Merge branch 'master' into closure-in-cost-expr

Author: TimWolla

Zend/tests/gh16799.phpt

@@ -0,0 +1,21 @@
+--TEST--
+GH-16799 (Assertion failure at Zend/zend_vm_execute.h)
+--FILE--
+<?php
+set_error_handler(function($_, $m) { throw new Exception($m); });
+class Test {
+    static function test() {
+        call_user_func("static::ok");
+    }
+    static function ok() {
+    }
+}
+Test::test();
+?>
+--EXPECTF--
+Fatal error: Uncaught Exception: Use of "static" in callables is deprecated in %s:%d
+Stack trace:
+#0 %s(%d): {closure:%s:%d}(8192, 'Use of "static"...', %s, %d)
+#1 %s(%d): Test::test()
+#2 {main}
+  thrown in %s on line %d

Zend/zend_vm_def.h

@@ -3918,6 +3918,16 @@ ZEND_VM_HANDLER(118, ZEND_INIT_USER_CALL, CONST, CONST|TMPVAR|CV, NUM)
 	function_name = GET_OP2_ZVAL_PTR(BP_VAR_R);
 	if (zend_is_callable_ex(function_name, NULL, 0, NULL, &fcc, &error)) {
 		ZEND_ASSERT(!error);
+
+		/* Deprecation can be emitted from zend_is_callable_ex(), which can
+		 * invoke a user error handler and throw an exception.
+		 * For the CONST and CV case we reuse the same exception block below
+		 * to make sure we don't increase VM size too much. */
+		if (!(OP2_TYPE & (IS_TMP_VAR|IS_VAR)) && UNEXPECTED(EG(exception))) {
+			FREE_OP2();
+			HANDLE_EXCEPTION();
+		}
+
 		func = fcc.function_handler;
 		object_or_called_scope = fcc.called_scope;
 		if (func->common.fn_flags & ZEND_ACC_CLOSURE) {

Zend/zend_vm_execute.h

@@ -162,6 +162,11 @@ void SdnToGregorian(
 
 	/* Calculate the year and day of year (1 <= dayOfYear <= 366). */
 	temp = ((temp % DAYS_PER_400_YEARS) / 4) * 4 + 3;
+
+	if (century > ((INT_MAX / 100) - (temp / DAYS_PER_4_YEARS))) {
+		goto fail;
+	}
+
 	year = (century * 100) + (temp / DAYS_PER_4_YEARS);
 	dayOfYear = (temp % DAYS_PER_4_YEARS) / 4 + 1;
 

ext/calendar/gregor.c

@@ -0,0 +1,31 @@
+--TEST--
+GH-16834 (cal_from_jd from julian_day argument)
+--EXTENSIONS--
+calendar
+--SKIPIF--
+<?php if (PHP_INT_SIZE != 8) die("skip for 64bit platforms only"); ?>
+--FILE--
+<?php
+var_dump(cal_from_jd(076545676543223, CAL_GREGORIAN));
+?>
+--EXPECTF--
+array(9) {
+  ["date"]=>
+  string(5) "0/0/0"
+  ["month"]=>
+  int(0)
+  ["day"]=>
+  int(0)
+  ["year"]=>
+  int(0)
+  ["dow"]=>
+  int(%d)
+  ["abbrevdayname"]=>
+  string(3) "%s"
+  ["dayname"]=>
+  string(9) "%s"
+  ["abbrevmonth"]=>
+  string(0) ""
+  ["monthname"]=>
+  string(0) ""
+}

ext/calendar/tests/gh16834.phpt

@@ -3,24 +3,13 @@
 ARG_WITH("curl", "cURL support", "no");
 
 if (PHP_CURL != "no") {
-	var ver_num = NaN;
-	var f = PHP_PHP_BUILD + "/include/curl/curlver.h";
-	if (FSO.FileExists(f)) {
-		var reg = /LIBCURL_VERSION_NUM\s+(0x[a-z0-9]+)/gi;
-		var m = reg.exec(file_get_contents(PHP_PHP_BUILD + "/include/curl/curlver.h"));
-		if (!!m && m.length >= 2) {
-			ver_num = parseInt(m[1]);
-		}
-	}
-
 	if (CHECK_LIB("libcurl_a.lib;libcurl.lib", "curl", PHP_CURL) &&
 		CHECK_HEADER_ADD_INCLUDE("curl/easy.h", "CFLAGS_CURL") &&
 		SETUP_OPENSSL("curl", PHP_CURL) >= 2 &&
 		CHECK_LIB("winmm.lib", "curl", PHP_CURL) &&
 		CHECK_LIB("wldap32.lib", "curl", PHP_CURL) &&
 		(((PHP_ZLIB=="no") && (CHECK_LIB("zlib_a.lib;zlib.lib", "curl", PHP_CURL))) ||
 			(PHP_ZLIB_SHARED && CHECK_LIB("zlib.lib", "curl", PHP_CURL)) || (PHP_ZLIB == "yes" && (!PHP_ZLIB_SHARED))) &&
-		!isNaN(ver_num) &&
 		(CHECK_LIB("normaliz.lib", "curl", PHP_CURL) &&
 		 CHECK_LIB("libssh2.lib", "curl", PHP_CURL) &&
 		 CHECK_LIB("nghttp2.lib", "curl", PHP_CURL))

ext/curl/config.w32

@@ -1936,7 +1936,10 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
 			zend_string *str = zval_get_tmp_string(zvalue, &tmp_str);
 #if LIBCURL_VERSION_NUM >= 0x075500 /* Available since 7.85.0 */
 			if ((option == CURLOPT_PROTOCOLS_STR || option == CURLOPT_REDIR_PROTOCOLS_STR) &&
-				(PG(open_basedir) && *PG(open_basedir)) && php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL) {
+				(PG(open_basedir) && *PG(open_basedir))
+					&& (php_memnistr(ZSTR_VAL(str), "file", sizeof("file") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL
+					 || php_memnistr(ZSTR_VAL(str), "all", sizeof("all") - 1, ZSTR_VAL(str) + ZSTR_LEN(str)) != NULL)) {
+					zend_tmp_string_release(tmp_str);
 					php_error_docref(NULL, E_WARNING, "The FILE protocol cannot be activated when an open_basedir is set");
 					return FAILURE;
 			}

ext/curl/interface.c

@@ -0,0 +1,31 @@
+--TEST--
+GH-16802 (open_basedir bypass using curl extension)
+--EXTENSIONS--
+curl
+--SKIPIF--
+<?php
+$curl_version = curl_version();
+if ($curl_version['version_number'] < 0x075500) {
+    die("skip: blob options not supported for curl < 7.85.0");
+}
+?>
+--INI--
+open_basedir=/nowhere
+--FILE--
+<?php
+$ch = curl_init("file:///etc/passwd");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "ftp,all");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all,ftp");
+curl_setopt($ch, CURLOPT_PROTOCOLS_STR, "all,file,ftp");
+var_dump(curl_exec($ch));
+?>
+--EXPECTF--
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+
+Warning: curl_setopt(): The FILE protocol cannot be activated when an open_basedir is set in %s on line %d
+bool(false)

ext/curl/tests/gh16802.phpt

@@ -906,6 +906,7 @@ static void dom_node_insert_before_legacy(zval *return_value, zval *ref, dom_obj
 	}
 
 	if (child->doc == NULL && parentp->doc != NULL) {
+		xmlSetTreeDoc(child, parentp->doc);
 		dom_set_document_ref_pointers(child, intern->document);
 	}
 
@@ -1212,6 +1213,7 @@ static void dom_node_replace_child(INTERNAL_FUNCTION_PARAMETERS, bool modern)
 	}
 
 	if (newchild->doc == NULL && nodep->doc != NULL) {
+		xmlSetTreeDoc(newchild, nodep->doc);
 		dom_set_document_ref_pointers(newchild, intern->document);
 	}
 
@@ -1320,6 +1322,7 @@ static void dom_node_append_child_legacy(zval *return_value, dom_object *intern,
 	}
 
 	if (child->doc == NULL && nodep->doc != NULL) {
+		xmlSetTreeDoc(child, nodep->doc);
 		dom_set_document_ref_pointers(child, intern->document);
 	}
 
@@ -2412,7 +2415,7 @@ PHP_METHOD(DOMNode, getRootNode)
 }
 /* }}} */
 
-/* {{{ URL: https://dom.spec.whatwg.org/#dom-node-comparedocumentposition (last check date 2023-07-24)
+/* {{{ URL: https://dom.spec.whatwg.org/#dom-node-comparedocumentposition (last check date 2024-11-17)
 Since:
 */
 

ext/dom/node.c

@@ -0,0 +1,24 @@
+--TEST--
+GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$text = new DOMText('my value');
+$doc = new DOMDocument();
+$doc->appendChild($text);
+$text->__construct('my new value');
+$doc->appendChild($text);
+echo $doc->saveXML();
+$dom2 = new DOMDocument();
+try {
+    $dom2->appendChild($text);
+} catch (DOMException $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+<?xml version="1.0"?>
+my value
+my new value
+Wrong Document Error