If you can extend the file between the file size gathering (resulting in
a buffer allocation), and reading / writing to the file you can trigger a
TOC-TOU where you write out of bounds.
To solve this, add extra bound checks and make sure that write actions
always fail when going out of bounds.
The easiest way to trigger this is via a pipe, which is used in the
test, but it should be possible with a regular file and a quick race
condition as well.
Closes GH-20591.
With macos Tahoe and clang "17.0.0" (Xcode) the ext/posix/tests/posix_getgrgid_macosx.phpt test crashes as follow:
ext/posix/posix.c:681:19: runtime error: load of misaligned address 0x60800000e972 for type 'char **', which requires 8 byte alignment
0x60800000e972: note: pointer points here
70 00 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
seems memcpy had been translated to a load instruction ?
anyhow, we force to copy a "proper" char * source.
close GH-20744
This stopped working after e735d2bc3b because fp_refcount is increased,
making phar think that the file has open read pointers.
To fix this, the refcount shouldn't be increased but that would
re-introduce the previous bug.
Instead, we need to add a field that "locks" the existence of the
internal entry separate from the refcount.
Closes GH-20473.
The size of `got` was incorrect: it being unsigned means that the error
return codes are converted from -1 to SIZE_MAX. We should use ssize_t
instead.
Closes GH-20735.
The problem is that the code is doing `php_output_handler_free` in a loop on the output stack,
but prior to freeing the pointer on the stack in `php_output_handler_free` it calls
`php_output_handler_dtor` which can run user code that reallocates the stack,
resulting in a dangling pointer freed by php_output_handler_free.
Furthermore, OG(active) is set when creating a new output handler, but
the loop is supposed to clean up all handlers, so OG(active) must be
reset as well.
Closes GH-20356.
This procedure may be called during i_free_compiled_variables(), when
EG(current_execute_data) is unfortunately already reset to the parent frame.
EG(opline_before_exception) does not actually belong to this frame. Furthermore,
setting opline to EG(exception_op) early will miss a later
zend_rethrow_exception(), which will also miss installation of the correct
EG(opline_before_exception).
Fixes GH-20714
Closes GH-20716
* PHP-8.2:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* PHP-8.1:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
zval_get_string() can never return NULL, you need to use the try version
to get NULL. This is observable because the process will still spawn
even if an exception had occurred. To fix this, use the try variant.
Closes GH-20650.
All other code caters to dereferencing array elements, except the
unserialize handler. This causes references to be present in the fixed
array even though this seems not intentional as reference assign is
otherwise impossible.
On 8.5+ this causes an assertion failure. On 8.3+ this causes references
to be present where they shouldn't be.
Closes GH-20616.
The string added had uninitialized memory due to
php_read_stream_all_chunks() not moving the buffer position, resulting
in the same data always being overwritten instead of new data being
added to the end of the buffer.
Closes GH-20592.
The issue is specific to SLES15.
Arguably this should be reported to them as it seems to me they meddled
with the oniguruma source code.
The definition in oniguruma.h on that platform looks like this (same as upstream):
```c
ONIG_EXTERN
int onig_error_code_to_str PV_((OnigUChar* s, int err_code, ...));
```
Where `PV_` is defined as (differs):
```c
#ifndef PV_
#ifdef HAVE_STDARG_PROTOTYPES
# define PV_(args) args
#else
# define PV_(args) ()
#endif
#endif
```
So that means that `HAVE_STDARG_PROTOTYPES` is unset.
This can be set if we define `HAVE_STDARG_H`,
which we can do because PHP requires at least C99 in which the header
is always available.
We could also use an autoconf check, but this isn't really necessary as
it will always succeed.
The return type has been zip_int64_t since 2009, so we shouldn't
truncate to an int because the user may have requested a size that won't
fit in an int.
Closes GH-20509.
When type == 2, the zval is not initialized, so zval_ptr_dtor() on it
will crash.
Unfortunately couldn't test with property_exists() or Reflection because
they have fast paths that go through the property info, but fortunately
there are paths that don't implement a fast path (e.g. because it
doesn't make sense at that point), like with array_column().
So we use array_column() to trigger the crash.
Closes GH-20496.
In 61884c3b52 I added these FIXME comments after I noticed that this
would cause an assertion failure. At that time I did not yet know what
to do here. I took a look at the code now and other streams return -1
and leave the file position untouched. So we do the same for phar.
This fixes the assertion failure and subsequent crashes, but also
changes one test output. However, I believe the new test output is
correct.
Closes GH-20475.
This aligns the behaviour with what the stubs say.
And even if one fixes the stubs the behaviour is not identical due to missing indirect handling.
This indicates that using objects is never done, so do the easy fix of changing the ZPP specifier.
Closes GH-20465
We would need to escape the attributes, but there's no builtin method
that we can call in libxml2 to do so in a way consistent with the
attribute escape rules and expat.
In fact, expat just repeats the input, while we reconstruct it.
To fix the issue, and fix consistency with expat, we repeat the input as
well. This works by seeking to the start and end of the tag and passing
it to the default handler. This is fine for the parser because the
parser used in ext/xml is always in non-progressive mode, so we have
access to the entire input buffer.
Functions are case insensitive. The flush code already takes this into
account by checking for the __halt_compiler() symbol in a case
insensitive manner; however the parsing code did not do that yet.
Closes GH-20445.
Jakub Zelenka