As explained by Snape3058: On 64-bit machines, we typically have 7 bytes
of padding between the zend_string.val[0] char and the following char[].
This means that zend_string.val[1-7] write to and read from the struct
padding, which is a bad idea.
Allocate the given string separately instead.
Fixes GH-17564
Closes GH-17576
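To make the layout concrete, here is an added example (not php-src code) with a struct that mimics the 64-bit layout of zend_string and an embedding struct like the one the message describes. The type and field names are stand-ins chosen to reproduce the 7-byte gap, and `str_alloc` is a hypothetical helper that sizes the allocation the way a separate string allocation should:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for zend_string on a 64-bit build: sizeof is 32, val sits at offset 24,
 * so 7 bytes of tail padding follow val[0]. */
typedef struct {
    uint32_t refcount;      /* together with type_info: the 8-byte refcounted header */
    uint32_t type_info;
    uint64_t h;             /* hash */
    size_t   len;
    char     val[1];        /* first byte of the string; callers expect more to follow */
} str_t;

/* The buggy shape: a zend_string member followed by a char[] that the old code
 * assumed val[] would run straight into. */
typedef struct {
    str_t str;
    char  buf[16];
} embedded_t;

/* Bytes between val[0] and buf[0]: writes to val[1..gap] land in struct padding. */
size_t padding_between_val_and_buf(void)
{
    return offsetof(embedded_t, buf)
         - (offsetof(embedded_t, str) + offsetof(str_t, val) + 1);
}

/* Separate allocation: size the block from the offset of val, so val[0..len] is one
 * contiguous run owned by the allocation (the same idea zend_string_alloc uses). */
str_t *str_alloc(const char *s)
{
    size_t len = strlen(s);
    str_t *z = malloc(offsetof(str_t, val) + len + 1);
    if (!z) return NULL;
    z->refcount = 1;
    z->type_info = 0;
    z->h = 0;
    z->len = len;
    memcpy(z->val, s, len + 1);
    return z;
}

/* Returns 1 if a string longer than the 7 padding bytes survives the round trip. */
int separate_alloc_roundtrip(void)
{
    const char *sample = "padding-is-not-storage";   /* constructed input, 22 bytes */
    str_t *z = str_alloc(sample);
    if (!z) return 0;
    int ok = z->len == 22 && strcmp(z->val, sample) == 0;
    free(z);
    return ok;
}
```

The gap exists because sizeof(str_t) is rounded up to its 8-byte alignment, so the bytes after val[0] belong to no field and nothing guarantees that buf starts right after them; a struct that embeds the string type by value therefore cannot safely treat val[] as open-ended.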
If both the driver object and statement end up in the GC buffer and are
freed by the GC, then the destruction order is not deterministic and it
is possible that the driver object is freed before the statement. In
that case, accessing S->H will cause a UAF. As the resources are already
released we simply skip the destruction if the driver object is already
destroyed.
`zend_test_create_throwing_resource` sets the exception in the `test`
call frame and unwinds to `main`. It then throws for the `resource`
variable and verifies that the exception opline is set. However, it
wasn't set in `main`; it was set at the `test` call frame and rethrown later.
The assertion is too conservative, but the end result is right, so drop
the assertion.
Closes GH-17533.
Co-authored-by: Ilija Tovilo <ilija.tovilo@me.com>
The array merging function may still hold the properties array while the
object is already being destroyed. Therefore, we should take into
account the refcount in simplexml's destruction code.
It may be possible to trigger this in other ways too.
Closes GH-17421.
We port the respective upstream fix[1]. We only run the test against
bundled libgd, since external libgd may yield different results.
Cf. <2b26be874d>.
Closes GH-17380.
We apply the same fix that has been applied to external libgd at least
as of 2.0.29.
To avoid issues regarding minor FreeType rendering differences, the
test case does not compare against an image, but rather checks that all
pixels outside the clipping rect have the background color.
Closes GH-17374.
This is a follow-up on GH-17343 to implement GC cycle management.
Previously the objects lived too long due to the strong cycle.
This patch adds get_gc handlers to break the cycle.
Closes GH-17355.
This is porting the relevant part of a previous upstream commit[1] to
align the behavior of our bundled libgd with upstream. It should be
noted that this only works if the image actually has a transparent
color.
[1] <4770e2b2d5>
Closes GH-17351.
The segfault happens because zoi->wrapping_obj points to an object that has been freed.
This wrapping_obj is set in IntlIterator_from_StringEnumeration().
Notice how the refcount is not increased in this function.
By switching to ZVAL_OBJ_COPY, the segfault disappears.
We also need to move the responsibility of destroying the iterator to
the iterator itself and keep the object data destruction in the object
destruction. The existing code used a weird recursive destruction
between the iterator and object that was too hard to understand to be
honest. This patch simplifies everything and in the process gets rid of
the leak.
Iterators that are embedded are now responsible for their own
memory cleanup.
Closes GH-17343.
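The difference between storing the pointer and taking a reference is the whole bug, so here is an added example (not php-src code) that models it with a toy refcounted object. `iter_init_borrow` stands for the old ZVAL_OBJ behaviour, `iter_init_copy` for ZVAL_OBJ_COPY, and `iter_dtor` for the iterator cleaning up its own reference as the message requires; all names are hypothetical, and the same lifetime mistake underlies the driver/statement ordering in the PDO message above:

```c
#include <stdlib.h>

/* Stand-in for a zend_object; "destroyed" is recorded instead of freeing so the
 * scenario below can still inspect the object afterwards. */
typedef struct {
    int refcount;
    int destroyed;
} obj_t;

/* The embedded iterator: wrapping_obj plays the role of zoi->wrapping_obj. */
typedef struct {
    obj_t *wrapping_obj;
    int    owns_ref;
} iter_t;

static obj_t *obj_new(void)
{
    obj_t *o = calloc(1, sizeof *o);
    if (o) o->refcount = 1;
    return o;
}
static void obj_addref(obj_t *o) { o->refcount++; }
static void obj_release(obj_t *o) { if (--o->refcount == 0) o->destroyed = 1; }

/* ZVAL_OBJ-style: store the pointer without taking a reference (the bug). */
static void iter_init_borrow(iter_t *it, obj_t *o)
{
    it->wrapping_obj = o;
    it->owns_ref = 0;
}

/* ZVAL_OBJ_COPY-style: addref, so the object outlives every user of the iterator. */
static void iter_init_copy(iter_t *it, obj_t *o)
{
    obj_addref(o);
    it->wrapping_obj = o;
    it->owns_ref = 1;
}

/* The iterator drops the reference it took, and only that one. */
static void iter_dtor(iter_t *it)
{
    if (it->owns_ref) obj_release(it->wrapping_obj);
    it->wrapping_obj = NULL;
}

/* Scenario: object created, wrapped by an iterator, creator drops its own reference,
 * iterator is used afterwards. Returns 0 when lifetimes are right, 1 when the iterator
 * would dereference a destroyed object (the reported segfault), 2 when nothing ever
 * destroys the object (a leak). */
int check_iterator_lifetime(int take_reference)
{
    obj_t *o = obj_new();
    if (!o) return -1;
    iter_t it;
    if (take_reference) iter_init_copy(&it, o);
    else                iter_init_borrow(&it, o);

    obj_release(o);                         /* the original zval goes out of scope */
    int uaf = it.wrapping_obj->destroyed;   /* the iterator touches wrapping_obj */
    iter_dtor(&it);                         /* the iterator cleans up after itself */
    int leak = !o->destroyed;

    free(o);
    return uaf ? 1 : (leak ? 2 : 0);
}
```

With the borrowed pointer the object is destroyed as soon as its creator releases it, so any later access through the iterator is a use-after-free; with the copied reference it is destroyed exactly once, when the iterator's own destructor drops the last reference.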
This adds wrappers around recv(), send(), and php_pollfd_for_ms() to
handle EINTR.
This is a bit hard to test on its own, but it is testable manually using
the following script:
```php
<?php
// restart_syscalls=false: a delivered SIGUSR1 makes the blocked recv()/send()/poll()
// return EINTR instead of being restarted transparently by the kernel
pcntl_signal(SIGUSR1, function () {
    var_dump(func_get_args());
}, false);

// print the PID so the signalling loop knows its target, then leave time to start it
var_dump(getmypid());
sleep(10);

$ftp = ftp_connect('127.0.0.1');
ftp_login($ftp, 'user', 'pass');
ftp_put($ftp, 'testfile', 'testfile');
```
in combination with an infinite while loop that sends SIGUSR1 to the
process.
Closes GH-17327.
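What such wrappers look like, as an added example rather than the ftp extension's own code: `xrecv`, `xsend` and `xpoll` are hypothetical names, and `xpoll` goes a step beyond a plain retry by recomputing the timeout from a monotonic deadline so repeated signals cannot stretch the wait. The demo reproduces the manual test above in-process with a socketpair and a one-shot SIGALRM installed without SA_RESTART:

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

/* Calls that came back with EINTR and were retried (diagnostic only). */
static volatile sig_atomic_t eintr_retries;

/* recv()/send() that retry while errno == EINTR instead of reporting a spurious failure. */
ssize_t xrecv(int fd, void *buf, size_t len, int flags)
{
    ssize_t n;
    while ((n = recv(fd, buf, len, flags)) < 0 && errno == EINTR) eintr_retries++;
    return n;
}

ssize_t xsend(int fd, const void *buf, size_t len, int flags)
{
    ssize_t n;
    while ((n = send(fd, buf, len, flags)) < 0 && errno == EINTR) eintr_retries++;
    return n;
}

/* poll() that retries on EINTR but recomputes the remaining timeout from a monotonic
 * deadline, so a stream of signals cannot stretch the wait indefinitely. */
int xpoll(struct pollfd *fds, nfds_t nfds, int timeout_ms)
{
    struct timespec start, now;
    int remaining = timeout_ms;
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (;;) {
        int r = poll(fds, nfds, remaining);
        if (r >= 0 || errno != EINTR) return r;
        eintr_retries++;
        if (timeout_ms < 0) continue;              /* infinite wait: just retry */
        clock_gettime(CLOCK_MONOTONIC, &now);
        long elapsed = (now.tv_sec - start.tv_sec) * 1000L + (now.tv_nsec - start.tv_nsec) / 1000000L;
        remaining = timeout_ms - (int)elapsed;
        if (remaining <= 0) return 0;               /* deadline passed while interrupted */
    }
}

static int peer_fd = -1;

/* Runs when the timer fires while xrecv() is blocked; write(2) is async-signal-safe. */
static void on_alarm(int sig)
{
    (void)sig;
    (void)!write(peer_fd, "x", 1);
}

/* Returns 1 if a blocking xrecv() was hit by SIGALRM (installed without SA_RESTART, so
 * the kernel reports EINTR) and still delivered the byte the handler wrote. */
int demo_recv_survives_signal(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    peer_fd = sv[1];
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;                                /* deliberately no SA_RESTART */
    sigaction(SIGALRM, &sa, NULL);
    struct itimerval once = { {0, 0}, {0, 20000} }; /* one shot after 20 ms */
    setitimer(ITIMER_REAL, &once, NULL);
    char c = 0;
    ssize_t n = xrecv(sv[0], &c, 1, 0);             /* blocks until the handler's write lands */
    struct itimerval off = { {0, 0}, {0, 0} };
    setitimer(ITIMER_REAL, &off, NULL);
    close(sv[0]);
    close(sv[1]);
    return n == 1 && c == 'x';
}

/* Returns 1 if xsend()/xpoll()/xrecv() move a constructed message across a socketpair intact. */
int demo_roundtrip(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    const char msg[] = "STOR testfile\r\n";          /* constructed sample, not captured traffic */
    char buf[32] = {0};
    ssize_t want = (ssize_t)(sizeof msg - 1);
    int ok = xsend(sv[0], msg, (size_t)want, 0) == want;
    struct pollfd pfd = { sv[1], POLLIN, 0 };
    ok = ok && xpoll(&pfd, 1, 1000) == 1 && (pfd.revents & POLLIN) != 0;
    ok = ok && xrecv(sv[1], buf, sizeof buf - 1, 0) == want && strcmp(buf, msg) == 0;
    close(sv[0]);
    close(sv[1]);
    return ok;
}
```

Without the retry loop the interrupted recv() in `demo_recv_survives_signal` would return -1 with errno EINTR and a caller would report a transfer failure even though the data arrives a moment later; the deadline arithmetic in `xpoll` matters because a naive retry with the original timeout restarts the clock on every signal.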
We convert the test to use the CLI test server to not require online
availability.
As of PHP 8.3, the test is supposed to fail, because the timeout is too
large. Since exactly this scenario is already tested by gh16810.phpt,
we drop the test for PHP-8.3 and up.
Closes GH-17315.
* Fix FD getting code on big endian (PHP 8.3)
stream casting as FD returns a php_socket_t, which is an int, but
zend_long is 64-bit (on those platforms). This works on LE by
accident (unless it forgets to clear the high word), but is fatal
on big endian.
* change cast to match sig
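As an added example (not the php-src change itself), the following C models the mismatch with stand-in typedefs `socket_t` and `long_t` for php_socket_t and zend_long, and a hypothetical `cast_as_fd` callback that stores an int through the pointer it is handed, the way the stream cast does. The byte-order helper lets the buggy result be predicted on either kind of host:

```c
#include <stdint.h>
#include <string.h>

typedef int     socket_t;   /* stands in for php_socket_t (an int on POSIX) */
typedef int64_t long_t;     /* stands in for zend_long on a 64-bit build */

/* Mimics a stream cast callback: it writes exactly sizeof(socket_t) bytes through the
 * pointer it is given and knows nothing about the type of the caller's variable. */
static void cast_as_fd(void **ret, socket_t fd)
{
    memcpy(ret, &fd, sizeof fd);
}

/* The bug: the caller passes the address of a 64-bit variable. Only 4 of its 8 bytes
 * are written. On little-endian those are the low-order bytes, so a zeroed slot happens
 * to work; on big-endian they are the high-order bytes and the value comes back
 * shifted left by 32. */
long_t get_fd_wrong_type(socket_t fd)
{
    long_t slot = 0;   /* an uninitialised slot would be wrong on little-endian as well */
    cast_as_fd((void **)&slot, fd);
    return slot;
}

/* The fix: the out-parameter has the type the callback actually writes, and the
 * widening to long_t happens as an ordinary assignment afterwards. */
long_t get_fd_matching_type(socket_t fd)
{
    socket_t tmp = -1;
    cast_as_fd((void **)&tmp, fd);
    return (long_t)tmp;
}

int host_is_big_endian(void)
{
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 0;
}

/* What the buggy version returns on this host, derived from byte order alone. */
long_t predicted_wrong_result(socket_t fd)
{
    return host_is_big_endian() ? (long_t)fd << 32 : (long_t)fd;
}
```

On a little-endian host `get_fd_wrong_type(42)` returns 42 only because the slot was zeroed first; on a big-endian host it returns 42 shifted into the high word, which is the fatal case the message describes, while `get_fd_matching_type` returns 42 on both.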