
[pull] master from php:master#859

Merged
pull[bot] merged 7 commits into turkdevops:master from php:master
Apr 13, 2026

Conversation


@pull pull bot commented Apr 12, 2026

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

iliaal and others added 7 commits April 12, 2026 18:43
…erialize callback fails (#21733)

Mt19937::__debugInfo() allocates a temporary HashTable with
array_init(&t), calls the engine's serialize callback, and then
inserts t into the return value. If the callback returns false, the
method throws and hits RETURN_THROWS() before inserting t, so the
HashTable leaks. PcgOneseq128XslRr64 and Xoshiro256StarStar alias
the same method and share the leak.

Niels Dossche fixed the same pattern in __serialize() via GH-20383
(720e006). That cleanup didn't touch __debugInfo(). Apply the
same reordering here: insert t into return_value first, then let
the callback populate it. RETURN_THROWS() then unwinds the return
value cleanly.

The path is latent in stock PHP because the three built-in serialize
callbacks (mt19937, pcg, xoshiro) all return true, so no user code
reaches the leak today. I'm fixing it for symmetry with GH-20383 and
to keep the pattern from regressing if a future engine grows a
failing serialize path.

Closes GH-21730
* PHP-8.4:
  Fix GH-21730: Mt19937::__debugInfo() leaks state HashTable when the serialize callback fails (#21733)
* PHP-8.5:
  Fix GH-21730: Mt19937::__debugInfo() leaks state HashTable when the serialize callback fails (#21733)
…ts all-zero state (#21732)

The constructor rejects a seed that would leave the internal state
all zero, because xoshiro256** with zero state produces 0 on every
call forever. The unserialize callback didn't check the same
invariant. A caller feeding a crafted serialized payload through
__unserialize() ended up with a live engine that returned 0 from
every operation.

Match the constructor: reject the all-zero state from the unserialize
callback too. The Mt19937-aliased __unserialize() wrapper turns the
false return into the standard "Invalid serialization data" exception.

Closes GH-21731
* PHP-8.4:
  Fix GH-21731: Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state (#21732)
* PHP-8.5:
  Fix order in NEWS
  Fix GH-21731: Random\Engine\Xoshiro256StarStar::__unserialize() accepts all-zero state (#21732)
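The all-zero-state invariant described in the GH-21731 commit message, as an added example that is not php-src code: a minimal xoshiro256** step showing why a zero state is stuck at 0, plus a hypothetical unserialize-style validator (`xoshiro256ss_unserialize`, over a constructed 32-byte little-endian payload layout, not PHP's real serialization format) that rejects that state and returns false so the caller can raise its "Invalid serialization data" error.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example (not php-src): standalone xoshiro256** state. */
typedef struct { uint64_t s[4]; } xoshiro256_state;

static uint64_t rotl(uint64_t x, int k) { return (x << k) | (x >> (64 - k)); }

/* One xoshiro256** output. With s == {0,0,0,0} the result is 0 and the
   state update leaves every word at 0, so every later call is 0 too. */
uint64_t xoshiro256ss_next(xoshiro256_state *st) {
    uint64_t *s = st->s;
    const uint64_t result = rotl(s[1] * 5, 7) * 9;
    const uint64_t t = s[1] << 17;
    s[2] ^= s[0]; s[3] ^= s[1]; s[1] ^= s[2]; s[0] ^= s[3];
    s[2] ^= t;
    s[3] = rotl(s[3], 45);
    return result;
}

/* Hypothetical unserialize callback over a constructed wire format:
   exactly 32 bytes, four little-endian 64-bit words. Returns false on a
   wrong length or on the all-zero state, mirroring the constructor's check
   so a crafted payload cannot produce a live engine that only yields 0. */
bool xoshiro256ss_unserialize(xoshiro256_state *st, const uint8_t *buf, size_t len) {
    if (buf == NULL || len != 32) return false;
    uint64_t s[4];
    for (int i = 0; i < 4; i++) {
        uint64_t w = 0;
        for (int b = 7; b >= 0; b--) w = (w << 8) | buf[i * 8 + b];
        s[i] = w;
    }
    if ((s[0] | s[1] | s[2] | s[3]) == 0) return false;  /* the invariant */
    memcpy(st->s, s, sizeof s);  /* only commit state once it is valid */
    return true;
}

/* Demonstrates the failure mode: a zero state never leaves zero. */
bool zero_state_stuck(int rounds) {
    xoshiro256_state st = {{0, 0, 0, 0}};
    for (int i = 0; i < rounds; i++)
        if (xoshiro256ss_next(&st) != 0) return false;
    return true;
}
```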
@pull pull bot locked and limited conversation to collaborators Apr 12, 2026
@pull pull bot added the ⤵️ pull label Apr 12, 2026
@pull pull bot merged commit 2181129 into turkdevops:master Apr 13, 2026
4 of 5 checks passed