If you can extend the file between the file size gathering (resulting in
a buffer allocation), and reading / writing to the file you can trigger a
TOC-TOU where you write out of bounds.
To solve this, add extra bound checks and make sure that write actions
always fail when going out of bounds.
The easiest way to trigger this is via a pipe, which is used in the
test, but it should be possible with a regular file and a quick race
condition as well.
Closes GH-20591.
C14N code expects namespace to be in-tree, but we store namespaces in a
different way out-of-tree to avoid reconciliations that break the tree
structure in a way unexpected by the DOM spec. In the DOM spec,
namespace nodes don't exist; they're regular attributes.
To solve this, we temporarily make fake namespace nodes that we later
remove.
Closes GH-20457.
If nothing was added to a smart_str, the interned empty string is
returned, and therefore ZVAL_NEW_STR is wrong as it'll set the
REFCOUNTED flag.
Closes GH-20773.
In eaee504c the session's save_path global was changed to a
zend_string pointer, but there are a few direct char-pointer accesses
in ext/session/mod_mm.c that slipped through the cracks. GCC-15
notices them and fails to build due to the incompatible pointer types.
Three ZSTR_* wrappers are all that is needed.
Gentoo-Bug: https://bugs.gentoo.org/967862
Closes GH-20772.
With macos Tahoe and clang "17.0.0" (Xcode) the ext/posix/tests/posix_getgrgid_macosx.phpt test crashes as follow:
ext/posix/posix.c:681:19: runtime error: load of misaligned address 0x60800000e972 for type 'char **', which requires 8 byte alignment
0x60800000e972: note: pointer points here
70 00 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
seems memcpy had been translated to a load instruction ?
anyhow, we force to copy a "proper" char * source.
close GH-20744
The current code causes the phar entry to remain in the fname cache.
This would be fine for uncompressed phars, but is a problem for
compressed phars when they try to reopen the file pointer.
The reopen code will try to use the compressed file pointer as if it
were an uncompressed file pointer. In that case, for the given test, the
file offsets are out of bounds for the compressed file pointer because
they are the uncompressed offsets. This results in empty files.
In other cases, it's possible to read compressed parts of the file that don't
belong to that particular file.
To solve this, we simply remove the phar entry from the fname cache if
the file pointer was closed but the phar is compressed. This will make
sure that reopening the phar will not go through the cache and instead
opens up a fresh file pointer with the right decompression settings.
Closes GH-20754.
This stopped working after e735d2bc3b because fp_refcount is increased,
making phar think that the file has open read pointers.
To fix this, the refcount shouldn't be increased but that would
re-introduce the previous bug.
Instead, we need to add a field that "locks" the existence of the
internal entry separate from the refcount.
Closes GH-20473.
The size of `got` was incorrect: it being unsigned means that the error
return codes are converted from -1 to SIZE_MAX. We should use ssize_t
instead.
Closes GH-20735.
The problem is that the code is doing `php_output_handler_free` in a loop on the output stack,
but prior to freeing the pointer on the stack in `php_output_handler_free` it calls
`php_output_handler_dtor` which can run user code that reallocates the stack,
resulting in a dangling pointer freed by php_output_handler_free.
Furthermore, OG(active) is set when creating a new output handler, but
the loop is supposed to clean up all handlers, so OG(active) must be
reset as well.
Closes GH-20356.
This procedure may be called during i_free_compiled_variables(), when
EG(current_execute_data) is unfortunately already reset to the parent frame.
EG(opline_before_exception) does not actually belong to this frame. Furthermore,
setting opline to EG(exception_op) early will miss a later
zend_rethrow_exception(), which will also miss installation of the correct
EG(opline_before_exception).
Fixes GH-20714
Closes GH-20716
* PHP-8.4:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* PHP-8.3:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* PHP-8.2:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
* PHP-8.1:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
Daniel Scherzer