While parent:: should inherit the called scope, it should only do
so if it is compatible. If there is no called scope, or it is not
a subtype of the scope, we should fall back to the scope.
Trying to allocate a `zend_string` with a length only slighty smaller
than `SIZE_MAX` causes an integer overflow, so callers may need to
check that explicitly. To make that easy in a portable way, we
introduce `ZSTR_MAX_LEN`.
Closes GH-7294.
Some extensions try to use the date features in their own shutdown,
most notably some logging functions. Because of that, move the
cache tear down until after these resources have been cleaned up.
Adding two `zend_long`s may overflow, and casting `size_t` to
`zend_long` may truncate; we can avoid this here by enforcing unsigned
arithmetic.
Closes GH-7240.
For a particular assignment, a non-coerced constant assignment
value will remain valid. However, opcache merges cache slots for
all identical property references, which means that this
optimization also disables property type checks for all other
operands on the property that occur in the same functions.
This could be addressed by blocking cache slot merging in opcache,
but I prefer dropping it entirely instead. It does not seem
important enough to warrant doing that.
Encoding a negative zero as `-0` is likely to loose the sign when
decoding (at least it does with `json_decode()`). Therefore, we encode
it as if `JSON_PRESERVE_ZERO_FRACTION` was specified, i.e. as `-0.0`.
Closes GH-7234.
Trimming a potentially over-allocated string appears to be reasonable,
so we drop the condition altogether.
We also re-allocate twice the size needed in the first place, and not
roughly tripple the size.
Closes GH-7231.
We must not assume that `usearch_last()` gives the proper result for
negative offsets. Instead we'd need to continue to search backwards
(`usearch_previous`) until we find a proper match. However, apparently
searching backwards is broken, so we work around by searching forward
from the start of the string until we pass the `offset_pos`, and then
use the previous result.
Closes GH-7189.
The analysis in the bug report wasn't correct (at least not in
this case -- there may still be a more general problem here),
the issue was that write_property returned the original variable_ptr
rather than the zend_assign_to_variable() return value, which will
DEREF the variable before overwriting it.
In this case we ended up creating an ASSIGN_OBJ_REF with VAR
result operand, which was not freed.
Fix this by implementing assign_ref_znode the same was as
assign_znode, i.e. performing an assignment with result and
then freeing the result, which will result mark the result as
UNUSED. This is more robust than the special handling for
result == NULL that was used before.
This fixes one of the issues reported in bug #81190.
The built-in Webserver's `on_path`, `on_query_string` and `on_url`
callbacks may be called multiple times from the parser; we must not
simply replace the old values, but need to concatenate the new values
instead.
This appears to be tricky for `on_path` due to the path normalization,
so we fail if the function is called again.
The built-in Webserver logs errors during request parsing to stderr,
but this is ignored by the php_cli_server framework, and apparently the
Webserver does not send a resonse at all in such cases (instead of an
4xx). Thus we can only check that a request with an overly long path
fails.
Closes GH-7207.
When the time limit for a script is changed, when the script ends,
its INI value will be reset. This calls the event handler for the
timeout change, which will unset then reset the timeout. However,
this is done even if the script is done executing, and say, the CGI
or CLI web server process is idle.
This is probably incorrect, but isn't a problem on most platforms,
because PHP uses a timer that only ticks when the process is active
(that is, executing code). Since when it's idle, it's blocking on
listen/read, it won't tick because nothing executes. However, on
platforms where only the real-time timer is supported, (Cygwin/PASE)
it ticks regardless of if PHP is even executing. This means that the
idle processes are subject to timeouts from the INI reset on script
end.
This makes it so the timer is never set if the state is deactivating.
Testing with the CLI web server indicates the timer no longer
spuriously activates under PASE.
Closes GH-6683.
GMT+00:00 is recognized by ICU, and is normalized to GMT. There are no
issues when GMT+00:00 is passed to `IntlTimeZone::createTimeZone()`,
but passing it to IntlDateFormatter::__construct() causes a failure,
since there is an additional check regarding the validity. While
checking the validity of the result of `TimeZone::createTimeZone()`[1]
is a good idea, comparing the IDs is overly restrictive. Instead we
just check that the timezone is supported by ICU.
[1] <https://unicode-org.github.io/icu-docs/apidoc/dev/icu4c/classicu_1_1TimeZone.html#a35da0507b62754ffe5d8d59c19775cdb>
Closes GH-7190.
* PHP-7.3:
Update NEWS
Fix#76448: Stack buffer overflow in firebird_info_cb
Fix#76449: SIGSEGV in firebird_handle_doer
Fix#76450: SIGSEGV in firebird_stmt_execute
Fix#76452: Crash while parsing blob data in firebird_fetch_blob
Fix#81122: SSRF bypass in FILTER_VALIDATE_URL
We need to verify that the `result_size` is not larger than our buffer,
and also should make sure that the `len` which is passed to
`isc_vax_integer()` has a permissible value; otherwise we bail out.
We need to verify that the `result_size` is not larger than our buffer,
and also should make sure that the `len` which is passed to
`isc_vax_integer()` has a permissible value; otherwise we bail out.
The way to fix it is to disable certain match start optimizaions. The
observed performance impact appears negligible ATM, compared to the
functional regression revealed.
A possible side effect might occur if a pattern uses (*COMMIT) or
(*MARK), which is however not a very broadly used syntax in PHP. Still
this should be observed and handled by possibly adding a possibility to
reverse PCRE2_NO_START_OPTIMIZE on the user side.
One test shows a behavior change, where instead of int 0 the match
would produce an error and return false. Except strict comparison
is used, this should be acceptable.
Signed-off-by: Anatol Belski <ab@php.net>
(cherry picked from commit d188ca7688)
Signed-off-by: Anatol Belski <ab@php.net>
That happens on Travis s390x for whatever reasons. Thus, instead of
checking for `fallocate -h`, we attempt the real allocation and skip if
that fails.
When mapping the file, we need to pass the proper `dwFileOffsetHigh`
instead of `0`.
Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>
Closes GH-7158.
This test is supposed to verify the path of the default OpenSSL config
file; it will fail, though, if OPENSSL_CONF is explicitly set, so we
explicitly unset this environment variable for this test.
This issue is properly fixed by GH-7121 on master. For older
branches, disable the use of range information in SCCP, to
reduce impact of potentially incorrect ranges.
When doing a non finishing flush, BZ2_bzCompress() returns BZ_FLUSH_OK
(not BZ_FINISH_OK) what requires us to do further flushes right away.
We also refactor the while-loop as do-loop.
Closes GH-7113.
When the memory limit is restored during shutdown, we may still
be using a lot of memory. Ignore the failure at that point and
set it again after the MM is shut down, at which point memory
usage should be at its lowest point.
