From 8d116a4ba10703c54d947d95e152d25d75d45aa0 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sun, 29 Jun 2025 14:29:28 +0200 Subject: [PATCH 1/4] Implement GH-15483: Use C23 memset_explicit() for ZEND_SECURE_ZERO() if available (#18713) --- Zend/zend_portability.h | 2 ++ configure.ac | 1 + main/explicit_bzero.c | 6 ++++-- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/Zend/zend_portability.h b/Zend/zend_portability.h index 97bd038ecf3d8..7a41a496a0ed7 100644 --- a/Zend/zend_portability.h +++ b/Zend/zend_portability.h @@ -496,6 +496,8 @@ extern "C++" { #ifdef ZEND_WIN32 #define ZEND_SECURE_ZERO(var, size) RtlSecureZeroMemory((var), (size)) +#elif defined(HAVE_MEMSET_EXPLICIT) +#define ZEND_SECURE_ZERO(var, size) memset_explicit((var), 0, (size)) #else #define ZEND_SECURE_ZERO(var, size) explicit_bzero((var), (size)) #endif diff --git a/configure.ac b/configure.ac index f6f305ba053a8..e4a8c31de474f 100644 --- a/configure.ac +++ b/configure.ac @@ -564,6 +564,7 @@ AC_CHECK_FUNCS(m4_normalize([ memmem mempcpy memrchr + memset_explicit mkstemp mmap nice diff --git a/main/explicit_bzero.c b/main/explicit_bzero.c index 75cd126ee9a56..c49bdede66247 100644 --- a/main/explicit_bzero.c +++ b/main/explicit_bzero.c @@ -28,8 +28,10 @@ PHPAPI void php_explicit_bzero(void *dst, size_t siz) { -#ifdef HAVE_EXPLICIT_MEMSET - explicit_memset(dst, 0, siz); +#ifdef HAVE_MEMSET_EXPLICIT /* C23 */ + memset_explicit(dst, 0, siz); +#elif defined(HAVE_EXPLICIT_MEMSET) /* NetBSD-specific */ + explicit_memset(dst, 0, siz); #elif defined(PHP_WIN32) RtlSecureZeroMemory(dst, siz); #elif defined(__GNUC__) From 1d5da8660b2a1a905b7695d83dc25a7501e0aeed Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Sun, 29 Jun 2025 13:58:58 +0100 Subject: [PATCH 2/4] ext/sqlite3: relax sqlite3 explain test conditions (#18949) --- ext/sqlite3/tests/sqlite3_explain.phpt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
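Review bot: The new `#elif defined(HAVE_MEMSET_EXPLICIT)` branch makes `ZEND_SECURE_ZERO()` expand to `memset_explicit()` in every translation unit that uses the macro, so the `<string.h>` declaration has to be visible there and not only in the configure probe; `memset_explicit` is a C23 addition and libc headers generally expose it only in C23 mode or under the library's extension feature-test macros, so a consumer compiled without those gets an implicit declaration, which current compilers treat as an error. The selection order here (Win32, then memset_explicit, then explicit_bzero) also differs from `php_explicit_bzero()` in main/explicit_bzero.c in the same patch, which puts memset_explicit ahead of RtlSecureZeroMemory; presumably harmless because the Windows build does not run this configure.ac, but worth recording so the two do not drift. I would add above the `#ifdef ZEND_WIN32`: `/* Non-elidable zeroing for secrets; C23 memset_explicit() is the portable choice. Keep this order in sync with php_explicit_bzero() in main/explicit_bzero.c. */`.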
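Review bot: `AC_CHECK_FUNCS` only proves that a `memset_explicit` symbol links, using a prototype it declares itself, so `HAVE_MEMSET_EXPLICIT` can be set on a libc whose `<string.h>` does not declare the function for the `-std=` and feature-test macros PHP compiles with; the `memset_explicit(...)` uses this patch adds in zend_portability.h and main/explicit_bzero.c would then be implicit declarations. A declaration check next to the link check closes that gap: `AC_CHECK_DECLS([memset_explicit], [], [], [[#include <string.h>]])`, and then guard the uses on `HAVE_DECL_MEMSET_EXPLICIT` as well as `HAVE_MEMSET_EXPLICIT`. Whether the headers in CI already expose it under PHP's current macros is not visible here, so this may work today; the point is that the probe as written does not establish it.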
diff --git a/ext/sqlite3/tests/sqlite3_explain.phpt b/ext/sqlite3/tests/sqlite3_explain.phpt
index f580783ca1d14..40648588733c6 100644
--- a/ext/sqlite3/tests/sqlite3_explain.phpt
+++ b/ext/sqlite3/tests/sqlite3_explain.phpt
@@ -79,7 +79,7 @@ array(%d) {
 ["addr"]=>
 int(1)
 ["opcode"]=>
- string(13) "InitCoroutine"
+ string(%d) "%s"
 ["p1"]=>
 int(3)
 ["p2"]=>
@@ -87,7 +87,7 @@ array(%d) {
 ["p3"]=>
 int(2)
 ["p4"]=>
- NULL
+ %s
 ["p5"]=>
 int(0)
 ["comment"]=>
@@ -368,7 +368,7 @@ array(1) {
 ["parent"]=>
 int(0)
 ["notused"]=>
- int(0)
+ int(%d)
 ["detail"]=>
 string(17) "SCAN test_explain"
 }
From 1a5128f51e1c51c603c3fd3c0f311209c23b8868 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sun, 29 Jun 2025 16:51:23 +0200
Subject: [PATCH 3/4] [ci skip] Fix comment typo in opcache
---
 ext/opcache/zend_accelerator_module.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/opcache/zend_accelerator_module.c b/ext/opcache/zend_accelerator_module.c
index 203a41d93b40a..a4f632872f546 100644
--- a/ext/opcache/zend_accelerator_module.c
+++ b/ext/opcache/zend_accelerator_module.c
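Review bot: Replacing `string(13) "InitCoroutine"` with `string(%d) "%s"` in the first hunk removes the opcode assertion entirely: `%s` matches any non-empty text, so a plan with a different opcode at addr 1, or a garbage `opcode` value, still passes, and the `%s` substituted for `NULL` under `p4` has the same effect. If the intent is to tolerate a different plan from other SQLite releases, constrain the match to the values actually observed, e.g. a `%r(...|...)%r` alternation listing only the opcodes seen across the SQLite versions in CI, and record in the test's PHP section which SQLite version changed the plan so the next person relaxing it knows why `p1`, `p2` and `p3` are still pinned. The commit message says only "relax", which does not capture the cause.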
@@ -323,7 +323,7 @@ ZEND_INI_BEGIN()
 STD_PHP_INI_ENTRY("opcache.jit_max_root_traces" , "1024", PHP_INI_SYSTEM, OnUpdateLong, max_root_traces, zend_jit_globals, jit_globals)
 STD_PHP_INI_ENTRY("opcache.jit_max_side_traces" , "128", PHP_INI_SYSTEM, OnUpdateLong, max_side_traces, zend_jit_globals, jit_globals)
 STD_PHP_INI_ENTRY("opcache.jit_max_exit_counters" , "8192", PHP_INI_SYSTEM, OnUpdateLong, max_exit_counters, zend_jit_globals, jit_globals)
- /* Defautl value should be a prime number, to reduce the chances of loop iterations being a factor of opcache.jit_hot_loop */
+ /* Default value should be a prime number, to reduce the chances of loop iterations being a factor of opcache.jit_hot_loop */
 STD_PHP_INI_ENTRY("opcache.jit_hot_loop" , "61", PHP_INI_SYSTEM, OnUpdateCounter, hot_loop, zend_jit_globals, jit_globals)
 STD_PHP_INI_ENTRY("opcache.jit_hot_func" , "127", PHP_INI_SYSTEM, OnUpdateCounter, hot_func, zend_jit_globals, jit_globals)
 STD_PHP_INI_ENTRY("opcache.jit_hot_return" , "8", PHP_INI_SYSTEM, OnUpdateCounter, hot_return, zend_jit_globals, jit_globals)
From 865739e5b196390f2eb1c5aeb2a7551e31da87cb Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sun, 29 Jun 2025 13:03:43 +0100
Subject: [PATCH 4/4] Fix GH-18976: pack with h or H format string overflow. adding with its own remainder, INT_MAX overflows here (negative values are discarded). close GH-18977
---
 NEWS | 2 ++ ext/standard/pack.c | 2 +- ext/standard/tests/strings/gh18976.phpt | 14 ++++++++++++++ 3 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 ext/standard/tests/strings/gh18976.phpt
diff --git a/NEWS b/NEWS
index 61e1697b62dd9..267681cfa265e 100644
--- a/NEWS
+++ b/NEWS
@@ -33,6 +33,8 @@ PHP NEWS - Standard: . Fix misleading errors in printf(). (nielsdos) . Fix RCN violations in array functions. (nielsdos) + . Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value. + (David Carlier) - Streams: . Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
index 8f72164a26956..46798e7403daf 100644
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@@ -388,7 +388,7 @@ PHP_FUNCTION(pack)
 switch ((int) code) {
 case 'h':
 case 'H':
- INC_OUTPUTPOS((arg + (arg % 2)) / 2,1) /* 4 bit per arg */
+ INC_OUTPUTPOS((arg / 2) + (arg % 2),1) /* 4 bit per arg */
 break;
 case 'a':
diff --git a/ext/standard/tests/strings/gh18976.phpt b/ext/standard/tests/strings/gh18976.phpt
new file mode 100644
index 0000000000000..aa58167f9d45b
--- /dev/null
+++ b/ext/standard/tests/strings/gh18976.phpt
@@ -0,0 +1,14 @@
+--TEST--
+GH-18976 (pack overflow with h/H format)
+--INI--
+memory_limit=-1
+--FILE--
+
+--EXPECTF--
+
+Warning: pack(): Type h: not enough characters in string in %s on line %d
+
+Warning: pack(): Type H: not enough characters in string in %s on line %d
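Review bot: The rewritten `INC_OUTPUTPOS((arg / 2) + (arg % 2),1)` is the right shape, but nothing on the line says why it is not the more obvious `(arg + 1) / 2` or the old `(arg + (arg % 2)) / 2`, so a later cleanup can reintroduce the `INT_MAX` overflow this commit fixes; the reason belongs in the comment. I would replace `/* 4 bit per arg */` with `/* ceil(arg / 2) bytes, 4 bits per hex digit; written without arg + 1 so arg == INT_MAX cannot overflow */`. The commit message states that negative repeater values are discarded before this point, but that invariant is not visible in the hunk and C's `%` yields a negative remainder for negative `arg`, so if it is enforced elsewhere in PHP_FUNCTION(pack) a `ZEND_ASSERT(arg >= 0)` next to this line, or a mention in the same comment, would make it checkable. PHP_FUNCTION(pack) starts and ends outside this hunk.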