The "else branch" of `next_line` can reset the `buf_begin` field to
NULL, causing the next invocation to pass NULL to `memchr` with a 0
length. When UBSAN is enabled this causes an UBSAN abort. Real world
impact is likely none because of the 0 length.
To fix this, don't set the pointer to NULL, which means that the
`memchr` will return NULL and since
`self->bytes_in_buffer < self->bufsize` we return NULL and request more
data through `fill_buffer`. That function will reset `buf_begin` and
`bytes_in_buffer` so that the next invocation works fine.
I chose this solution so we have an invariant that `buf_begin` is never
NULL, which makes reasoning easier. An alternative solution is keeping
the NULLing of `buf_begin` and add an extra check at the top of
`next_line`, but I didn't like special casing this.
Closes GH-17000.
Only on Windows `IS_SLASH_P()` may read the previous byte, and so may
in unlikely cases read one byte out of bounds. Since `IS_SLASH_P()` is
in a public header (albeit not likely to be used by external extensions
or SAPIs), we introduce `IS_SLASH_P_EX()` which accepts a second
argument to prevent that OOB read.
It should be noted that the PHP userland function `dirname()` is not
affected by this issue, since it does not call `zend_dirname()` on
Windows.
Closes GH-16995.
When connecting to socket, it is possible to get EINTR. In such case,
there should be an another attempt to connect if we are not over the
timeout. The timeout should be adjusted accordingly in that case.
This fixes https://github.com/phpredis/phpredis/issues/1881
Closes GH-16606
It crashes because it's gonna try accessing the breakpoint which was cleared
by user code in `phpdbg_clear();`. Not all breakpoint data was properly
cleaned.
Closes GH-16953.
We should compare the block memory, not the block metadata (See
zend_mm_add_huge_block).
This caused random test failure for ext/ffi/tests/gh14626.phpt when the
malloc() performed by the FFI code lies close to the block metadata, and
the size of the block is large enough.
This was reported by https://github.com/php/php-src/issues/16902#issuecomment-2498310452
Closes GH-16938.
If `_DEBUG` is set, assertion failures and errors are directed to a
debug message window by default[1]. That causes a process to hang,
since these dialogs are modal. While we already cater to assertion
failures, errors have apparently been overlooked.
We choose a minimal fix for BC reasons; although passing `0` as
`reportMode` is undocumented, it obviously works fine for a long time.
We may consider to improve on this for the `master` branch.
[1] <https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/crtsetreportmode>
Closes GH-16850.
This testing code was never meant to be used this way, but fixing this
will at least stop fuzzers from complaining about this, so might still
be worthwhile.
Closes GH-16919.
The `vmactions/freebsd-vm` GitHub action rsyncs the work dir to to the
VM. This adds a lot of log output due to `rsync -v` usage.
Once the tests are compelte, the action copies the files _back_ by
running `rsync` in reverse. However, we do not need these files back
because we do not run any other steps that need access to the post-test
files.
Setting `copyback: false` disables this, and cuts the log size by about
5,000 lines.
Closes Closes GH-16916.
There doesn't seem to be a thread post-startup hook that runs after
zend_startup_cb() that could be used for this
this fix is similar to accel_startup_ok() as seen here: fc1db70f10/ext/opcache/ZendAccelerator.c (L2631-L2634)
Closes GH-16853.
While the test obviously succeeds on Windows, it may occasionally
conflict with file_put_contents_variation7-win32.phpt[1], so we skip it
like we do for many other of these tests which have win32 pendants.
[1] <https://github.com/php/php-src/actions/runs/11527743659/job/32093951818>
Closes GH-16722.
This fixes issues causing buffer over-read that leak heap content:
- RESP packet field default left over for COM_LIST
- RESP packet upsert filename
- OK packet message
- RESP packet for stmt row data
- ps_fetch_from_1_to_8_bytes
- ps_fetch_float
- ps_fetch_double
- ps_fetch_time
- ps_fetch_date
- ps_fetch_datetime
- ps_fetch_string
- ps_fetch_bit
- RESP packet for query row data (just possible overflow on 32bit)
It also adds various protocol tests using a new fake server.
