CM4all
diff --git a/‎NEWS‎
Lines changed: 59 additions & 0 deletions b/‎NEWS‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎Zend/tests/oss_fuzz_54325.phpt‎
Lines changed: 19 additions & 0 deletions b/‎Zend/tests/oss_fuzz_54325.phpt‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎Zend/tests/oss_fuzz_64209.phpt‎
Lines changed: 13 additions & 0 deletions b/‎Zend/tests/oss_fuzz_64209.phpt‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎Zend/zend.h‎
Lines changed: 1 addition & 1 deletion b/‎Zend/zend.h‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Zend/zend_vm_def.h‎
Lines changed: 10 additions & 1 deletion b/‎Zend/zend_vm_def.h‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎Zend/zend_vm_execute.h‎
Lines changed: 25 additions & 1 deletion b/‎Zend/zend_vm_execute.h‎
Lines changed: 25 additions & 1 deletion
diff --git a/‎configure.ac‎
Lines changed: 18 additions & 1 deletion b/‎configure.ac‎
Lines changed: 18 additions & 1 deletion
diff --git a/‎ext/dom/document.c‎
Lines changed: 1 addition & 0 deletions b/‎ext/dom/document.c‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎ext/dom/element.c‎
Lines changed: 78 additions & 8 deletions b/‎ext/dom/element.c‎
Lines changed: 78 additions & 8 deletions
@@ -1,5 +1,64 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+21 Dec 2023, PHP 8.1.27
+
+- Core:
+  . Fixed oss-fuzz #54325 (Use-after-free of name in var-var with malicious
+    error handler). (ilutov)
+  . Fixed oss-fuzz #64209 (In-place modification of filename in
+    php_message_handler_for_zend). (ilutov)
+  . Fixed bug GH-12758 / GH-12768 (Invalid opline in OOM handlers within
+    ZEND_FUNC_GET_ARGS and ZEND_BIND_STATIC). (Florian Engelhardt)
+
+- DOM:
+  . Fixed bug GH-12616 (DOM: Removing XMLNS namespace node results in invalid
+    default: prefix). (nielsdos)
+
+- FPM:
+  . Fixed bug GH-12705 (Segmentation fault in fpm_status_export_to_zval).
+    (Patrick Prasse)
+   
+- Intl:
+  . Fixed bug GH-12635 (Test bug69398.phpt fails with ICU 74.1). (nielsdos)
+
+- LibXML:
+  . Fixed bug GH-12702 (libxml2 2.12.0 issue building from src). (nono303)
+
+- MySQLnd:
+  . Avoid using uninitialised struct. (mikhainin)
+
+- OpenSSL:
+  . Fixed bug #50713 (openssl_pkcs7_verify() may ignore untrusted CAs).
+    (Jakub Zelenka)
+
+- PCRE:
+  . Fixed bug GH-12628 (The gh11374 test fails on Alpinelinux). (nielsdos)
+
+- PGSQL:
+  . Fixed bug GH-12763 wrong argument type for pg_untrace. (degtyarov)
+
+- PHPDBG:
+  . Fixed bug GH-12675 (MEMORY_LEAK in phpdbg_prompt.c). (nielsdos)
+
+- SQLite3:
+  . Fixed bug GH-12633 (sqlite3_defensive.phpt fails with sqlite 3.44.0).
+    (SakiTakamachi)
+
+- Standard:
+  . Fix memory leak in syslog device handling. (danog)
+  . Fixed bug GH-12621 (browscap segmentation fault when configured in the
+    vhost). (nielsdos)
+  . Fixed bug GH-12655 (proc_open() does not take into account references
+    in the descriptor array). (nielsdos)
+
+- Streams:
+  . Fixed bug #79945 (Stream wrappers in imagecreatefrompng causes segfault).
+    (Jakub Zelenka)
+
+- Zip:
+  . Fixed bug GH-12661 (Inconsistency in ZipArchive::addGlob remove_path Option
+    Behavior). (Remi)
+
 23 Nov 2023, PHP 8.1.26
 
 - Core:
 
@@ -0,0 +1,19 @@
+--TEST--
+oss-fuzz #54325: Fix use-after-free of name in var-var with malicious error handler
+--FILE--
+<?php
+set_error_handler(function ($errno, $errstr) {
+    var_dump($errstr);
+    global $x;
+    $x = new stdClass;
+});
+
+// Needs to be non-interned string
+$x = strrev('foo');
+$$x++;
+var_dump($x);
+?>
+--EXPECT--
+string(23) "Undefined variable $oof"
+object(stdClass)#2 (0) {
+}
@@ -0,0 +1,13 @@
+--TEST--
+oss-fuzz #64209: Fix in-place modification of filename in php_message_handler_for_zend
+--FILE--
+<?php
+require '://@';
+?>
+--EXPECTF--
+Warning: require(://@): Failed to open stream: No such file or directory in %s on line %d
+
+Fatal error: Uncaught Error: Failed opening required '://@' (include_path='%s') in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d
@@ -20,7 +20,7 @@
 #ifndef ZEND_H
 #define ZEND_H
 
-#define ZEND_VERSION "4.1.26"
+#define ZEND_VERSION "4.1.27"
 
 #define ZEND_ENGINE_3
 
 
@@ -1748,13 +1748,20 @@ ZEND_VM_C_LABEL(fetch_this):
 		} else if (type == BP_VAR_IS || type == BP_VAR_UNSET) {
 			retval = &EG(uninitialized_zval);
 		} else {
+			if (OP1_TYPE == IS_CV) {
+				/* Keep name alive in case an error handler tries to free it. */
+				zend_string_addref(name);
+			}
 			zend_error(E_WARNING, "Undefined %svariable $%s",
 				(opline->extended_value & ZEND_FETCH_GLOBAL ? "global " : ""), ZSTR_VAL(name));
 			if (type == BP_VAR_RW && !EG(exception)) {
 				retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
 			} else {
 				retval = &EG(uninitialized_zval);
 			}
+			if (OP1_TYPE == IS_CV) {
+				zend_string_release(name);
+			}
 		}
 	/* GLOBAL or $$name variable may be an INDIRECT pointer to CV */
 	} else if (Z_TYPE_P(retval) == IS_INDIRECT) {
@@ -8781,6 +8788,8 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, UNUSED, REF)
 
 	variable_ptr = GET_OP1_ZVAL_PTR_PTR_UNDEF(BP_VAR_W);
 
+	SAVE_OPLINE();
+
 	ht = ZEND_MAP_PTR_GET(EX(func)->op_array.static_variables_ptr);
 	if (!ht) {
 		ht = zend_array_dup(EX(func)->op_array.static_variables);
@@ -8790,7 +8799,6 @@ ZEND_VM_HANDLER(183, ZEND_BIND_STATIC, CV, UNUSED, REF)
 
 	value = (zval*)((char*)ht->arData + (opline->extended_value & ~(ZEND_BIND_REF|ZEND_BIND_IMPLICIT|ZEND_BIND_EXPLICIT)));
 
-	SAVE_OPLINE();
 	if (opline->extended_value & ZEND_BIND_REF) {
 		if (Z_TYPE_P(value) == IS_CONSTANT_AST) {
 			if (UNEXPECTED(zval_update_constant_ex(value, EX(func)->op_array.scope) != SUCCESS)) {
@@ -9243,6 +9251,7 @@ ZEND_VM_HANDLER(172, ZEND_FUNC_GET_ARGS, UNUSED|CONST, UNUSED)
 	}
 
 	if (result_size) {
+		SAVE_OPLINE();
 		uint32_t first_extra_arg = EX(func)->op_array.num_args;
 
 		ht = zend_new_array(result_size);
 
@@ -9755,13 +9755,20 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_ad
 		} else if (type == BP_VAR_IS || type == BP_VAR_UNSET) {
 			retval = &EG(uninitialized_zval);
 		} else {
+			if (IS_CONST == IS_CV) {
+				/* Keep name alive in case an error handler tries to free it. */
+				zend_string_addref(name);
+			}
 			zend_error(E_WARNING, "Undefined %svariable $%s",
 				(opline->extended_value & ZEND_FETCH_GLOBAL ? "global " : ""), ZSTR_VAL(name));
 			if (type == BP_VAR_RW && !EG(exception)) {
 				retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
 			} else {
 				retval = &EG(uninitialized_zval);
 			}
+			if (IS_CONST == IS_CV) {
+				zend_string_release(name);
+			}
 		}
 	/* GLOBAL or $$name variable may be an INDIRECT pointer to CV */
 	} else if (Z_TYPE_P(retval) == IS_INDIRECT) {
@@ -10693,6 +10700,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_FUNC_GET_ARGS_SPEC_CONST_UNUSE
 	}
 
 	if (result_size) {
+		SAVE_OPLINE();
 		uint32_t first_extra_arg = EX(func)->op_array.num_args;
 
 		ht = zend_new_array(result_size);
@@ -17560,13 +17568,20 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_ad
 		} else if (type == BP_VAR_IS || type == BP_VAR_UNSET) {
 			retval = &EG(uninitialized_zval);
 		} else {
+			if ((IS_TMP_VAR|IS_VAR) == IS_CV) {
+				/* Keep name alive in case an error handler tries to free it. */
+				zend_string_addref(name);
+			}
 			zend_error(E_WARNING, "Undefined %svariable $%s",
 				(opline->extended_value & ZEND_FETCH_GLOBAL ? "global " : ""), ZSTR_VAL(name));
 			if (type == BP_VAR_RW && !EG(exception)) {
 				retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
 			} else {
 				retval = &EG(uninitialized_zval);
 			}
+			if ((IS_TMP_VAR|IS_VAR) == IS_CV) {
+				zend_string_release(name);
+			}
 		}
 	/* GLOBAL or $$name variable may be an INDIRECT pointer to CV */
 	} else if (Z_TYPE_P(retval) == IS_INDIRECT) {
@@ -36050,6 +36065,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_FUNC_GET_ARGS_SPEC_UNUSED_UNUS
 	}
 
 	if (result_size) {
+		SAVE_OPLINE();
 		uint32_t first_extra_arg = EX(func)->op_array.num_args;
 
 		ht = zend_new_array(result_size);
@@ -47008,13 +47024,20 @@ static zend_never_inline ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_fetch_var_ad
 		} else if (type == BP_VAR_IS || type == BP_VAR_UNSET) {
 			retval = &EG(uninitialized_zval);
 		} else {
+			if (IS_CV == IS_CV) {
+				/* Keep name alive in case an error handler tries to free it. */
+				zend_string_addref(name);
+			}
 			zend_error(E_WARNING, "Undefined %svariable $%s",
 				(opline->extended_value & ZEND_FETCH_GLOBAL ? "global " : ""), ZSTR_VAL(name));
 			if (type == BP_VAR_RW && !EG(exception)) {
 				retval = zend_hash_update(target_symbol_table, name, &EG(uninitialized_zval));
 			} else {
 				retval = &EG(uninitialized_zval);
 			}
+			if (IS_CV == IS_CV) {
+				zend_string_release(name);
+			}
 		}
 	/* GLOBAL or $$name variable may be an INDIRECT pointer to CV */
 	} else if (Z_TYPE_P(retval) == IS_INDIRECT) {
@@ -48450,6 +48473,8 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_UNUSED_HAN
 
 	variable_ptr = EX_VAR(opline->op1.var);
 
+	SAVE_OPLINE();
+
 	ht = ZEND_MAP_PTR_GET(EX(func)->op_array.static_variables_ptr);
 	if (!ht) {
 		ht = zend_array_dup(EX(func)->op_array.static_variables);
@@ -48459,7 +48484,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_BIND_STATIC_SPEC_CV_UNUSED_HAN
 
 	value = (zval*)((char*)ht->arData + (opline->extended_value & ~(ZEND_BIND_REF|ZEND_BIND_IMPLICIT|ZEND_BIND_EXPLICIT)));
 
-	SAVE_OPLINE();
 	if (opline->extended_value & ZEND_BIND_REF) {
 		if (Z_TYPE_P(value) == IS_CONSTANT_AST) {
 			if (UNEXPECTED(zval_update_constant_ex(value, EX(func)->op_array.scope) != SUCCESS)) {
 
@@ -17,7 +17,7 @@ dnl Basic autoconf initialization, generation of config.nice.
 dnl ----------------------------------------------------------------------------
 
 AC_PREREQ([2.68])
-AC_INIT([PHP],[8.1.26],[https://github.com/php/php-src/issues],[php],[https://www.php.net])
+AC_INIT([PHP],[8.1.27],[https://github.com/php/php-src/issues],[php],[https://www.php.net])
 AC_CONFIG_SRCDIR([main/php_version.h])
 AC_CONFIG_AUX_DIR([build])
 AC_PRESERVE_HELP_ORDER
@@ -1536,6 +1536,23 @@ if test "$PHP_UNDEFINED_SANITIZER" = "yes"; then
   AX_CHECK_COMPILE_FLAG([-fsanitize=undefined], [
     CFLAGS="$CFLAGS -fsanitize=undefined"
     CXXFLAGS="$CXXFLAGS -fsanitize=undefined"
+
+    dnl Clang 17 adds stricter function pointer compatibility checks where pointer args cannot be
+    dnl cast to void*. In that case, set -fno-sanitize=function.
+    OLD_CFLAGS="$CFLAGS"
+    CFLAGS="$CFLAGS -fno-sanitize-recover=undefined"
+    AC_RUN_IFELSE([AC_LANG_SOURCE([[
+void foo(char *string) {}
+int main(void) {
+  void (*f)(void *) = (void (*)(void *))foo;
+  f("foo");
+}
+    ]])],,[ubsan_needs_no_function=yes],)
+    CFLAGS="$OLD_CFLAGS"
+    if test "$ubsan_needs_no_function" = yes; then
+      CFLAGS="$CFLAGS -fno-sanitize=function"
+      CXXFLAGS="$CFLAGS -fno-sanitize=function"
+    fi
   ], [AC_MSG_ERROR([UndefinedBehaviorSanitizer is not available])])
 fi
 
 
@@ -23,6 +23,7 @@
 #if defined(HAVE_LIBXML) && defined(HAVE_DOM)
 #include "php_dom.h"
 #include <libxml/SAX.h>
+#include <libxml/xmlsave.h>
 #ifdef LIBXML_SCHEMAS_ENABLED
 #include <libxml/relaxng.h>
 #include <libxml/xmlschemas.h>
 
@@ -724,6 +724,83 @@ PHP_METHOD(DOMElement, setAttributeNS)
 }
 /* }}} end dom_element_set_attribute_ns */
 
+static void dom_remove_eliminated_ns_single_element(xmlNodePtr node, xmlNsPtr eliminatedNs)
+{
+	ZEND_ASSERT(node->type == XML_ELEMENT_NODE);
+	if (node->ns == eliminatedNs) {
+		node->ns = NULL;
+	}
+
+	for (xmlAttrPtr attr = node->properties; attr != NULL; attr = attr->next) {
+		if (attr->ns == eliminatedNs) {
+			attr->ns = NULL;
+		}
+	}
+}
+
+static void dom_remove_eliminated_ns(xmlNodePtr node, xmlNsPtr eliminatedNs)
+{
+	dom_remove_eliminated_ns_single_element(node, eliminatedNs);
+
+	xmlNodePtr base = node;
+	node = node->children;
+	while (node != NULL) {
+		ZEND_ASSERT(node != base);
+
+		if (node->type == XML_ELEMENT_NODE) {
+			dom_remove_eliminated_ns_single_element(node, eliminatedNs);
+
+			if (node->children) {
+				node = node->children;
+				continue;
+			}
+		}
+
+		if (node->next) {
+			node = node->next;
+		} else {
+			/* Go upwards, until we find a parent node with a next sibling, or until we hit the base. */
+			do {
+				node = node->parent;
+				if (node == base) {
+					return;
+				}
+			} while (node->next == NULL);
+			node = node->next;
+		}
+	}
+}
+
+static void dom_eliminate_ns(xmlNodePtr nodep, xmlNsPtr nsptr)
+{
+	if (nsptr->href != NULL) {
+		xmlFree((char *) nsptr->href);
+		nsptr->href = NULL;
+	}
+	if (nsptr->prefix != NULL) {
+		xmlFree((char *) nsptr->prefix);
+		nsptr->prefix = NULL;
+	}
+
+	/* Remove it from the list and move it to the old ns list */
+	xmlNsPtr current_ns = nodep->nsDef;
+	if (current_ns == nsptr) {
+		nodep->nsDef = nsptr->next;
+	} else {
+		do {
+			if (current_ns->next == nsptr) {
+				current_ns->next = nsptr->next;
+				break;
+			}
+			current_ns = current_ns->next;
+		} while (current_ns != NULL);
+	}
+	nsptr->next = NULL;
+	dom_set_old_ns(nodep->doc, nsptr);
+
+	dom_remove_eliminated_ns(nodep, nsptr);
+}
+
 /* {{{ URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-ElRemAtNS
 Since: DOM Level 2
 */
@@ -754,14 +831,7 @@ PHP_METHOD(DOMElement, removeAttributeNS)
 	nsptr = dom_get_nsdecl(nodep, (xmlChar *)name);
 	if (nsptr != NULL) {
 		if (xmlStrEqual((xmlChar *)uri, nsptr->href)) {
-			if (nsptr->href != NULL) {
-				xmlFree((char *) nsptr->href);
-				nsptr->href = NULL;
-			}
-			if (nsptr->prefix != NULL) {
-				xmlFree((char *) nsptr->prefix);
-				nsptr->prefix = NULL;
-			}
+			dom_eliminate_ns(nodep, nsptr);
 		} else {
 			RETURN_NULL();
 		}