The array merging function may still hold the properties array while the
object is already being destroyed. Therefore, we should take into
account the refcount in simplexml's destruction code.
It may be possible to trigger this in other ways too.
Closes GH-17421.
Internal function won't need their refcount increased as they outlive
the debugger session, and userland functions won't be unloaded either.
So no refcount management is necessary for registered functions.
We port the respective upstream fix[1]. We only run the test against
bundled libgd, since external libgd may yield different results.
Cf. <2b26be874d>.
Closes GH-17380.
We apply the same fix that has been applied to external libgd at least
as of 2.0.29.
To avoid issues regarding minor FreeType rendering differences, the
test case does not compare against an image, but rather checks that all
pixels outside the clipping rect have the background color.
Closes GH-17374.
This is a follow-up on GH-17343 to implement GC cycle management.
Previously the objects lived too long due to the strong cycle.
This patch adds get_gc handlers to break the cycle.
Closes GH-17355.
This is porting the relevant part of a previous upstream commit[1] to
align the behavior of our bundled libgd with upstream. It should be
noted that this only works if the image actually has a transparent
color.
[1] <4770e2b2d5>
Closes GH-17351.
The segfault happens because zoi->wrapping_obj points to an object that has been freed.
This wrapping_obj is set in IntlIterator_from_StringEnumeration().
Notice how the refcount is not increased in this function.
By switching to ZVAL_OBJ_COPY, the segfault disappears.
We also need to move the responsibility of destroying the iterator to
the iterator itself and keep the object data destruction in the object
destruction. The existing code used a weird recursive destruction
between the iterator and object that was too hard to understand to be
honest. This patch simplifies everything and in the process gets rid of
the leak.
Iterators that are embedded are now responsible for their own
memory cleanup.
Closes GH-17343.
This adds wrappers around recv(), send(), and php_pollfd_for_ms() to
handle EINTR.
This is a bit hard to test on its own, but it is testable manually using
the following script:
```php
pcntl_signal(SIGUSR1, function() {
var_dump(func_get_args());
}, false);
var_dump(getmypid());
sleep(10);
$ftp = ftp_connect('127.0.0.1');
ftp_login($ftp, 'user', 'pass');
ftp_put($ftp, 'testfile', 'testfile');
```
in combination with an infinite while loop that sends SIGUSR1 to the
process.
Closes GH-17327.
We convert the test to use the CLI test server to not require online
availability.
As of PHP 8.3, the test is supposed to fail, because the timeout is too
large. Since exactly this scenario is already tested by gh16810.phpt,
we drop the test for PHP-8.3 and up.
Closes GH-17315.
* Fix FD getting code on big endian (PHP 8.3)
stream casting as FD returns a php_socket_t, which is an int, but
zend_long is 64-bit (on those platforms). This works on LE by
accidental (unless it forgets to clear the high word), but is fatal
on big endian.
* change cast to match sig
The reason this breaks is because of a type mismatch.
The following line uses fields of the timeval struct which are both 8 bytes on
Alpine 32-bit, which results in a computed value of also 8 bytes:
b09ed9a0f2/sapi/fpm/fpm/fpm_status.c (L611)
However, it is passed to a format string which expects 4 bytes
(`unsigned long` and thus the `%lu` format specifier is 4 bytes on Alpine 32-bit),
resulting in argument corruption.
Since the value is generally small, truncating to 4 bytes is sufficient to fix this.
Closes GH-17286.
A bunch of different issues:
1) The referenced value is copied without incrementing the refcount.
The reason the refcount isn't incremented is because otherwise
the array modifications would violate the RC1 constraints.
Solve this by copying the reference itself instead and always
read the referenced value.
2) No type checks on the array data, so malicious scripts could
cause type confusion bugs.
3) Potential overflow when the arrays resize and we access ctag.
Closes GH-17205.
This was a bug in both libxml and PHP.
We follow up with the same change as done in GNOME/libxml@b3871dd138.
Changing away from `xmlOutputBufferCreateFilenameDefault` is not
possible yet because this is a stable branch and would break BC.
Closes GH-17254.
The FFI call return values follow widening rules.
We must widen to `ffi_arg` in the case we're handling a return value for types shorter than the machine width.
From http://www.chiark.greenend.org.uk/doc/libffi-dev/html/The-Closure-API.html:
> In most cases, ret points to an object of exactly the size of the type specified when cif was constructed.
> However, integral types narrower than the system register size are widened.
> In these cases your program may assume that ret points to an ffi_arg object.
If we don't do this, we get wrong values when reading the return values.
Closes GH-17255.
Co-authored-by: Dmitry Stogov <dmitry@zend.com>
The issue that BMP RLE occasionally swallowed some pixels[1] had been
fixed long ago in libgd, but apparently it has been overlooked to port
it to our bundled libgd.
We also introduce the test helper `test_image_equals_image()` which
compares in-memory images for equality.
[1] <https://github.com/libgd/libgd/issues/276>
Closes GH-17250.
This bug happens because of a nested `SHM_UNPROTECT()` sequence.
In particular:
```
unprotect memory at ext/opcache/ZendAccelerator.c:2127
protect memory at ext/opcache/ZendAccelerator.c:2160
unprotect memory at ext/opcache/ZendAccelerator.c:2164
unprotect memory at ext/opcache/jit/zend_jit_trace.c:7464
^^^ Nested
protect memory at ext/opcache/jit/zend_jit_trace.c:7591
^^^ Problem is here: it should not protect again due to the nested unprotect
protect memory at ext/opcache/ZendAccelerator.c:2191
^^^ This one should actually protect, not the previous one
```
The reason this nesting happen is because:
1. We try to include the script, this eventually calls `cache_script_in_shared_memory`
2. `zend_optimize_script` will eventually run SCCP as part of the DFA pass.
3. SCCP will try to replace constants, but can also run destructors when a partial array is destructed here:
4e9cde758e/Zend/Optimizer/sccp.c (L2387-L2389)
In this case, this destruction invokes the GC which invokes the tracing JIT,
leading to the nested unprotects.
This patch disables the GC to prevent invoking user code, as user code
is not supposed to run during the optimizer pipeline.
Closes GH-17249.
Co-authored-by: Dmitry Stogov <dmitry@zend.com>
NULL checks for the glob stream are inconsistently applied. To solve
this generally, factor it out to a helper function so it's less likely
to be forgotten in the future.
Closes GH-17231.
The error handling is incomplete on argument cleanup.
1. The fci is not cleared which means that zend_free_trampoline() is
never called.
2. The cleaning for extra named arguments was missing, resulting in
memory leak.
Closes GH-17219.
When observer is enabled, we normally add an extra temporary to all
functions, to store the previously observed frame. However, this is done in
zend_observer_post_startup() so it doesn't happen to dl'ed() functions.
One possible fix would be to move that from zend_observer_post_startup()
to zend_register_functions(), but this would be too early: Observer may
not be enabled when zend_register_functions() is called, and may still be
enabled later.
However, when zend_register_functions() is called at run-time (during dl()),
we know definitively whether observer is enabled.
Here I update zend_register_functions() to add a temporary to dl'ed()
functions when observer is enabled.
Fixes: GH-17211
Closes: GH-17220
The gettext() family of functions under musl does not support codeset
suffixes like ".UTF-8", because the only codeset it understands is
UTF-8. (Yes, it is annoying that it doesn't support the suffix for the
codeset that it does understand; no, I am not in charge.) Thanks to
this, we have six failing tests on musl,
* FAIL Gettext basic test with en_US locale that should be on nearly
every system
[ext/gettext/tests/gettext_basic-enus.phpt]
* FAIL Test if bindtextdomain() returns string id if no directory path
is set( if directory path is 'null')
[ext/gettext/tests/gettext_bindtextdomain-cwd.phpt]
* FAIL Test dcgettext() functionality
[ext/gettext/tests/gettext_dcgettext.phpt]
* FAIL Test dgettext() functionality
[ext/gettext/tests/gettext_dgettext.phpt]
* FAIL Test if dngettext() returns the correct translations
(optionally plural).
[ext/gettext/tests/gettext_dngettext-plural.phpt]
* FAIL Test ngettext() functionality
[ext/gettext/tests/gettext_ngettext.phpt]
These are all fixed by symlinking the en_US.UTF-8 message data to en_US,
where musl is able to find it.
This does not make the situation any better for developers (who don't
know what libc their users will be running), but that problem is
inhereted from C and is not the fault of the gettext extension.
This partially addresses GH #13696
Musl has two quirks that are leading to failed internationalization
tests. First is that the return value of bindtextdomain(..., NULL)
will always be false, rather than an "implementation-defined default
directory," because musl does not have an implementation-defined
default directory. One test needs a special case for this.
Second is that the musl implementation of bind_textdomain_codeset()
always returns NULL. The POSIX-correctness of this is debatable, but
it is roughly equivalent to correct, because musl only support UTF-8,
so the NULL value indicating that the codeset is unchanged from the
locale's codeset (UTF-8) is accurate.
PHP's bind_textdomain_codeset() function however treats NULL as
failure, unconditionally:
* https://github.com/php/doc-en/issues/4311
* https://github.com/php/php-src/issues/17163
This unfortunately causes false to be returned consistently on musl --
even when nothing unexpected has happened -- and naturally this is
affecting several tests. For now we change two tests to accept "false"
in addition to "UTF-8" so that they may pass on musl. If PHP's
bind_textdomain_codeset() is updated to differentiate between NULL and
NULL-with-errno-set, these tests can also be updated once again to
reject the NULL-with-errno result.
This partially addresses GH #13696
