Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.
To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.
Versions of libxml of 2.13 and higher are not affected.
This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source like from a remote
SOAP service.
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>

This adds error checks for the escape functions in the pgsql and pdo_pgsql
extensions. It prevents the possibility of storing improperly escaped
data, which could potentially lead to some security issues.

This fixes stream_socket_client() and fsockopen().
Specifically, it adds a check to parse_ip_address_ex and it also makes
sure that the \0 is not ignored in fsockopen() hostname formatting.
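The NUL-byte check this commit describes, as an added example that is not php-src code: a hypothetical `format_connect_target()` takes the host as a length-delimited buffer (the way a script engine stores strings) and rejects an embedded `\0`, shown beside the `"%s"`-based formatting that silently truncates at the first NUL. The helper names, the constructed host string and the port are assumptions for illustration, not PHP's `parse_ip_address_ex`.

```c
#include <stdio.h>
#include <string.h>

/* Hardened version: the host is a length-delimited buffer, and any embedded
 * NUL byte is rejected instead of being treated as the end of the name.
 * Hypothetical helper, not PHP's parse_ip_address_ex().
 * Returns the formatted length, or -1 on error. */
int format_connect_target(const char *host, size_t host_len, unsigned port,
                          char *out, size_t out_len)
{
    if (host == NULL || host_len == 0 || memchr(host, '\0', host_len) != NULL) {
        return -1;  /* empty host or embedded NUL: refuse to format */
    }
    int n = snprintf(out, out_len, "%.*s:%u", (int)host_len, host, port);
    if (n < 0 || (size_t)n >= out_len) {
        return -1;  /* encoding error or output buffer too small */
    }
    return n;
}

/* The behaviour the fix removes: "%s" stops at the first NUL, so the bytes
 * after it are quietly dropped and host_len is never consulted.
 * Kept only to contrast with the check above. */
int format_connect_target_naive(const char *host, size_t host_len, unsigned port,
                                char *out, size_t out_len)
{
    (void)host_len;  /* the length is ignored, which is exactly the defect */
    int n = snprintf(out, out_len, "%s:%u", host, port);
    if (n < 0 || (size_t)n >= out_len) {
        return -1;
    }
    return n;
}

int main(void)
{
    /* Constructed input: a 19-byte host name with an embedded NUL. */
    const char host[] = "example.org\0ignored";
    size_t host_len = sizeof(host) - 1;
    char out[64];

    if (format_connect_target_naive(host, host_len, 443, out, sizeof out) > 0) {
        printf("naive : \"%s\" (bytes after the NUL were dropped)\n", out);
    }
    if (format_connect_target(host, host_len, 443, out, sizeof out) < 0) {
        printf("strict: rejected host with embedded NUL\n");
    }
    if (format_connect_target("example.org", 11, 443, out, sizeof out) > 0) {
        printf("strict: \"%s\"\n", out);
    }
    return 0;
}
```

The point of comparing the two is that the naive path never fails: it produces a plausible-looking target string, so the truncation is invisible to the caller, whereas the length-aware version turns the same input into an explicit error.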
Property hooks were not handled for JIT+trait+preloading.
Split the existing functions that handle op arrays, and add iterations
for property hooks.
Closes GH-18923.

ptrdiff_t is a C89 standard type defined in `<stddef.h>` and widely
available on current platforms. Using it conditionally as in these
occurrences is not needed anymore.

ParentNode::$children returns a HTMLCollection of all directly
descendant child elements of a container.
I had to move around some properties such that the ParentNode property
offsets are always at a fixed offset, to simplify the code.
This also adds the necessary code to deal with GC cycles in
HTMLCollections.
Furthermore, we also disable cloning a HTMLCollection as that never
worked and furthermore it also conflicts with the [[SameObject]] WebIDL
requirement of $children.

Only covers constants declared via stub files; others will be handled
separately in a later commit.

Does not include the intl extension, since that had some errors relating to the
cpp code; that extension will be updated separately.

When the array functions perform their operation in-place, the
`@refcount 1` annotation is wrong and causes a failure under
`ZEND_VERIFY_FUNC_INFO`.
The test file tests all functions that have the in-place optimization,
even those that didn't have the refcount annotation, just to prevent
future regressions.
Closes GH-18929.

This functionality is not part of the POSIX interface.
- On FreeBSD, the wait6 system call provides it
- On Linux, the raw waitid system call provides it (glibc does not)
Closes GH-15921.

Like in other languages, and especially C, where printf originates from,
a missing precision should be treated as a 0 precision.
Because the ADJ_PRECISION flag was not set, the double formatting code
reset the precision to the default float precision of 6.

Prior to this commit the exit code of the sendmail command, called by
the mail function was lost, since the mail function only returns true or
false. Add additional logging to the mail function to capture the exit
code when the sendmail command fails.

Prior to this commit the return code of the pclose function was assumed
to be the exit code of the process. However, the returned value as
specified in wait(2) is a bit packed integer and must be interpreted
with the provided macros. This has no effect in success cases as the
integer is still zero, but in failure cases the wrong value is used,
since the 8 least significant bits contain the status code. After this
commit we use the macros to obtain the status code, which fixes the
EX_TEMPFAIL conditional.
For WIN32 the TSRM popen_ex and pclose function are used. The return
value of TSRM's pclose is not bit packed so we only check if the return
value is non-zero, which should solve #43327:
https://bugs.php.net/bug.php?id=43327
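How the packed status returned by pclose() has to be decoded, as an added example that is not php-src code: `decode_exit_code()` applies the wait(2) macros, `naive_is_tempfail()` shows the direct comparison the commit replaces, and `packed_exit_status()` constructs the value the kernel hands back for `exit(75)` so the block runs without spawning anything. `EX_TEMPFAIL` is sendmail's temporary-failure code (75, as in `<sysexits.h>`); the helper names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>

#ifndef EX_TEMPFAIL
#define EX_TEMPFAIL 75   /* same value as <sysexits.h>: sendmail "temporary failure" */
#endif

/* The interpretation the commit removes: the raw packed status is compared
 * as if it were the exit code. This only agrees with reality for status 0. */
int naive_is_tempfail(int raw_status)
{
    return raw_status == EX_TEMPFAIL;
}

/* Decode a wait(2)-style status. Returns the child's exit code when it
 * exited normally, or -1 when pclose()/wait() itself failed or the child
 * was terminated by a signal (there is no exit code in that case). */
int decode_exit_code(int raw_status)
{
    if (raw_status == -1) {
        return -1;                       /* pclose()/wait() failed */
    }
    if (WIFEXITED(raw_status)) {
        return WEXITSTATUS(raw_status);  /* exit code, stored in bits 8..15 */
    }
    return -1;                           /* WIFSIGNALED or stopped */
}

int is_tempfail(int raw_status)
{
    return decode_exit_code(raw_status) == EX_TEMPFAIL;
}

/* Constructed status, packed the way Linux/BSD report exit(n): exit code in
 * bits 8..15, terminating signal (0 for a normal exit) in bits 0..6. */
int packed_exit_status(int exit_code)
{
    return (exit_code & 0xff) << 8;
}

int main(void)
{
    int raw = packed_exit_status(EX_TEMPFAIL);
    printf("raw status for exit(%d): %d (0x%x)\n", EX_TEMPFAIL, raw, raw);
    printf("naive comparison sees tempfail: %d\n", naive_is_tempfail(raw));
    printf("WEXITSTATUS gives %d, tempfail: %d\n", decode_exit_code(raw), is_tempfail(raw));

    /* Optional live check: pclose() returns the same packed value. */
    FILE *p = popen("exit 75", "r");
    if (p != NULL) {
        int live = pclose(p);
        printf("live pclose(): %d -> exit code %d\n", live, decode_exit_code(live));
    }
    return 0;
}
```

Decoding through the macros also makes the signal case explicit: a child killed by a signal yields no exit code at all, so a caller that wants to log "sendmail failed" has to distinguish that from a non-zero exit status rather than printing the raw integer.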
During persisting, the JIT may trigger and fill in the call graph.
The call graph info is allocated on the arena which will be gone after preloading.
To prevent invalid accesses during normal requests, the arena data should be cleared.
This has to be done after all scripts have been persisted because shared op arrays between
scripts can change the call graph.
Closes GH-18916.

ZEND_FUNC_INFO() cannot be used on internal CEs. If preloading makes a
CE that's an alias of an internal class, the invalid access happens when
setting the FUNC_INFO.
While we could check the class type to be of user code, we can just skip
aliases altogether anyway, which may be faster.
Closes GH-18915.

Clearly nobody has used this in a while given the compile errors and
warnings.
This patch fixes them so there are no errors nor warnings anymore.
Closes GH-18910.