Makes it like ext/standard/tests/file/filetype_variation.phpt; it's not
just Windows that can have a missing posix_mkfifo, but also a minimal
build, like the ones suggested that RMs test with (using --disable-all).
(cherry picked from commit bd484ed65f)
Static analysis reports that the bounds check comes after reading the
byte from the buffer.
In practice, this is tagged data that loops until the end tag is found
and therefore there isn't really a bug. The extra length check is only
there for extra hardening.
So we simply silence the static analysers and improve the hardening.
See also https://docwiki.embarcadero.com/InterBase/15/en/Isc_dsql_sql_info()
If you can extend the file between the file size gathering (resulting in
a buffer allocation), and reading / writing to the file you can trigger a
TOC-TOU where you write out of bounds.
To solve this, add extra bound checks and make sure that write actions
always fail when going out of bounds.
The easiest way to trigger this is via a pipe, which is used in the
test, but it should be possible with a regular file and a quick race
condition as well.
Closes GH-20591.
With macOS Tahoe and clang "17.0.0" (Xcode), the ext/posix/tests/posix_getgrgid_macosx.phpt test crashes as follows:
ext/posix/posix.c:681:19: runtime error: load of misaligned address 0x60800000e972 for type 'char **', which requires 8 byte alignment
0x60800000e972: note: pointer points here
70 00 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
seems memcpy had been translated to a load instruction?
anyhow, we force to copy a "proper" char * source.
close GH-20744
This stopped working after e735d2bc3b because fp_refcount is increased,
making phar think that the file has open read pointers.
To fix this, the refcount shouldn't be increased but that would
re-introduce the previous bug.
Instead, we need to add a field that "locks" the existence of the
internal entry separate from the refcount.
Closes GH-20473.
The size of `got` was incorrect: it being unsigned means that the error
return codes are converted from -1 to SIZE_MAX. We should use ssize_t
instead.
Closes GH-20735.
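The signedness problem described in the commit message above, as an added example that is not PHP's code: it shows how storing the result of read() in an unsigned variable turns the -1 error return into SIZE_MAX, next to a version that keeps it in ssize_t. The names fill_unsigned, fill_signed, make_sample_pipe and demo_buf are hypothetical, and the pipe contents are constructed sample input.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

static char demo_buf[16];

/* Constructed input: read end of a pipe holding "hello", writer already closed. */
static int make_sample_pipe(void) {
    int fds[2];
    if (pipe(fds) != 0 || write(fds[1], "hello", 5) != 5) return -1;
    close(fds[1]);
    return fds[0];
}

/* 'Before' shape (hypothetical): read()'s ssize_t result is stored unsigned. */
static size_t fill_unsigned(int fd, char *buf, size_t cap) {
    size_t total = 0;
    while (total < cap) {
        size_t got = (size_t)read(fd, buf + total, cap - total); /* -1 becomes SIZE_MAX */
        if (got == 0) break;  /* EOF */
        total += got;         /* a failed read is counted as SIZE_MAX bytes */
    }
    return total;
}

/* 'After' shape: keep the result signed so the -1 error return stays visible. */
static ssize_t fill_signed(int fd, char *buf, size_t cap) {
    size_t total = 0;
    while (total < cap) {
        ssize_t got = read(fd, buf + total, cap - total);
        if (got < 0) {
            if (errno == EINTR) continue;  /* interrupted, retry */
            return -1;                     /* real error, report it */
        }
        if (got == 0) break;               /* EOF */
        total += (size_t)got;
    }
    return (ssize_t)total;
}

int main(void) {
    printf("pipe:   unsigned=%zu signed=%zd\n", fill_unsigned(make_sample_pipe(), demo_buf, sizeof demo_buf),
           fill_signed(make_sample_pipe(), demo_buf, sizeof demo_buf));
    printf("bad fd: unsigned=%zu signed=%zd\n", fill_unsigned(-1, demo_buf, sizeof demo_buf),
           fill_signed(-1, demo_buf, sizeof demo_buf));
    return 0;
}
```

On the invalid descriptor the unsigned variant reports SIZE_MAX bytes as if the read had succeeded, which is the value a later length or bounds computation would then trust.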
* PHP-8.2:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* PHP-8.1:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
The string added had uninitialized memory due to
php_read_stream_all_chunks() not moving the buffer position, resulting
in the same data always being overwritten instead of new data being
added to the end of the buffer.
This is a backport as there is a security impact as described in
GHSA-3237-qqm7-mfv7.
zval_get_string() can never return NULL, you need to use the try version
to get NULL. This is observable because the process will still spawn
even if an exception had occurred. To fix this, use the try variant.
Closes GH-20650.
All other code caters to dereferencing array elements, except the
unserialize handler. This causes references to be present in the fixed
array even though this seems not intentional as reference assign is
otherwise impossible.
On 8.5+ this causes an assertion failure. On 8.3+ this causes references
to be present where they shouldn't be.
Closes GH-20616.