[pull] master from php:master

NEWS

@@ -96,6 +96,8 @@ PHP                                                                        NEWS
 
 - PCRE:
   . Upgraded to pre2lib from 10.44 to 10.45. (nielsdos)
+  . Remove PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK from pcre compile options.
+    (mvorisek)
 
 - PDO_PGSQL:
   . Added Iterable support for PDO::pgsqlCopyFromArray. (KentarouTakeda)

UPGRADING

@@ -59,6 +59,11 @@ PHP 8.5 UPGRADE NOTES
   . pcntl_exec() now throws ValueErrors when entries or keys of the
     $env_vars parameter contain null bytes.
 
+- PCRE:
+  . The extension is compiled without semi-deprecated
+    PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK compile option.
+    https://github.com/PCRE2Project/pcre2/issues/736#issuecomment-2754024651
+
 - PDO:
   . The constructor arguments set in conjunction with PDO::FETCH_CLASS now
     follow the usual CUFA (call_user_func_array) semantics.

Zend/zend_object_handlers.c

@@ -2451,17 +2451,9 @@ ZEND_API zend_result zend_std_get_closure(zend_object *obj, zend_class_entry **c
 		return FAILURE;
 	}
 	*fptr_ptr = Z_FUNC_P(func);
-
 	*ce_ptr = ce;
-	if ((*fptr_ptr)->common.fn_flags & ZEND_ACC_STATIC) {
-		if (obj_ptr) {
-			*obj_ptr = NULL;
-		}
-	} else {
-		if (obj_ptr) {
-			*obj_ptr = obj;
-		}
-	}
+	*obj_ptr = obj;
+
 	return SUCCESS;
 }
 /* }}} */

build/Makefile.global

@@ -89,7 +89,7 @@ PHP_TEST_SHARED_EXTENSIONS =  ` \
 			. $$i; $(top_srcdir)/build/shtool echo -n -- " -d zend_extension=$(top_builddir)/modules/$$dlname"; \
 		done; \
 	fi`
-PHP_DEPRECATED_DIRECTIVES_REGEX = '^(magic_quotes_(gpc|runtime|sybase)?|(zend_)?extension(_debug)?(_ts)?)[\t\ ]*='
+PHP_DEPRECATED_DIRECTIVES_REGEX = '^(magic_quotes_(gpc|runtime|sybase)?|(zend_)?extension(_debug)?(_ts)?|session\.sid_(length|bits_per_character))[\t\ ]*='
 
 test: all
 	@if test ! -z "$(PHP_EXECUTABLE)" && test -x "$(PHP_EXECUTABLE)"; then \

ext/intl/tests/dateformat_format_references.phpt

@@ -1,5 +1,7 @@
 --TEST--
 Fix dateformat_format() with array argument with values as references.
+--EXTENSIONS--
+intl
 --SKIPIF--
 <?php
 if (PHP_OS_FAMILY === "Windows") die("skip currently unsupported on Windows");

ext/pcre/php_pcre.c

@@ -199,13 +199,6 @@ static void php_pcre_efree(void *block, void *data)
 	efree(block);
 }
 
-#ifdef PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK
-	/* pcre 10.38 needs PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK, disabled by default */
-#define PHP_PCRE_DEFAULT_EXTRA_COPTIONS PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK
-#else
-#define PHP_PCRE_DEFAULT_EXTRA_COPTIONS 0
-#endif
-
 #define PHP_PCRE_PREALLOC_MDATA_SIZE 32
 
 static void php_pcre_init_pcre2(uint8_t jit)
@@ -226,8 +219,6 @@ static void php_pcre_init_pcre2(uint8_t jit)
 		}
 	}
 
-	pcre2_set_compile_extra_options(cctx, PHP_PCRE_DEFAULT_EXTRA_COPTIONS);
-
 	if (!mctx) {
 		mctx = pcre2_match_context_create(gctx);
 		if (!mctx) {
@@ -590,7 +581,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache_ex(zend_string *regex, bo
 #else
 	uint32_t			 coptions = 0;
 #endif
-	uint32_t			 eoptions = PHP_PCRE_DEFAULT_EXTRA_COPTIONS;
+	uint32_t			 eoptions = 0;
 	PCRE2_UCHAR	         error[128];
 	PCRE2_SIZE           erroffset;
 	int                  errnumber;

ext/pcre/tests/bug70345.phpt

@@ -1,5 +1,10 @@
 --TEST--
 Bug #70345 (Multiple vulnerabilities related to PCRE functions)
+--SKIPIF--
+<?php
+if (PCRE_VERSION_MAJOR == 10 && PCRE_VERSION_MINOR < 38) {
+    die("skip old pcre version");
+}
 --FILE--
 <?php
 $regex = '/(?=xyz\K)/';
@@ -14,8 +19,8 @@ preg_match($regex, $subject, $matches);
 var_dump($matches);
 ?>
 --EXPECTF--
+Warning: preg_split(): Compilation failed: \K is not allowed in lookarounds (but see PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK) at offset 9 in %s on line %d
 bool(false)
 
-Warning: preg_match(): Get subpatterns list failed in %s on line %d
-array(0) {
-}
+Warning: preg_match(): Compilation failed: \K is not allowed in lookarounds (but see PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK) at offset 12 in %s on line %d
+NULL

ext/pcre/tests/bug70345_old.phpt

@@ -0,0 +1,26 @@
+--TEST--
+Bug #70345 (Multiple vulnerabilities related to PCRE functions)
+--SKIPIF--
+<?php
+if (PCRE_VERSION_MAJOR != 10 || PCRE_VERSION_MINOR >= 38) {
+    die("skip new pcre version");
+}
+--FILE--
+<?php
+$regex = '/(?=xyz\K)/';
+$subject = "aaaaxyzaaaa";
+
+var_dump(preg_split($regex, $subject));
+
+$regex = '/(a(?=xyz\K))/';
+$subject = "aaaaxyzaaaa";
+preg_match($regex, $subject, $matches);
+
+var_dump($matches);
+?>
+--EXPECTF--
+bool(false)
+
+Warning: preg_match(): Get subpatterns list failed in %s on line %d
+array(0) {
+}

ext/reflection/php_reflection.c

@@ -2671,7 +2671,7 @@ ZEND_METHOD(ReflectionParameter, __toString)
 
 /* }}} */
 
-/* {{{ Returns this parameters's name */
+/* {{{ Returns this parameter's name */
 ZEND_METHOD(ReflectionParameter, getName)
 {
 	reflection_object *intern;

ext/spl/spl_fixedarray.c

@@ -278,7 +278,6 @@ static zend_object *spl_fixedarray_object_new_ex(zend_class_entry *class_type, z
 {
 	spl_fixedarray_object *intern;
 	zend_class_entry      *parent = class_type;
-	bool                   inherited = false;
 
 	intern = zend_object_alloc(sizeof(spl_fixedarray_object), parent);
 
@@ -290,21 +289,10 @@ static zend_object *spl_fixedarray_object_new_ex(zend_class_entry *class_type, z
 		spl_fixedarray_copy_ctor(&intern->array, &other->array);
 	}
 
-	while (parent) {
-		if (parent == spl_ce_SplFixedArray) {
-			break;
-		}
-
-		parent = parent->parent;
-		inherited = true;
-	}
-
-	ZEND_ASSERT(parent);
-
-	if (UNEXPECTED(inherited)) {
+	if (UNEXPECTED(class_type != spl_ce_SplFixedArray)) {
 		/* Find count() method */
 		zend_function *fptr_count = zend_hash_find_ptr(&class_type->function_table, ZSTR_KNOWN(ZEND_STR_COUNT));
-		if (fptr_count->common.scope == parent) {
+		if (fptr_count->common.scope == spl_ce_SplFixedArray) {
 			fptr_count = NULL;
 		}
 		intern->fptr_count = fptr_count;
@@ -377,7 +365,7 @@ static zval *spl_fixedarray_object_read_dimension_helper(spl_fixedarray_object *
 {
 	/* we have to return NULL on error here to avoid memleak because of
 	 * ZE duplicating uninitialized_zval_ptr */
-	if (!offset) {
+	if (UNEXPECTED(!offset)) {
 		zend_throw_error(NULL, "[] operator not supported for SplFixedArray");
 		return NULL;
 	}
@@ -422,7 +410,7 @@ static zval *spl_fixedarray_object_read_dimension(zend_object *object, zval *off
 
 static void spl_fixedarray_object_write_dimension_helper(spl_fixedarray_object *intern, zval *offset, zval *value)
 {
-	if (!offset) {
+	if (UNEXPECTED(!offset)) {
 		/* '$array[] = value' syntax is not supported */
 		zend_throw_error(NULL, "[] operator not supported for SplFixedArray");
 		return;
@@ -438,10 +426,10 @@ static void spl_fixedarray_object_write_dimension_helper(spl_fixedarray_object *
 	} else {
 		/* Fix #81429 */
 		zval *ptr = &(intern->array.elements[index]);
-		zval tmp;
-		ZVAL_COPY_VALUE(&tmp, ptr);
-		ZVAL_COPY_DEREF(ptr, value);
-		zval_ptr_dtor(&tmp);
+		/* This should be guaranteed by the VM handler or argument parsing. */
+		ZEND_ASSERT(Z_TYPE_P(value) != IS_REFERENCE);
+		Z_TRY_ADDREF_P(value);
+		zend_safe_assign_to_variable_noref(ptr, value);
 	}
 }
 
@@ -472,10 +460,9 @@ static void spl_fixedarray_object_unset_dimension_helper(spl_fixedarray_object *
 	if (UNEXPECTED(index >= intern->array.size)) {
 		zend_throw_exception(spl_ce_OutOfBoundsException, "Index invalid or out of range", 0);
 	} else {
-		zval garbage;
-		ZVAL_COPY_VALUE(&garbage, &intern->array.elements[index]);
-		ZVAL_NULL(&intern->array.elements[index]);
-		zval_ptr_dtor(&garbage);
+		zval null = {0};
+		ZVAL_NULL(&null);
+		zend_safe_assign_to_variable_noref(&intern->array.elements[index], &null);
 	}
 }