Merge tag 'php-8.2.22' into was-8.2.x

Tag for php-8.2.22

Author: MaxKellermann

.github/workflows/nightly.yml

@@ -359,7 +359,7 @@ jobs:
           # Test causes a heap-buffer-overflow but I cannot reproduce it locally...
           php -r '$c = file_get_contents("src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php"); $c = str_replace("public function testSanitizeDeepNestedString()", "/** @group skip */\n    public function testSanitizeDeepNestedString()", $c); file_put_contents("src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php", $c);'
           # Buggy FFI test in Symfony, see https://github.com/symfony/symfony/issues/47668
-          php -r '$c = file_get_contents("src/Symfony/Component/VarDumper/Tests/Caster/FFICasterTest.php"); $c = str_replace("*/\n    public function testCastNonTrailingCharPointer()", "* @group skip\n     */\n    public function testCastNonTrailingCharPointer()", $c); file_put_contents("src/Symfony/Component/VarDumper/Tests/Caster/FFICasterTest.php", $c);'
+          php -r '$c = file_get_contents("src/Symfony/Component/VarDumper/Tests/Caster/FFICasterTest.php"); $c = str_replace("public function testCastNonTrailingCharPointer()", "/** @group skip */\n    public function testCastNonTrailingCharPointer()", $c); file_put_contents("src/Symfony/Component/VarDumper/Tests/Caster/FFICasterTest.php", $c);'
           export ASAN_OPTIONS=exitcode=139
           export SYMFONY_DEPRECATIONS_HELPER=max[total]=999
           X=0

NEWS

@@ -1,5 +1,75 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+01 Aug 2024, PHP 8.2.22
+
+- Core:
+  . Fixed bug GH-13922 (Fixed support for systems with
+    sysconf(_SC_GETPW_R_SIZE_MAX) == -1). (Arnaud)
+  . Fixed bug GH-14626 (Fix is_zend_ptr() for huge blocks). (Arnaud)
+  . Fixed bug GH-14590 (Memory leak in FPM test gh13563-conf-bool-env.phpt.
+    (nielsdos)
+  . Fixed OSS-Fuzz #69765. (nielsdos)
+  . Fixed bug GH-14741 (Segmentation fault in Zend/zend_types.h). (nielsdos)
+  . Fixed bug GH-14969 (Use-after-free in property coercion with __toString()).
+    (ilutov)
+
+- Dom:
+  . Fixed bug GH-14702 (DOMDocument::xinclude() crash). (nielsdos)
+
+- Gd:
+  . ext/gd/tests/gh10614.phpt: skip if no PNG support. (orlitzky)
+  . restored warning instead of fata error. (dryabov)
+
+- LibXML:
+  . Fixed bug GH-14563 (Build failure with libxml2 v2.13.0). (nielsdos)
+
+- Opcache:
+  . Fixed bug GH-14550 (No warning message when Zend DTrace is enabled that
+    opcache.jit is implictly disabled). (nielsdos)
+
+- Output:
+  . Fixed bug GH-14808 (Unexpected null pointer in Zend/zend_string.h with
+    empty output buffer). (nielsdos)
+
+- PDO:
+  . Fixed bug GH-14712 (Crash with PDORow access to null property).
+    (David Carlier)
+
+- Phar:
+  . Fixed bug GH-14603 (null string from zip entry).
+    (David Carlier)
+
+- PHPDBG:
+  . Fixed bug GH-14596 (crashes with ASAN and ZEND_RC_DEBUG=1).
+    (David Carlier)
+  . Fixed bug GH-14553 (echo output trimmed at NULL byte). (nielsdos)
+
+- Shmop:
+   . Fixed bug GH-14537 (shmop Windows 11 crashes the process). (nielsdos)
+
+- SimpleXML:
+   . Fixed bug GH-14638 (null dereference after XML parsing failure).
+     (David Carlier)
+
+- SPL:
+  . Fixed bug GH-14639 (Member access within null pointer in
+    ext/spl/spl_observer.c). (nielsdos)
+
+- Standard:
+  . Fix 32-bit wordwrap test failures. (orlitzky)
+  . Fixed bug GH-14774 (time_sleep_until overflow). (David Carlier)
+
+- Tidy:
+  . Fix memory leak in tidy_repair_file(). (nielsdos)
+
+- Treewide:
+  . Fix compatibility with libxml2 2.13.2. (nielsdos)
+
+- XML:
+  . Move away from to-be-deprecated libxml fields. (nielsdos)
+  . Fixed bug GH-14834 (Error installing PHP when --with-pear is used).
+    (nielsdos)
+
 04 Jul 2024, PHP 8.2.21
 
 - Core:
@@ -13,7 +83,7 @@ PHP                                                                        NEWS
   . Fixed bug GH-14549 (Incompatible function pointer type for fclose).
     (Ryan Carsten Schmidt)
 
-- BCMatch:
+- BCMath:
   . Fixed bug (bcpowmod() with mod = -1 returns 1 when it must be 0). (Girgias)
 
 - Curl:

TSRM/tsrm_win32.c

@@ -709,6 +709,7 @@ TSRM_API int shmget(key_t key, size_t size, int flags)
 			CloseHandle(shm->segment);
 		}
 		UnmapViewOfFile(shm->descriptor);
+		shm->descriptor = NULL;
 		return -1;
 	}
 
@@ -744,8 +745,8 @@ TSRM_API int shmdt(const void *shmaddr)
 	shm->descriptor->shm_lpid  = getpid();
 	shm->descriptor->shm_nattch--;
 
-	ret = 1;
-	if (!ret  && shm->descriptor->shm_nattch <= 0) {
+	ret = 0;
+	if (shm->descriptor->shm_nattch <= 0) {
 		ret = UnmapViewOfFile(shm->descriptor) ? 0 : -1;
 		shm->descriptor = NULL;
 	}

Zend/tests/gh14626.phpt

@@ -0,0 +1,18 @@
+--TEST--
+GH-14626: is_zend_ptr() may crash for non-zend ptrs when huge blocks exist
+--EXTENSIONS--
+zend_test
+--FILE--
+<?php
+
+// Ensure there is at least one huge_block
+$str = str_repeat('a', 2*1024*1024);
+
+// Check that is_zend_ptr() does not crash
+zend_test_is_zend_ptr(0);
+zend_test_is_zend_ptr(1<<30);
+
+?>
+==DONE==
+--EXPECT--
+==DONE==

Zend/tests/gh14969.phpt

@@ -0,0 +1,47 @@
+--TEST--
+GH-14969: Crash on coercion with throwing __toString()
+--FILE--
+<?php
+
+class C {
+    public function __toString() {
+        global $c;
+        $c = [];
+        throw new Exception(__METHOD__);
+    }
+}
+
+class D {
+    public string $prop;
+}
+
+$c = new C();
+$d = new D();
+try {
+    $d->prop = $c;
+} catch (Throwable $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($d);
+
+$c = new C();
+$d->prop = 'foo';
+try {
+    $d->prop = $c;
+} catch (Throwable $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($d);
+
+?>
+--EXPECTF--
+C::__toString
+object(D)#%d (0) {
+  ["prop"]=>
+  uninitialized(string)
+}
+C::__toString
+object(D)#2 (1) {
+  ["prop"]=>
+  string(3) "foo"
+}

Zend/tests/oss-fuzz-69765.phpt

@@ -0,0 +1,10 @@
+--TEST--
+OSS-Fuzz #69765: yield reference to nullsafe chain
+--FILE--
+<?php
+function &test($object) {
+    yield $object->y?->y;
+}
+?>
+--EXPECTF--
+Fatal error: Cannot take reference of a nullsafe chain in %s on line %d

Zend/zend.h

@@ -20,7 +20,7 @@
 #ifndef ZEND_H
 #define ZEND_H
 
-#define ZEND_VERSION "4.2.21"
+#define ZEND_VERSION "4.2.22"
 
 #define ZEND_ENGINE_3
 

Zend/zend_alloc.c

@@ -2470,17 +2470,15 @@ ZEND_API bool is_zend_ptr(const void *ptr)
 		} while (chunk != AG(mm_heap)->main_chunk);
 	}
 
-	if (AG(mm_heap)->huge_list) {
-		zend_mm_huge_list *block = AG(mm_heap)->huge_list;
-
-		do {
-			if (ptr >= (void*)block
-			 && ptr < (void*)((char*)block + block->size)) {
-				return 1;
-			}
-			block = block->next;
-		} while (block != AG(mm_heap)->huge_list);
+	zend_mm_huge_list *block = AG(mm_heap)->huge_list;
+	while (block) {
+		if (ptr >= (void*)block
+				&& ptr < (void*)((char*)block + block->size)) {
+			return 1;
+		}
+		block = block->next;
 	}
+
 	return 0;
 }
 

Zend/zend_compile.c

@@ -2313,6 +2313,13 @@ static bool zend_ast_is_short_circuited(const zend_ast *ast)
 	}
 }
 
+static void zend_assert_not_short_circuited(const zend_ast *ast)
+{
+	if (zend_ast_is_short_circuited(ast)) {
+		zend_error_noreturn(E_COMPILE_ERROR, "Cannot take reference of a nullsafe chain");
+	}
+}
+
 /* Mark nodes that are an inner part of a short-circuiting chain.
  * We should not perform a "commit" on them, as it will be performed by the outer-most node.
  * We do this to avoid passing down an argument in various compile functions. */
@@ -3301,9 +3308,8 @@ static void zend_compile_assign(znode *result, zend_ast *ast) /* {{{ */
 				if (!zend_is_variable_or_call(expr_ast)) {
 					zend_error_noreturn(E_COMPILE_ERROR,
 						"Cannot assign reference to non referenceable value");
-				} else if (zend_ast_is_short_circuited(expr_ast)) {
-					zend_error_noreturn(E_COMPILE_ERROR,
-						"Cannot take reference of a nullsafe chain");
+				} else {
+					zend_assert_not_short_circuited(expr_ast);
 				}
 
 				zend_compile_var(&expr_node, expr_ast, BP_VAR_W, 1);
@@ -3345,9 +3351,7 @@ static void zend_compile_assign_ref(znode *result, zend_ast *ast) /* {{{ */
 		zend_error_noreturn(E_COMPILE_ERROR, "Cannot re-assign $this");
 	}
 	zend_ensure_writable_variable(target_ast);
-	if (zend_ast_is_short_circuited(source_ast)) {
-		zend_error_noreturn(E_COMPILE_ERROR, "Cannot take reference of a nullsafe chain");
-	}
+	zend_assert_not_short_circuited(source_ast);
 	if (is_globals_fetch(source_ast)) {
 		zend_error_noreturn(E_COMPILE_ERROR, "Cannot acquire reference to $GLOBALS");
 	}
@@ -5023,10 +5027,7 @@ static void zend_compile_return(zend_ast *ast) /* {{{ */
 		expr_node.op_type = IS_CONST;
 		ZVAL_NULL(&expr_node.u.constant);
 	} else if (by_ref && zend_is_variable(expr_ast)) {
-		if (zend_ast_is_short_circuited(expr_ast)) {
-			zend_error_noreturn(E_COMPILE_ERROR, "Cannot take reference of a nullsafe chain");
-		}
-
+		zend_assert_not_short_circuited(expr_ast);
 		zend_compile_var(&expr_node, expr_ast, BP_VAR_W, 1);
 	} else {
 		zend_compile_expr(&expr_node, expr_ast);
@@ -9326,6 +9327,7 @@ static void zend_compile_yield(znode *result, zend_ast *ast) /* {{{ */
 
 	if (value_ast) {
 		if (returns_by_ref && zend_is_variable(value_ast)) {
+			zend_assert_not_short_circuited(value_ast);
 			zend_compile_var(&value_node, value_ast, BP_VAR_W, 1);
 		} else {
 			zend_compile_expr(&value_node, value_ast);

Zend/zend_execute.c

@@ -3122,6 +3122,9 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c
 		}
 	}
 
+	/* Pointer on property callback is required */
+	ZEND_ASSERT(zobj->handlers->get_property_ptr_ptr != NULL);
+
 	if (prop_op_type == IS_CONST) {
 		name = Z_STR_P(prop_ptr);
 	} else {