From 55717656097918baf21fe272a788db501ed33854 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri, 19 Jun 2020 09:27:19 +0200
Subject: [PATCH 1/4] Forbid use of <?= as a semi-reserved identifier

One of the weirdest pieces of PHP code I've ever seen. In terms
of tokens, this gets internally translated to

    use x as y; echo as my_echo;

On master it crashes because this "echo" does not have attached
identifier metadata. Make sure it is added and then reject the
use of "<?=" as an identifier inside zend_lex_tstring.

Fixes oss-fuzz #23547.
---
 Zend/tests/short_echo_as_identifier.phpt | 15 +++++++++++++++
 Zend/zend_language_parser.y              |  5 +++--
 Zend/zend_language_scanner.h             |  2 +-
 Zend/zend_language_scanner.l             | 11 +++++++++--
 4 files changed, 28 insertions(+), 5 deletions(-)
 create mode 100644 Zend/tests/short_echo_as_identifier.phpt

diff --git a/Zend/tests/short_echo_as_identifier.phpt b/Zend/tests/short_echo_as_identifier.phpt
new file mode 100644
index 0000000000000..7fc1684861889
--- /dev/null
+++ b/Zend/tests/short_echo_as_identifier.phpt
@@ -0,0 +1,15 @@
+--TEST--
+<?= cannot be used as an identifier
+--FILE--
+<?php
+trait T {
+    public function x() {}
+}
+class C {
+    use T {
+        x as y?><?= as my_echo;
+    }
+}
+?>
+--EXPECTF--
+Parse error: Cannot use "<?=" as an identifier in %s on line %d
diff --git a/Zend/zend_language_parser.y b/Zend/zend_language_parser.y
index f930cf0e5d897..8ec740a05c47d 100644
--- a/Zend/zend_language_parser.y
+++ b/Zend/zend_language_parser.y
@@ -296,7 +296,7 @@ identifier:
 		T_STRING { $$ = $1; }
 	| 	semi_reserved  {
 			zval zv;
-			zend_lex_tstring(&zv, $1);
+			if (zend_lex_tstring(&zv, $1) == FAILURE) { YYABORT; }
 			$$ = zend_ast_create_zval(&zv);
 		}
 ;
@@ -852,7 +852,8 @@ trait_alias:
 		trait_method_reference T_AS T_STRING
 			{ $$ = zend_ast_create(ZEND_AST_TRAIT_ALIAS, $1, $3); }
 	|	trait_method_reference T_AS reserved_non_modifiers
-			{ zval zv; zend_lex_tstring(&zv, $3);
+			{ zval zv;
+			  if (zend_lex_tstring(&zv, $3) == FAILURE) { YYABORT; }
 			  $$ = zend_ast_create(ZEND_AST_TRAIT_ALIAS, $1, zend_ast_create_zval(&zv)); }
 	|	trait_method_reference T_AS member_modifier identifier
 			{ $$ = zend_ast_create_ex(ZEND_AST_TRAIT_ALIAS, $3, $1, $4); }
diff --git a/Zend/zend_language_scanner.h b/Zend/zend_language_scanner.h
index 35d4d0269e55d..c15f11af2e51b 100644
--- a/Zend/zend_language_scanner.h
+++ b/Zend/zend_language_scanner.h
@@ -78,7 +78,7 @@ ZEND_API void zend_restore_lexical_state(zend_lex_state *lex_state);
 ZEND_API int zend_prepare_string_for_scanning(zval *str, const char *filename);
 ZEND_API void zend_multibyte_yyinput_again(zend_encoding_filter old_input_filter, const zend_encoding *old_encoding);
 ZEND_API int zend_multibyte_set_filter(const zend_encoding *onetime_encoding);
-ZEND_API void zend_lex_tstring(zval *zv, zend_lexer_ident_ref ident_ref);
+ZEND_API int zend_lex_tstring(zval *zv, zend_lexer_ident_ref ident_ref);
 
 END_EXTERN_C()
 
diff --git a/Zend/zend_language_scanner.l b/Zend/zend_language_scanner.l
index 7b5a8ab1c8737..ffb515893888e 100644
--- a/Zend/zend_language_scanner.l
+++ b/Zend/zend_language_scanner.l
@@ -306,15 +306,21 @@ ZEND_API void zend_destroy_file_handle(zend_file_handle *file_handle)
 	}
 }
 
-ZEND_API void zend_lex_tstring(zval *zv, zend_lexer_ident_ref ident_ref)
+ZEND_API int zend_lex_tstring(zval *zv, zend_lexer_ident_ref ident_ref)
 {
 	char *ident = (char *) SCNG(yy_start) + ident_ref.offset;
 	size_t length = ident_ref.len;
+	if (length == sizeof("<?=")-1 && memcmp(ident, "<?=", sizeof("<?=")-1) == 0) {
+		zend_throw_exception(zend_ce_parse_error, "Cannot use \"<?=\" as an identifier", 0);
+		return FAILURE;
+	}
+
 	if (SCNG(on_event)) {
 		SCNG(on_event)(ON_FEEDBACK, T_STRING, 0, ident, length, SCNG(on_event_context));
 	}
 
 	ZVAL_STRINGL(zv, ident, length);
+	return SUCCESS;
 }
 
 #define BOM_UTF32_BE	"\x00\x00\xfe\xff"
@@ -2149,7 +2155,8 @@ string:
 <INITIAL>"<?=" {
 	BEGIN(ST_IN_SCRIPTING);
 	if (PARSER_MODE()) {
-		RETURN_TOKEN(T_ECHO);
+		/* We'll reject this as an identifier in zend_lex_tstring. */
+		RETURN_TOKEN_WITH_IDENT(T_ECHO);
 	}
 	RETURN_TOKEN(T_OPEN_TAG_WITH_ECHO);
 }

From 21a2da23498509fa671a69ae42d4c2cd841ee94d Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri, 19 Jun 2020 09:43:56 +0200
Subject: [PATCH 2/4] Generate temporary config file when generating
 certificates

The putenv trick doesn't work on ZTS Windows, so generate a new
openssl config every time.
---
 ext/openssl/tests/CertificateGenerator.inc | 71 ++++++++++++++--------
 ext/openssl/tests/san.cnf                  | 13 ----
 2 files changed, 47 insertions(+), 37 deletions(-)
 delete mode 100644 ext/openssl/tests/san.cnf

diff --git a/ext/openssl/tests/CertificateGenerator.inc b/ext/openssl/tests/CertificateGenerator.inc
index 4cd8540cefad7..b409376058efe 100644
--- a/ext/openssl/tests/CertificateGenerator.inc
+++ b/ext/openssl/tests/CertificateGenerator.inc
@@ -3,7 +3,6 @@
 class CertificateGenerator
 {
     const CONFIG = __DIR__. DIRECTORY_SEPARATOR . 'openssl.cnf';
-    const SAN_CONFIG = __DIR__ . DIRECTORY_SEPARATOR . 'san.cnf';
 
     /** @var resource */
     private $ca;
@@ -96,32 +95,56 @@ class CertificateGenerator
             $dn['commonName'] = $commonNameForCert;
         }
 
-        $config = [
-            'digest_alg' => 'sha256',
-            'req_extensions' => 'v3_req',
-            'x509_extensions' => 'usr_cert',
-        ];
-        if ($subjectAltName !== null) {
-            putenv("PHP_SUBJECTALTNAME=$subjectAltName");
-            $config['config'] = self::SAN_CONFIG;
-        }
-
-        $this->lastKey = self::generateKey($keyLength);
-        $this->lastCert = openssl_csr_sign(
-            openssl_csr_new($dn, $this->lastKey, $config),
-            $this->ca,
-            $this->caKey,
-            /* days */ 2,
-            $config,
-        );
+        $subjectAltNameConfig =
+            $subjectAltName ? "subjectAltName = $subjectAltName" : "";
+        $configCode = <<<CONFIG
+[ req ]
+distinguished_name = req_distinguished_name
+default_md = sha256
+
+[ req_distinguished_name ]
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+$subjectAltNameConfig
+
+[ usr_cert ]
+basicConstraints = CA:FALSE
+$subjectAltNameConfig
+CONFIG;
+        $configFile = $file . '.cnf';
+        file_put_contents($configFile, $configCode);
+
+        try {
+            $config = [
+                'config' => $configFile,
+                'req_extensions' => 'v3_req',
+                'x509_extensions' => 'usr_cert',
+            ];
+
+            $this->lastKey = self::generateKey($keyLength);
+            $this->lastCert = openssl_csr_sign(
+                openssl_csr_new($dn, $this->lastKey, $config),
+                $this->ca,
+                $this->caKey,
+                /* days */ 2,
+                $config,
+            );
+            if (!$this->lastCert) {
+                throw new Exception('Failed to create certificate');
+            }
 
-        $certText = '';
-        openssl_x509_export($this->lastCert, $certText);
+            $certText = '';
+            openssl_x509_export($this->lastCert, $certText);
 
-        $keyText = '';
-        openssl_pkey_export($this->lastKey, $keyText);
+            $keyText = '';
+            openssl_pkey_export($this->lastKey, $keyText);
 
-        file_put_contents($file, $certText . PHP_EOL . $keyText);
+            file_put_contents($file, $certText . PHP_EOL . $keyText);
+        } finally {
+            unlink($configFile);
+        }
     }
 
     public function getCertDigest($algo)
diff --git a/ext/openssl/tests/san.cnf b/ext/openssl/tests/san.cnf
deleted file mode 100644
index fd347331a908c..0000000000000
--- a/ext/openssl/tests/san.cnf
+++ /dev/null
@@ -1,13 +0,0 @@
-[ req ]
-distinguished_name = req_distinguished_name
-
-[ req_distinguished_name ]
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName = ${ENV::PHP_SUBJECTALTNAME}
-
-[ usr_cert ]
-basicConstraints = CA:FALSE
-subjectAltName = ${ENV::PHP_SUBJECTALTNAME}

From 5d7ff25311f1c640a78ca9ac1b83a0366d4882d2 Mon Sep 17 00:00:00 2001
From: Paul Dragoonis <dragoonis@gmail.com>
Date: Thu, 18 Jun 2020 10:40:40 +0100
Subject: [PATCH 3/4] Removing HTML Functionality from run-tests.php

As discussed on GH-5632, the HTML functionality does not appear
to be in active use. For HTML rendering of test results, it is
suggested to instead use the JUnit integration, in combination
with your favorite JUnit viewer.

Closes GH-5705.
---
 run-tests.php | 131 +++++---------------------------------------------
 1 file changed, 12 insertions(+), 119 deletions(-)

diff --git a/run-tests.php b/run-tests.php
index 656ba645a1b07..26bd7363166eb 100755
--- a/run-tests.php
+++ b/run-tests.php
@@ -87,15 +87,11 @@ function show_usage()
     --help
     -h          This Help.
 
-    --html <file> Generate HTML output.
-
     --temp-source <sdir>  --temp-target <tdir> [--temp-urlbase <url>]
                 Write temporary files to <tdir> by replacing <sdir> from the
-                filenames to generate with <tdir>. If --html is being used and
-                <url> given then the generated links are relative and prefixed
-                with the given url. In general you want to make <sdir> the path
-                to your source files and <tdir> some patch in your web page
-                hierarchy with <url> pointing to <tdir>.
+                filenames to generate with <tdir>. In general you want to make
+                <sdir> the path to your source files and <tdir> some patch in
+                your web page hierarchy with <url> pointing to <tdir>.
 
     --keep-[all|php|skip|clean]
                 Do not delete 'all' files, 'php' test file, 'skip' or 'clean'
@@ -137,7 +133,7 @@ function main()
     global $DETAILED, $PHP_FAILED_TESTS, $SHOW_ONLY_GROUPS, $argc, $argv, $cfg,
            $cfgfiles, $cfgtypes, $conf_passed, $end_time, $environment,
            $exts_skipped, $exts_tested, $exts_to_test, $failed_tests_file,
-           $html_file, $html_output, $ignored_by_ext, $ini_overwrites, $is_switch,
+           $ignored_by_ext, $ini_overwrites, $is_switch,
            $just_save_results, $log_format, $matches, $no_clean, $no_file_cache,
            $optionals, $output_file, $pass_option_n, $pass_options,
            $pattern_match, $php, $php_cgi, $phpdbg, $preload, $redir_tests,
@@ -378,8 +374,6 @@ function main()
 
     $just_save_results = false;
     $valgrind = null;
-    $html_output = false;
-    $html_file = null;
     $temp_source = null;
     $temp_target = null;
     $temp_urlbase = null;
@@ -606,10 +600,6 @@ function main()
                         $repeat = true;
                     }
                     break;
-                case '--html':
-                    $html_file = fopen($argv[++$i], 'wt');
-                    $html_output = is_resource($html_file);
-                    break;
                 case '--version':
                     echo '$Id$' . "\n";
                     exit(1);
@@ -691,20 +681,12 @@ function main()
         usort($test_files, "test_sort");
         $start_time = time();
 
-        if (!$html_output) {
-            echo "Running selected tests.\n";
-        } else {
-            show_start($start_time);
-        }
+        echo "Running selected tests.\n";
 
         $test_idx = 0;
         run_all_tests($test_files, $environment);
         $end_time = time();
 
-        if ($html_output) {
-            show_end($end_time);
-        }
-
         if ($failed_tests_file) {
             fclose($failed_tests_file);
         }
@@ -719,15 +701,8 @@ function main()
         }
 
         compute_summary();
-        if ($html_output) {
-            fwrite($html_file, "<hr/>\n" . get_summary(false, true));
-        }
         echo "=====================================================================";
-        echo get_summary(false, false);
-
-        if ($html_output) {
-            fclose($html_file);
-        }
+        echo get_summary(false);
 
         if ($output_file != '' && $just_save_results) {
             save_or_mail_results();
@@ -792,10 +767,6 @@ function main()
         show_end($end_time);
         show_summary();
 
-        if ($html_output) {
-            fclose($html_file);
-        }
-
         save_or_mail_results();
     }
 
@@ -962,7 +933,7 @@ function save_or_mail_results()
             $failed_tests_data = '';
             $sep = "\n" . str_repeat('=', 80) . "\n";
             $failed_tests_data .= $failed_test_summary . "\n";
-            $failed_tests_data .= get_summary(true, false) . "\n";
+            $failed_tests_data .= get_summary(true) . "\n";
 
             if ($sum_results['FAILED']) {
                 foreach ($PHP_FAILED_TESTS['FAILED'] as $test_info) {
@@ -3015,7 +2986,7 @@ function compute_summary()
     }
 }
 
-function get_summary($show_ext_summary, $show_html)
+function get_summary($show_ext_summary)
 {
     global $exts_skipped, $exts_tested, $n_total, $sum_results, $percent_results, $end_time, $start_time, $failed_test_summary, $PHP_FAILED_TESTS, $valgrind;
 
@@ -3034,10 +3005,6 @@ function get_summary($show_ext_summary, $show_html)
 
     $summary = '';
 
-    if ($show_html) {
-        $summary .= "<pre>\n";
-    }
-
     if ($show_ext_summary) {
         $summary .= '
 =====================================================================
@@ -3179,55 +3146,27 @@ function get_summary($show_ext_summary, $show_html)
         $summary .= $failed_test_summary;
     }
 
-    if ($show_html) {
-        $summary .= "</pre>";
-    }
-
     return $summary;
 }
 
 function show_start($start_time)
 {
-    global $html_output, $html_file;
-
-    if ($html_output) {
-        fwrite($html_file, "<h2>Time Start: " . date('Y-m-d H:i:s', $start_time) . "</h2>\n");
-        fwrite($html_file, "<table>\n");
-    }
-
     echo "TIME START " . date('Y-m-d H:i:s', $start_time) . "\n=====================================================================\n";
 }
 
 function show_end($end_time)
 {
-    global $html_output, $html_file;
-
-    if ($html_output) {
-        fwrite($html_file, "</table>\n");
-        fwrite($html_file, "<h2>Time End: " . date('Y-m-d H:i:s', $end_time) . "</h2>\n");
-    }
-
     echo "=====================================================================\nTIME END " . date('Y-m-d H:i:s', $end_time) . "\n";
 }
 
 function show_summary()
 {
-    global $html_output, $html_file;
-
-    if ($html_output) {
-        fwrite($html_file, "<hr/>\n" . get_summary(true, true));
-    }
-
-    echo get_summary(true, false);
+    echo get_summary(true);
 }
 
 function show_redirect_start($tests, $tested, $tested_file)
 {
-    global $html_output, $html_file, $line_length, $SHOW_ONLY_GROUPS;
-
-    if ($html_output) {
-        fwrite($html_file, "<tr><td colspan='3'>---&gt; $tests ($tested [$tested_file]) begin</td></tr>\n");
-    }
+    global $SHOW_ONLY_GROUPS;
 
     if (!$SHOW_ONLY_GROUPS || in_array('REDIRECT', $SHOW_ONLY_GROUPS)) {
         echo "REDIRECT $tests ($tested [$tested_file]) begin\n";
@@ -3238,11 +3177,7 @@ function show_redirect_start($tests, $tested, $tested_file)
 
 function show_redirect_ends($tests, $tested, $tested_file)
 {
-    global $html_output, $html_file, $line_length, $SHOW_ONLY_GROUPS;
-
-    if ($html_output) {
-        fwrite($html_file, "<tr><td colspan='3'>---&gt; $tests ($tested [$tested_file]) done</td></tr>\n");
-    }
+    global $SHOW_ONLY_GROUPS;
 
     if (!$SHOW_ONLY_GROUPS || in_array('REDIRECT', $SHOW_ONLY_GROUPS)) {
         echo "REDIRECT $tests ($tested [$tested_file]) done\n";
@@ -3283,7 +3218,7 @@ function parse_conflicts(string $text): array
 
 function show_result($result, $tested, $tested_file, $extra = '', $temp_filenames = null)
 {
-    global $html_output, $html_file, $temp_target, $temp_urlbase, $line_length, $SHOW_ONLY_GROUPS;
+    global $temp_target, $temp_urlbase, $line_length, $SHOW_ONLY_GROUPS;
 
     if (!$SHOW_ONLY_GROUPS || in_array($result, $SHOW_ONLY_GROUPS)) {
         echo "$result $tested [$tested_file] $extra\n";
@@ -3291,48 +3226,6 @@ function show_result($result, $tested, $tested_file, $extra = '', $temp_filename
         clear_show_test();
     }
 
-    if ($html_output) {
-        if (isset($temp_filenames['file']) && file_exists($temp_filenames['file'])) {
-            $url = str_replace($temp_target, $temp_urlbase, $temp_filenames['file']);
-            $tested = "<a href='$url'>$tested</a>";
-        }
-
-        if (isset($temp_filenames['skip']) && file_exists($temp_filenames['skip'])) {
-            if (empty($extra)) {
-                $extra = "skipif";
-            }
-
-            $url = str_replace($temp_target, $temp_urlbase, $temp_filenames['skip']);
-            $extra = "<a href='$url'>$extra</a>";
-        } elseif (empty($extra)) {
-            $extra = "&nbsp;";
-        }
-
-        if (isset($temp_filenames['diff']) && file_exists($temp_filenames['diff'])) {
-            $url = str_replace($temp_target, $temp_urlbase, $temp_filenames['diff']);
-            $diff = "<a href='$url'>diff</a>";
-        } else {
-            $diff = "&nbsp;";
-        }
-
-        if (isset($temp_filenames['mem']) && file_exists($temp_filenames['mem'])) {
-            $url = str_replace($temp_target, $temp_urlbase, $temp_filenames['mem']);
-            $mem = "<a href='$url'>leaks</a>";
-        } else {
-            $mem = "&nbsp;";
-        }
-
-        fwrite(
-            $html_file,
-            "<tr>" .
-                "<td>$result</td>" .
-                "<td>$tested</td>" .
-                "<td>$extra</td>" .
-                "<td>$diff</td>" .
-                "<td>$mem</td>" .
-                "</tr>\n"
-        );
-    }
 }
 
 function junit_init()

From 32f377b0b94482a5b126408942646b9bd101c042 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri, 19 Jun 2020 10:46:02 +0200
Subject: [PATCH 4/4] Fixed bug #79710

Make sure we don't use zresource after the stream has been destroyed.
---
 NEWS                        |  4 ++++
 ext/spl/spl_directory.c     |  9 +++++++--
 ext/spl/tests/bug79710.phpt | 40 +++++++++++++++++++++++++++++++++++++
 3 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 ext/spl/tests/bug79710.phpt

diff --git a/NEWS b/NEWS
index c7478ce2de06a..33fbff3a54f27 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,10 @@ PHP                                                                        NEWS
   . Fixed bug #79664 (PDOStatement::getColumnMeta fails on empty result set).
     (cmb)
 
+- SPL:
+  . Fixed bug #79710 (Reproducible segfault in error_handler during GC
+    involved an SplFileObject). (Nikita)
+
 - Standard:
   . Fixed bug #74267 (segfault with streams and invalid data). (cmb)
 
diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
index b9e6bf91e8b43..6e79bc407fef2 100644
--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
@@ -96,6 +96,7 @@ static void spl_filesystem_object_destroy_object(zend_object *object) /* {{{ */
 				php_stream_pclose(intern->u.file.stream);
 			}
 			intern->u.file.stream = NULL;
+			ZVAL_UNDEF(&intern->u.file.zresource);
 		}
 		break;
 	default:
@@ -2062,12 +2063,16 @@ static int spl_filesystem_file_call(spl_filesystem_object *intern, zend_function
 {
 	zend_fcall_info fci;
 	zend_fcall_info_cache fcic;
-	zval *zresource_ptr = &intern->u.file.zresource, retval;
+	zval *zresource_ptr = &intern->u.file.zresource, *params, retval;
 	int result;
 	int num_args = pass_num_args + (arg2 ? 2 : 1);
 
-	zval *params = (zval*)safe_emalloc(num_args, sizeof(zval), 0);
+	if (Z_ISUNDEF_P(zresource_ptr)) {
+		zend_throw_exception_ex(spl_ce_RuntimeException, 0, "Object not initialized");
+		return FAILURE;
+	}
 
+	params = (zval*)safe_emalloc(num_args, sizeof(zval), 0);
 	params[0] = *zresource_ptr;
 
 	if (arg2) {
diff --git a/ext/spl/tests/bug79710.phpt b/ext/spl/tests/bug79710.phpt
new file mode 100644
index 0000000000000..a5c065fd67ba6
--- /dev/null
+++ b/ext/spl/tests/bug79710.phpt
@@ -0,0 +1,40 @@
+--TEST--
+Bug #79710: Reproducible segfault in error_handler during GC involved an SplFileObject
+--FILE--
+<?php
+
+class Target
+{
+    public $sfo;
+    public function __construct($sfo) {
+        $this->sfo = $sfo;
+    }
+    public function __destruct() {
+        // If the SplFileObject is destructed first,
+        // underlying FD is no longer valid and will cause error upon calling flock
+        $this->sfo->flock(2);
+    }
+}
+
+class Run
+{
+    static $sfo;
+    static $foo;
+    public static function main() {
+        // Creation ordering is important for repro
+        // $sfo needed to be destructed before $foo.
+        Run::$sfo = new SplTempFileObject();
+        Run::$foo = new Target(Run::$sfo);
+    }
+}
+
+Run::main();
+
+?>
+--EXPECTF--
+Fatal error: Uncaught RuntimeException: Object not initialized in %s:%d
+Stack trace:
+#0 %s(%d): SplFileObject->flock(2)
+#1 [internal function]: Target->__destruct()
+#2 {main}
+  thrown in %s on line %d