Alexandre Daubois
7cceda1597
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix GH-19577: avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator (#19585)
2025-09-05 08:10:22 +02:00
Alexandre Daubois
05133ac962
Fix GH-19577: avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator (#19585)
2025-09-05 08:09:06 +02:00
Ilija Tovilo
5be04e25fd
[skip ci] Skip segfaulting OOM test in GH actions on Win
...
This only fails on the PHP-8.3 branch, most likely to be related to the
environment as discussed with Niels.
2025-08-06 14:28:47 +02:00
Niels Dossche
76b6b60b8c
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix GH-19094: Attaching class with no Iterator implementation to MultipleIterator causes crash
2025-07-11 12:28:25 +02:00
Niels Dossche
71472268c0
Fix GH-19094: Attaching class with no Iterator implementation to MultipleIterator causes crash
...
Closes GH-19097.
2025-07-11 12:27:41 +02:00
Niels Dossche
4ff41cfb4b
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix GH-18421: Integer overflow with large numbers in LimitIterator
2025-04-25 20:06:18 +02:00
Niels Dossche
a91d913901
Fix GH-18421: Integer overflow with large numbers in LimitIterator
...
Since we already know that `pos < intern->u.limit.offset` at this point,
we can reverse the expression.
Closes GH-18424.
2025-04-25 20:05:55 +02:00
Niels Dossche
fc63a98f17
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix GH-18322: SplObjectStorage debug handler mismanages memory
2025-04-14 14:11:35 +02:00
Niels Dossche
67503870ca
Fix GH-18322: SplObjectStorage debug handler mismanages memory
...
This hack was once necessary before there was a proper get_gc handler,
but now it breaks the engine constraints.
Closes GH-18323.
2025-04-14 14:11:09 +02:00
Niels Dossche
a019fbd970
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix GH-18309: ipv6 filter integer overflow
Fix GH-18304: Changing the properties of a DateInterval through dynamic properties triggers a SegFault
2025-04-11 23:36:12 +02:00
Niels Dossche
ba0853888d
Fix GH-18304: Changing the properties of a DateInterval through dynamic properties triggers a SegFault
...
For dynamic fetches the cache_slot will be NULL, so we have to check for
that when resetting the cache. For zip and xmlreader this couldn't
easily be tested because of a lack of writable properties.
Closes GH-18307.
2025-04-11 23:33:58 +02:00
Niels Dossche
d43d4684bd
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix GH-18018: RC1 data returned from offsetGet causes UAF in ArrayObject
2025-03-13 19:11:24 +01:00
Niels Dossche
27affd8da1
Fix GH-18018: RC1 data returned from offsetGet causes UAF in ArrayObject
...
We should first check truthiness and only after that destroy the value.
Closes GH-18034.
2025-03-13 19:10:34 +01:00
David Carlier
c82e31b026
Fix GH-17516: SplFileTempObject::getPathInfo() crash on invalid class.
...
This no longer caught the case where a non SplFileInfo/inherited class
was passed since the refactoring in 8.4.
close GH-17517
2025-01-19 18:01:02 +00:00
David Carlier
b1e0176455
Merge branch 'PHP-8.3' into PHP-8.4
2025-01-14 18:32:51 +00:00
David Carlier
e4473abefc
Fix GH-17463: SplTempFileObject::ftruncate() segfault on negative length.
...
close GH-465
2025-01-14 18:32:01 +00:00
Niels Dossche
b666dc9788
Fix GH-15833: Segmentation fault (access null pointer) in ext/spl/spl_array.c
...
We're accessing the object properties table directly in spl, but we're
not accounting for lazy objects. Upon accessing we should trigger the
initialization as spl is doing direct manipulations on the object
property table and expects a real object.
Closes GH-17235.
2025-01-09 19:58:00 +01:00
Niels Dossche
a02648087a
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix GH-17225: NULL deref in spl_directory.c
2024-12-21 12:47:48 +01:00
Niels Dossche
4bfe69bbc4
Fix GH-17225: NULL deref in spl_directory.c
...
NULL checks for the glob stream are inconsistently applied. To solve
this generally, factor it out to a helper function so it's less likely
to be forgotten in the future.
Closes GH-17231.
2024-12-21 12:46:05 +01:00
Niels Dossche
5f13c62c77
Fix GH-17198: SplFixedArray assertion failure with get_object_vars
...
Because the properties table contains both a numeric index and a string
index that map to 0 in a symbol table, this causes an assertion failure.
Looking at the manual page of get_object_vars(), it seems that only real
properties must be included. Given that SplFixedArray's elements are not
accessible like properties, they should be excluded. This restores PHP
8.3 behaviour. The reason that this didn't cause problems on 8.3 is
because it used a different handler (get_properties).
Closes GH-17206.
2024-12-17 23:22:33 +01:00
Dmitry Stogov
ccc6c0f78c
Fix GH-15709: Crashing tests on Windows x64 (#17095)
...
This is a quick fix for the problem.
It'll work while all the JIT-ed functions have the same "fixed stack frame".
Unwinder uses hard-coded unwind data for this "fixed stack frame".
* Preallocate space for Win64 shadow args
* typo
* Setup unwinder for JIT functions
* Revert "Dynamically xfail test case which fails on CI"
This reverts commit 7cc327fd5a.
* Revert "Dynamically xfail test case which fails on CI"
This reverts commit bdde797159.
* Revert "Dynamically xfail test cases which fail on CI (GH-15710)"
This reverts commit 6d5962074f.
* Remove XFAIL sections
* Add hard-coded SEH unwind data for EXITCALL
* Fix unwind data
* Fix Windows multi-process support
* Typo
2024-12-13 02:05:45 +03:00
Ilija Tovilo
66ad4ce699
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Add NEWS entry
Also fix same issue in ArrayObject::exchangeArray()
Fix use-after-free in ArrayObject::unset() with destructor
2024-11-04 17:49:08 +01:00
Ilija Tovilo
dca438e6a3
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
Add NEWS entry
Also fix same issue in ArrayObject::exchangeArray()
Fix use-after-free in ArrayObject::unset() with destructor
2024-11-04 17:47:49 +01:00
Ilija Tovilo
f7222bd2de
Also fix same issue in ArrayObject::exchangeArray()
2024-11-04 17:46:17 +01:00
Ilija Tovilo
8910ac800d
Fix use-after-free in ArrayObject::unset() with destructor
...
Fixes GH-16646
Closes GH-16653
2024-11-04 17:45:56 +01:00
Niels Dossche
7a78ffcbb2
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix GH-16604: Memory leaks in SPL constructors
2024-11-01 20:43:43 +01:00
Niels Dossche
eaa2b61acb
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
Fix GH-16604: Memory leaks in SPL constructors
2024-11-01 20:43:28 +01:00
Niels Dossche
886a5287ca
Fix GH-16604: Memory leaks in SPL constructors
...
Closes GH-16673.
2024-11-01 20:42:28 +01:00
David Carlier
6a0035b7f4
Merge branch 'PHP-8.3' into PHP-8.4
2024-10-28 21:25:39 +00:00
David Carlier
e039afffaf
Merge branch 'PHP-8.2' into PHP-8.3
2024-10-28 21:22:17 +00:00
David Carlier
eeec0939e0
Fix GH-14687 segfault on debugging a freed SplObjectIterator instance.
...
close GH-14711
2024-10-28 21:21:44 +00:00
Niels Dossche
396b995d76
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix GH-16589: UAF in SplDoublyLinked->serialize()
2024-10-27 19:12:16 +01:00
Niels Dossche
d9947e8c42
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
Fix GH-16589: UAF in SplDoublyLinked->serialize()
2024-10-27 19:12:02 +01:00
Niels Dossche
8f60309a78
Fix GH-16589: UAF in SplDoublyLinked->serialize()
...
Closes GH-16611.
2024-10-27 19:11:37 +01:00
Gina Peter Banyard
5d993e9641
Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor)
...
Closes GH-16480
Closes GH-16604
2024-10-25 22:05:10 +01:00
Gina Peter Banyard
a19029fc8b
Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor)
...
Closes GH-16480
Closes GH-16604
2024-10-25 22:04:10 +01:00
Gina Peter Banyard
d353a89c49
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor)
2024-10-25 22:03:29 +01:00
Gina Peter Banyard
9f5b5e34c3
Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor)
...
Closes GH-16480
Closes GH-16604
2024-10-25 22:02:38 +01:00
Niels Dossche
3599fd0c51
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix GH-16588: UAF in Observer->serialize
2024-10-25 23:00:46 +02:00
Niels Dossche
cc88b1f824
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
Fix GH-16588: UAF in Observer->serialize
2024-10-25 23:00:24 +02:00
Niels Dossche
144d2ee29a
Fix GH-16588: UAF in Observer->serialize
...
Closes GH-16600.
2024-10-25 22:59:59 +02:00
Niels Dossche
e9283c0819
Fix GH-16574: Incorrect error "undefined method" messages
...
The `get_method` object handler may change the object pointer. SPL does
this in its iterator implementations. This causes the error message
to change to another class which is confusing to the user. JIT handles
this correctly. This patch aligns behaviour with JIT.
Closes GH-16576.
2024-10-25 18:33:24 +02:00
Ilija Tovilo
c82cea0c34
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix uaf in SplFixedArray::unset()
2024-10-17 18:25:56 +02:00
Ilija Tovilo
0932b76d02
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
Fix uaf in SplFixedArray::unset()
2024-10-17 18:25:33 +02:00
Ilija Tovilo
7fe168d855
Fix uaf in SplFixedArray::unset()
...
Fixes GH-16478
Closes GH-16481
2024-10-17 18:23:55 +02:00
Ilija Tovilo
6d6b20f561
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix use-after-free in SplObjectStorage::setInfo()
2024-10-17 18:21:51 +02:00
Ilija Tovilo
40e43ffd41
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
Fix use-after-free in SplObjectStorage::setInfo()
2024-10-17 18:21:31 +02:00
Ilija Tovilo
12c987fae2
Fix use-after-free in SplObjectStorage::setInfo()
...
Fixes GH-16479
Closes GH-16482
2024-10-17 18:20:42 +02:00
Ilija Tovilo
d15e227750
Merge branch 'PHP-8.3' into PHP-8.4
...
* PHP-8.3:
Fix uaf in SplDoublyLinkedList::offsetSet()
2024-10-16 23:05:36 +02:00
Ilija Tovilo
e5d837ca79
Merge branch 'PHP-8.2' into PHP-8.3
...
* PHP-8.2:
Fix uaf in SplDoublyLinkedList::offsetSet()
2024-10-16 23:05:15 +02:00