This was only partially fixed in PHP-8.3. Backports and fixes the case for both
initialized and uninitialized property writes.
Fixes GH-14969
Closes GH-14971
According to the docs (https://www.php.net/manual/en/function.imagecreatefromwebp.php and https://www.php.net/manual/en/function.imagewebp.php), `false` should be returned on errors (similar to other functions of the `gd` extension), but actually all errors result in a `Fatal Error`. It doesn't look normal when trying to read an empty file or a file in the wrong format causes the program to stop. The problem seems to be related to a mega-patch that replaced `zend_error` with `zend_error_noreturn` almost everywhere. My patch fixes this behavior by switching from `zend_error_noerror` to `gd_error` (i.e. to `E_WARNING` level). All necessary memory cleanup is already in the code (as it was before the "zend_error_noreturn" patch).
Close GH-13774
The LICENSE file of libmagic had been inadvertently removed when the
lib had been upgraded to 5.43. So we add the file `COPYING` from that
release[1], and rename it to `LICENSE`.
[1] <https://github.com/file/file/releases/tag/FILE5_43>
Closes GH-14917.
The create_obj handler of InternalIterator is overwritten, but not the
clone_obj handler. This is not allowed.
In PHP 8.2 this didn't cause a segfault because the standard object
handler was used for the clone instead of the internal handler.
So then it allocates and frees the object using the standard object handlers.
In 8.3 however, the object is created using the standard object handler and
freed using the custom handler, resulting in the buffer overflow.
Even though bisect points to 1e1ea4f this only reveals the bug.
Closes GH-14882.
When dealing with a file, we must free the contents if the function
fails. While here, also fix the error message because previously it
sounded like the filename was too long while in fact the file itself
is too large.
Closes GH-14862.
`spl_object_storage_attach_handle` creates an entry already, but only
fills it in at the end with `spl_object_storage_create_element` which
allocates memory. In this case the allocation fails and we're left with
a NULL slot. Doing the allocation first isn't an option because we want
to check whether the slot is occupied before allocating memory.
The simplest solution is to set the entry to NULL and check for a NULL
pointer upon destruction.
Closes GH-14849.
libxml2 2.13 makes changes to how the parsing state is set, update our
code accordingly. In particular, it started reporting entities within
attributes, while it should only report entities inside text nodes.
Closes GH-14837.
* PHP-8.2:
NEWS for compatibility in XML
Stop setting parse options directly
Stop relying on lastError directly
Stop relying on the sax2 flag directly
Port XML_GetCurrentByteIndex to public APIs
This broke in 6318040df2 when phpdbg
stopped using its custom printing routines. By relying on standard
printing routines, the embedded NUL bytes are causing the strings to be
cut off, even when using %.*s. Solve this by going straight to the
output routine, which is what the printf routine would've done anyway.
Closes GH-14822.
* PHP-8.2:
NEWS for GH-14814
ext/standard/tests: strings/wordwrap_memory_limit_32bit.phpt has two outputs
ext/standard/tests: 32bit wordwrap tests aren't just for Windows
You cannot return or yield a reference to a nullsafe chain. This was
checked already in zend_compile_return but not yet in
zend_compile_yield.
Closes GH-14716.
Remove xmlErrMemory from the export section for Windows, this fixes the
build. Even though the original function was renamed [1] it is hidden,
so removing this should be sufficient and not be a BC break.
[1] 130436917c
Closes GH-14719.
The xinclude code from libxml removes the fallback node,
but the fallback node is still reference via $fallback.
The solution is to detach the nodes that are going to be removed in
advance.
Closes GH-14704.
Values retrieved from zend_getenv should be freed.
Note: The only possible value for `zend_getenv` is `sapi_getenv` which uses
zend alloc to duplicate the string that it reads from the SAPI module.
Closes GH-14708.
The error handling code isn't entirely right in two places.
One of the code blocks is dead because of an always-false condition, and
another code block is missing the assignment of a NULL pointer.
Getting the exact same behaviour is not entirely possible because you
can't extend the size of a shared memory region after it was made with
the Windows APIs we use, unless we destroy the region and recreate it,
but that has other consequences.
However, it certainly shouldn't crash.
Closes GH-14707.
