The rename code can error out prior to the reassignment of the filename,
which is why the test causes a crash.
The rename code can also error out at a later point,
which means it will have already assigned the new filename.
We detect in which case we are in and act accordingly.
Closes GH-19761.
PSFS_FEED_ME is supposed to be returned when the filter did not receive
enough data and did not generate buckets for the output brigade.
The test generates buckets anyway on the output brigade, and the stream
layer did not handle that case causing a memory leak.
To solve this, discard any such buckets as it would conflict with the
status code returned by the filter. This keeps BC and solves the leak.
Closes GH-18972.
This regressed in 8.4 when dba started mixing objects and resources
(streams).
The streams are first destroyed at a first step in shutdown, and in slow
shutdown then the symbol table is destroyed which destroys the dba
objects. The dba objects still use the streams but they have been
destroyed already, causing a UAF. Using dtor_obj instead of free_obj
would work around this but would cause issues like memory leaks because
dtor_obj may be skipped while free_obj may not be.
Instead, use the same solution as mysqlnd uses in that we fully manage
the stream lifecycle ourselves. This also avoids users from meddling
with the stream through get_resources().
This would be fixed 'automatically' in the future when we are using
objects for everything.
Closes GH-19710.
The case of returning 0 is inconsistent in when it returns an empty
array, furthermore the caller already returns an empty array.
Because the caller overwrites the return value in these cases, it can
cause a memory leak.
This is easier to trigger on master in some cases as different code paths
are taken with the new bundled glob. On some platforms it is also
triggerable on 8.3.
Closes GH-19715.
This one is not initialized. This is not hittable from userspace code
because all locations within first-party php-src code have a valid
`option` argument.
Closes GH-19714.
Range analysis may fail to converge (the process hangs) when the transfer
function zend_inference_calc_range produces a smaller range.
Fix by ensuring that the widening operator zend_inference_widening_meet
allows only widening. This matches the inference rules in figure 13 of the
paper.
Fixes GH-19679
Closes GH-19683
This code is very similar to code on PHP 8.4 and higher, but the
mitigation is extended to entity references and to attribute children.
Closes GH-19620.
The value is temporarily duplicated. While the value is allocated persistently,
it will be freed if the ini value can't be set. This is safe, given the value
has not actually been stored.
Exposed by GH-19619
Closes GH-19671
