Static analysis reports that the bounds check comes after reading the
byte from the buffer.
In practice, this is tagged data that loops until the end tag is found
and therefore there isn't really a bug. The extra length check is only
there for extra hardening.
So we simply silence the static analysers and improve the hardening.
See also https://docwiki.embarcadero.com/InterBase/15/en/Isc_dsql_sql_info()
If you can extend the file between gathering the file size (resulting in
a buffer allocation) and reading / writing to the file, you can trigger a
TOCTOU where you write out of bounds.
To solve this, add extra bound checks and make sure that write actions
always fail when going out of bounds.
The easiest way to trigger this is via a pipe, which is used in the
test, but it should be possible with a regular file and a quick race
condition as well.
Closes GH-20591.
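As an added illustration of the bounded-write fix described above (example code, not PHP's own implementation), the reader below sizes its buffer up front and then refuses, rather than overruns, when a pipe delivers more bytes than that size. `read_bounded` and `demo_pipe` are constructed helper names.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read from fd into a buffer whose capacity was fixed earlier (e.g. from a
 * size query). Never writes past `cap`. If the source still has data once
 * the buffer is full, the file grew after it was sized: refuse with EFBIG
 * instead of writing out of bounds. Returns bytes stored, or -1. */
ssize_t read_bounded(int fd, char *buf, size_t cap)
{
    size_t used = 0;
    for (;;) {
        if (used == cap) {
            char probe;                       /* one-byte probe, never stored */
            ssize_t n = read(fd, &probe, 1);
            if (n == 0) return (ssize_t)used; /* EOF exactly at capacity */
            if (n < 0) { if (errno == EINTR) continue; return -1; }
            errno = EFBIG;                    /* more data than we sized for */
            return -1;
        }
        ssize_t n = read(fd, buf + used, cap - used);
        if (n == 0) return (ssize_t)used;     /* EOF, data fits */
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        used += (size_t)n;
    }
}

/* Constructed demo (hypothetical helper): the writer pushes payload_len
 * bytes through a pipe while the reader sized its buffer to `cap` bytes,
 * mimicking a file that grows between sizing and reading.
 * Returns bytes read, -1 if read_bounded refused, -2 on setup error. */
long demo_pipe(size_t cap, size_t payload_len)
{
    int fds[2];
    char payload[64], buf[64];
    if (cap > sizeof buf || payload_len > sizeof payload) return -2;
    if (pipe(fds) != 0) return -2;
    memset(payload, 'A', sizeof payload);
    if (write(fds[1], payload, payload_len) != (ssize_t)payload_len) return -2;
    close(fds[1]);                            /* reader sees EOF once drained */
    ssize_t got = read_bounded(fds[0], buf, cap);
    int saved = errno;
    close(fds[0]);
    errno = saved;
    return (long)got;
}
```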
C14N code expects namespaces to be in-tree, but we store namespaces in a
different way out-of-tree to avoid reconciliations that break the tree
structure in a way unexpected by the DOM spec. In the DOM spec,
namespace nodes don't exist; they're regular attributes.
To solve this, we temporarily make fake namespace nodes that we later
remove.
Closes GH-20457.
If the system wgetrc has the `content-disposition = on` option, the file is
actually saved as `PHP-Parser-5.0.0.tar.gz`, causing a subsequent failure.
Even with `content-disposition = off`, if for any reason the download file
already exists and is corrupted, it won't be overwritten, and a new file
such as `v5.0.0.tar.gz.1` is saved instead.
We solve both problems by enforcing the name of the downloaded file.
Also, if for any other reason the unpacking should fail, remove the created
directory to allow further attempts.
If nothing was added to a smart_str, the interned empty string is
returned, and therefore ZVAL_NEW_STR is wrong as it'll set the
REFCOUNTED flag.
Closes GH-20773.
In eaee504c the session's save_path global was changed to a
zend_string pointer, but there are a few direct char-pointer accesses
in ext/session/mod_mm.c that slipped through the cracks. GCC-15
notices them and fails to build due to the incompatible pointer types.
Three ZSTR_* wrappers are all that is needed.
Gentoo-Bug: https://bugs.gentoo.org/967862
Closes GH-20772.
With macOS Tahoe and clang "17.0.0" (Xcode) the ext/posix/tests/posix_getgrgid_macosx.phpt test crashes as follows:
ext/posix/posix.c:681:19: runtime error: load of misaligned address 0x60800000e972 for type 'char **', which requires 8 byte alignment
0x60800000e972: note: pointer points here
70 00 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
It seems memcpy has been translated to a load instruction?
Anyhow, we force a copy from a "proper" char * source.
Closes GH-20744.