GH-18644.
Introducing a new attribute macro in lower branches is an ABI break and
not allowed. However, we still need to fix the warnings such that
-Werror builds don't break. So we copy the macro from the master branch
to the C files in the appropriate places.
Ahmed Lekssays