From 54f93f127ee93e43233c1620e19a20414283f94d Mon Sep 17 00:00:00 2001 From: Pierrick Charron Date: Thu, 13 Mar 2025 13:14:37 -0400 Subject: [PATCH 1/9] [skip ci] Fix release date of 8.3.19 --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 39ee4c46becda..defd19e93f4ee 100644 --- a/NEWS +++ b/NEWS @@ -23,7 +23,7 @@ PHP NEWS - Treewide: . Fixed bug GH-17736 (Assertion failure zend_reference_destroy()). (nielsdos) -13 Feb 2025, PHP 8.3.19 +13 Mar 2025, PHP 8.3.19 - BCMath: . Fixed bug GH-17398 (bcmul memory leak). (SakiTakamachi) From c62523666c9fef743d34f2adc1d6c7de479e4870 Mon Sep 17 00:00:00 2001 From: Pierrick Charron Date: Thu, 13 Mar 2025 13:45:08 -0400 Subject: [PATCH 2/9] [skip ci] Fix invalid release date of 8.1.1 --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 67f6b8f728be7..f34fc5c90e5de 100644 --- a/NEWS +++ b/NEWS @@ -1590,7 +1590,7 @@ PHP NEWS . Fixed bug GH-7815 (php_uname doesn't recognise latest Windows versions). (David Warner) -02 Dec 2021, PHP 8.1.1 +16 Dec 2021, PHP 8.1.1 - IMAP: . Fixed bug #81649 (imap_(un)delete accept sequences, not single numbers). From 200342145410e71654e2327e80febfd7d9c93483 Mon Sep 17 00:00:00 2001 From: Pierrick Charron Date: Thu, 13 Mar 2025 13:48:38 -0400 Subject: [PATCH 3/9] [skip ci] Fix release dates on NEWS --- NEWS | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/NEWS b/NEWS index defd19e93f4ee..4fa4fee3d849e 100644 --- a/NEWS +++ b/NEWS @@ -199,7 +199,7 @@ PHP NEWS . Fixed bug GH-17139 (Fix zip_entry_name() crash on invalid entry). (nielsdos) -02 Jan 2025, PHP 8.3.16 +16 Jan 2025, PHP 8.3.16 - Core: . Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization). (ilutov) @@ -398,7 +398,7 @@ PHP NEWS - Windows: . Fixed bug GH-16849 (Error dialog causes process to hang). (cmb) -07 Nov 2024, PHP 8.3.14 +21 Nov 2024, PHP 8.3.14 - CLI: . Fixed bug GH-16373 (Shebang is not skipped for router script in cli-server 
@@ -919,7 +919,7 @@ PHP NEWS . Fixed bug GH-14834 (Error installing PHP when --with-pear is used). (nielsdos) -20 Jun 2024, PHP 8.3.9 +04 Jul 2024, PHP 8.3.9 - Core: . Fixed bug GH-14315 (Incompatible pointer type warnings). (Peter Kokot) @@ -1151,7 +1151,7 @@ PHP NEWS - Treewide: . Fix gcc-14 Wcalloc-transposed-args warnings. (Cristian Rodríguez) -28 Mar 2024, PHP 8.3.5 +11 Apr 2024, PHP 8.3.6 - Core: . Fixed GH-13569 (GC buffer unnecessarily grows up to GC_MAX_BUF_SIZE when @@ -1420,7 +1420,7 @@ PHP NEWS . Fixed bug GH-12980 (tidynode.props.attribute is missing "Boolean Attributes" and empty attributes). (nielsdos) -07 Dec 2023, PHP 8.3.1 +21 Dec 2023, PHP 8.3.1 - Core: . Fixed bug GH-12758 / GH-12768 (Invalid opline in OOM handlers within From a3aaedc76c5ede48bd49c93f08eb7e828133a425 Mon Sep 17 00:00:00 2001 From: Pierrick Charron Date: Thu, 13 Mar 2025 13:50:06 -0400 Subject: [PATCH 4/9] [skip ci] Fix release dates on NEWS --- NEWS | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index f2bd84c21c4c2..7f7a616bc1c26 100644 --- a/NEWS +++ b/NEWS @@ -162,7 +162,7 @@ PHP NEWS . Fix memory leak when encoding check fails. (nielsdos) . Fix zlib support for large files. (nielsdos) -30 Jan 2025, PHP 8.4.4 +13 Feb 2025, PHP 8.4.4 - Core: . Fixed bug GH-17234 (Numeric parent hook call fails with assertion). @@ -281,7 +281,7 @@ PHP NEWS . Fixed bug GH-17139 (Fix zip_entry_name() crash on invalid entry). (nielsdos) -02 Jan 2025, PHP 8.4.3 +16 Jan 2025, PHP 8.4.3 - BcMath: . Fixed bug GH-17049 (Correctly compare 0 and -0). (Saki Takamachi) @@ -410,7 +410,7 @@ PHP NEWS - XML: . Fixed bug GH-1718 (unreachable program point in zend_hash). (nielsdos) -05 Dec 2024, PHP 8.4.2 +19 Dec 2024, PHP 8.4.2 - BcMath: . Fixed bug GH-16978 (Avoid unnecessary padding with leading zeros). From 27affd8da173db7f7db5535c4caaf55d2986f925 Mon Sep 17 00:00:00 2001 
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Wed, 12 Mar 2025 19:39:58 +0100 Subject: [PATCH 5/9] Fix GH-18018: RC1 data returned from offsetGet causes UAF in ArrayObject We should first check truthiness and only after that destroy the value. Closes GH-18034. --- NEWS | 4 ++++ ext/spl/spl_array.c | 6 ++++-- ext/spl/tests/gh18018.phpt | 20 ++++++++++++++++++++ 3 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 ext/spl/tests/gh18018.phpt diff --git a/NEWS b/NEWS index 4fa4fee3d849e..58de3a7ed3cd8 100644 --- a/NEWS +++ b/NEWS @@ -20,6 +20,10 @@ PHP NEWS . Fixed bug GH-17989 (mb_output_handler crash with unset http_output_conv_mimetypes). (nielsdos) +- SPL: + . Fixed bug GH-18018 (RC1 data returned from offsetGet causes UAF in + ArrayObject). (nielsdos) + - Treewide: . Fixed bug GH-17736 (Assertion failure zend_reference_destroy()). (nielsdos) diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index bd03a8aae0189..8d4541797a1c5 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -641,12 +641,14 @@ static bool spl_array_has_dimension_ex(bool check_inherited, zend_object *object } } + /* empty() check the value is not falsy, isset() only check it is not null */ + bool result = check_empty ? zend_is_true(value) : Z_TYPE_P(value) != IS_NULL; + if (value == &rv) { zval_ptr_dtor(&rv); } - /* empty() check the value is not falsy, isset() only check it is not null */ - return check_empty ? zend_is_true(value) : Z_TYPE_P(value) != IS_NULL; + return result; } /* }}} */ static int spl_array_has_dimension(zend_object *object, zval *offset, int check_empty) /* {{{ */ diff --git a/ext/spl/tests/gh18018.phpt b/ext/spl/tests/gh18018.phpt new file mode 100644 index 0000000000000..06fa7fc3d0e55 --- /dev/null +++ b/ext/spl/tests/gh18018.phpt 
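Review bot: The isset side of the moved check, `Z_TYPE_P(value) != IS_NULL`, looks at the zval's own type, so if `value` can point at an IS_REFERENCE slot of the backing hashtable (the non-`&rv` path of spl_array_has_dimension_ex, whose start is outside this hunk) a reference to null would report as set, while the empty() side is fine because `zend_is_true` dereferences. If that path can hand back references, dereference a copy of the pointer before the check so the `value == &rv` comparison below still works: `zval *v = value; ZVAL_DEREF(v); bool result = check_empty ? zend_is_true(v) : Z_TYPE_P(v) != IS_NULL;` — a test with a by-reference element would settle whether this is reachable. The reordering itself is correct: `rv` is now destroyed only after its contents have been read, which is the use-after-free the commit fixes. The comment above the check would read better as `/* empty() checks the value is not falsy, isset() only checks it is not null */`.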
@@ -0,0 +1,20 @@ +--TEST-- +GH-18018 (RC1 data returned from offsetGet causes UAF in ArrayObject) +--FILE-- + 1]; + +$object = new Crap($values); + +var_dump(empty($object['qux'])); +?> +--EXPECT-- +bool(false) From 3c17d3fc054e3b964b77c7a12a632201bd53b027 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Thu, 13 Mar 2025 19:11:53 +0100 Subject: [PATCH 6/9] [ci skip] Fix NEWS order --- NEWS | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 4cb6bbb091203..43f43d7757fe3 100644 --- a/NEWS +++ b/NEWS @@ -28,6 +28,10 @@ PHP NEWS . Fixed bug GH-17991 (Assertion failure dom_attr_value_write). (nielsdos) . Fix weird unpack behaviour in DOM. (nielsdos) +- GD: + . Fixed bug GH-17984 (calls with arguments as array with references). + (David Carlier) + - Mbstring: . Fixed bug GH-17989 (mb_output_handler crash with unset http_output_conv_mimetypes). (nielsdos) @@ -40,10 +44,6 @@ PHP NEWS - Standard: . Fix memory leaks in array_any() / array_all(). (nielsdos) -- GD: - . Fixed bug GH-17984 (calls with arguments as array with references). - (David Carlier) - - SPL: . Fixed bug GH-18018 (RC1 data returned from offsetGet causes UAF in ArrayObject). (nielsdos) From 70c2ebb69807d517fa38487e690462454c83f1ec Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Thu, 13 Mar 2025 22:24:49 +0100 Subject: [PATCH 7/9] Fix typo in GHSA-hgf5-96fm-v528 NEWS entry --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NEWS b/NEWS index f34fc5c90e5de..29400e6ef5b5c 100644 --- a/NEWS +++ b/NEWS 
@@ -12,7 +12,7 @@ PHP NEWS when requesting a redirected resource). (CVE-2025-1219) (timwolla) - Streams: - . Fixed GHSA-hgf54-96fm-v528 (Stream HTTP wrapper header check might omit + . Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736) (Jakub Zelenka) . Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861) (Jakub Zelenka) From a7d2703246cb4acdcb48ecb3682386a102702c43 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Thu, 13 Mar 2025 21:18:35 +0100 Subject: [PATCH 8/9] Correct check for maximum string length in JIT helpers This is a bit of a theoretical issue, but the maximum string length is actually ZSTR_MAX_LEN instead of SIZE_MAX. The resulting check is a bit slower but should still be relatively cheap. Closes GH-18049. --- ext/opcache/jit/zend_jit_helpers.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c index a79f2b5173d53..26e368dce6617 100644 --- a/ext/opcache/jit/zend_jit_helpers.c +++ b/ext/opcache/jit/zend_jit_helpers.c @@ -1636,7 +1636,7 @@ static void ZEND_FASTCALL zend_jit_fast_assign_concat_helper(zval *op1, zval *op zend_string *result_str; uint32_t flags = ZSTR_GET_COPYABLE_CONCAT_PROPERTIES_BOTH(Z_STR_P(op1), Z_STR_P(op2)); - if (UNEXPECTED(op1_len > SIZE_MAX - op2_len)) { + if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) { zend_throw_error(NULL, "String size overflow"); return; } @@ -1672,7 +1672,7 @@ static void ZEND_FASTCALL zend_jit_fast_concat_helper(zval *result, zval *op1, z zend_string *result_str; uint32_t flags = ZSTR_GET_COPYABLE_CONCAT_PROPERTIES_BOTH(Z_STR_P(op1), Z_STR_P(op2)); - if (UNEXPECTED(op1_len > SIZE_MAX - op2_len)) { + if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) { zend_throw_error(NULL, "String size overflow"); return; } 
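Review bot: The new bound `op1_len > ZSTR_MAX_LEN - op2_len` is only free of wrap-around because `op2_len` is itself the length of an existing zend_string and so cannot exceed ZSTR_MAX_LEN; that invariant is what keeps the subtraction well-defined, and nothing in the hunk states it, while the identical expression now appears in three helpers (this one at 1636, 1672 and 1696 in the same patch). A one-line comment above the check, `/* op2_len <= ZSTR_MAX_LEN by construction, so the subtraction cannot wrap */`, would capture it; alternatively factor the check into one `static zend_always_inline bool` helper shared by the three so a future change to the limit happens in one place. If the interpreter's concat path already uses ZSTR_MAX_LEN, a note that the JIT helpers now match it would help the next reader (I can't confirm that from this hunk). Each enclosing helper begins outside its hunk.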
@@ -1696,7 +1696,7 @@ static void ZEND_FASTCALL zend_jit_fast_concat_tmp_helper(zval *result, zval *op zend_string *result_str; uint32_t flags = ZSTR_GET_COPYABLE_CONCAT_PROPERTIES_BOTH(Z_STR_P(op1), Z_STR_P(op2)); - if (UNEXPECTED(op1_len > SIZE_MAX - op2_len)) { + if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) { zend_throw_error(NULL, "String size overflow"); return; } From 413938143b31405817abbdf0f8effb7c09ed0862 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Thu, 13 Mar 2025 21:05:33 +0100 Subject: [PATCH 9/9] Fix GH-18037: SEGV Zend/zend_execute.c A frameless icall with 3 arguments is a special case because it uses OP_DATA, but this was not added to the list, so the opline pointed to the wrong address resulting in UBSAN report or crash. Closes GH-18048. --- NEWS | 1 + ext/opcache/jit/zend_jit_ir.c | 1 + ext/opcache/tests/jit/gh18037.phpt | 24 ++++++++++++++++++++++++ 3 files changed, 26 insertions(+) create mode 100644 ext/opcache/tests/jit/gh18037.phpt diff --git a/NEWS b/NEWS index 309bf290f28f8..72b890d29855d 100644 --- a/NEWS +++ b/NEWS @@ -40,6 +40,7 @@ PHP NEWS . Fixed bug GH-15834 (Segfault with hook "simple get" cache slot and minimal JIT). (nielsdos) . Fixed bug GH-17966 (Symfony JIT 1205 assertion failure). (nielsdos) + . Fixed bug GH-18037 (SEGV Zend/zend_execute.c). (nielsdos) - Standard: . Fix memory leaks in array_any() / array_all(). (nielsdos) diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c index 32c58f24c7cd2..7ff6522ba2c4a 100644 --- a/ext/opcache/jit/zend_jit_ir.c +++ b/ext/opcache/jit/zend_jit_ir.c @@ -4209,6 +4209,7 @@ static int zend_jit_handler(zend_jit_ctx *jit, const zend_op *opline, int may_th case ZEND_ASSIGN_STATIC_PROP_OP: case ZEND_ASSIGN_STATIC_PROP_REF: case ZEND_ASSIGN_OBJ_REF: + case ZEND_FRAMELESS_ICALL_3: zend_jit_set_last_valid_opline(jit, opline + 2); break; default: 
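Review bot: The added `case ZEND_FRAMELESS_ICALL_3:` extends a hand-maintained list of opcodes that consume a trailing OP_DATA, and an omission from that same list is what caused GH-18037; the new case carries nothing that says why the last valid opline is `opline + 2` here. A comment on the case, `/* 3-arg frameless icalls carry their third operand in a following OP_DATA */`, would tie it to the commit message. If the engine exposes a central way to ask whether an opcode is followed by OP_DATA, deriving this switch from it rather than enumerating would prevent the next omission; I can't confirm from this hunk whether such a helper exists. The switch in zend_jit_handler starts and ends outside the hunk, so the other OP_DATA users it lists are not visible here.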
diff --git a/ext/opcache/tests/jit/gh18037.phpt b/ext/opcache/tests/jit/gh18037.phpt new file mode 100644 index 0000000000000..26de60228e8cb --- /dev/null +++ b/ext/opcache/tests/jit/gh18037.phpt @@ -0,0 +1,24 @@ +--TEST-- +GH-18037 (SEGV Zend/zend_execute.c) +--EXTENSIONS-- +opcache +--INI-- +opcache.jit=1201 +--FILE-- +matches(); +} + +test_helper(); +?> +--EXPECTF-- +Warning: Undefined array key 0 in %s on line %d + +Fatal error: Uncaught Error: Call to a member function matches() on array in %s:%d +Stack trace: +#0 %s(%d): test_helper() +#1 {main} + thrown in %s on line %d