From 11ce662101fedc9b4617672963ce5e31a7ec0309 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Mon, 29 Sep 2025 22:36:15 +0200 Subject: [PATCH 1/5] lexbor: Cherry pick "Core: Reset length in lexbor_str_destroy()" see lexbor/lexbor@1bc9944a19e837a38f5e47462d3e5abf2caa9387 Fixes php/php-src#19979 --- NEWS | 5 ++++- ext/lexbor/lexbor/core/str.c | 1 + ext/uri/tests/gh19979.phpt | 28 ++++++++++++++++++++++++++++ 3 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 ext/uri/tests/gh19979.phpt diff --git a/NEWS b/NEWS index a6749b8ed4040..51c3a3df7ef86 100644 --- a/NEWS +++ b/NEWS @@ -6,7 +6,10 @@ PHP NEWS . Fixed segfault in function JIT due to NAN to bool warning. (Girgias) - URI: - . Fixed Uri\WhatWg\Url::withPort() when an invalid value is passed. (timwolla) + . Fixed Uri\WhatWg\Url::withPort() when an invalid value is passed. + (timwolla) + . Fixed Uri\WhatWg\Url::parse() when resolving a relative URL + against a base URL with query or fragment. (timwolla) - SOAP: . Fixed bug GH-19773 (SIGSEGV due to uninitialized soap_globals->lang_en). diff --git a/ext/lexbor/lexbor/core/str.c b/ext/lexbor/lexbor/core/str.c index d11a08614dd42..bf8fc547d88d0 100644 --- a/ext/lexbor/lexbor/core/str.c +++ b/ext/lexbor/lexbor/core/str.c @@ -80,6 +80,7 @@ lexbor_str_destroy(lexbor_str_t *str, lexbor_mraw_t *mraw, bool destroy_obj) } if (str->data != NULL) { + lexbor_str_clean(str); str->data = lexbor_mraw_free(mraw, str->data); } diff --git a/ext/uri/tests/gh19979.phpt b/ext/uri/tests/gh19979.phpt new file mode 100644 index 0000000000000..982dfb9359434 --- /dev/null +++ b/ext/uri/tests/gh19979.phpt 
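Review bot: The added `lexbor_str_clean(str);` runs only inside the `if (str->data != NULL)` branch, so a string whose data is already NULL but whose length is stale keeps that length after destroy; if that state is reachable, hoisting the call above the `if` would cover it too. The reason for the reset is not recorded in the code, and the commit subject ("Reset length") is the only hint, so a one-line comment would help: `/* Reset length before freeing so a destroyed str never reports a stale length next to data == NULL (GH-19979). */`. This assumes lexbor_str_clean() only resets the length fields; its body is not in the hunk. The rest of lexbor_str_destroy, including the destroy_obj handling, is outside the hunk.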
@@ -0,0 +1,28 @@ +--TEST-- +GH-19979: Zend/zend_string.h:191:24: runtime error: null pointer passed as argument 2, which is declared to never be null +--FILE-- + +--EXPECTF-- +object(Uri\WhatWg\Url)#%d (8) { + ["scheme"]=> + string(5) "https" + ["username"]=> + NULL + ["password"]=> + NULL + ["host"]=> + string(11) "example.com" + ["port"]=> + NULL + ["path"]=> + string(9) "/relative" + ["query"]=> + NULL + ["fragment"]=> + NULL +} From c997212dbfa53947650304f2a86233325c6c66bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Mon, 29 Sep 2025 22:44:39 +0200 Subject: [PATCH 2/5] NEWS: Fix section order --- NEWS | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 51c3a3df7ef86..c21d7801b3ffb 100644 --- a/NEWS +++ b/NEWS @@ -5,16 +5,16 @@ PHP NEWS - Opcache . Fixed segfault in function JIT due to NAN to bool warning. (Girgias) +- SOAP: + . Fixed bug GH-19773 (SIGSEGV due to uninitialized soap_globals->lang_en). + (nielsdos, KaseyJenkins) + - URI: . Fixed Uri\WhatWg\Url::withPort() when an invalid value is passed. (timwolla) . Fixed Uri\WhatWg\Url::parse() when resolving a relative URL against a base URL with query or fragment. (timwolla) -- SOAP: - . Fixed bug GH-19773 (SIGSEGV due to uninitialized soap_globals->lang_en). - (nielsdos, KaseyJenkins) - 25 Sep 2025, PHP 8.5.0RC1 - Core: From 3ee56f68edb2d1c2a3dc3713d499af42f37b00ad Mon Sep 17 00:00:00 2001 From: David Carlier Date: Tue, 23 Sep 2025 19:02:14 +0100 Subject: [PATCH 3/5] Fix GH-19932: Zip::setEncryptionName()/setEncryptionIndex() memory leak. On successive usage, the password is copied as much but the older address is never freed. Thus, we are hinting a password reset to address it. close GH-19936 --- NEWS | 2 ++ ext/zip/php_zip.c | 10 ++++++++++ ext/zip/tests/gh19932.phpt | 25 +++++++++++++++++++++++++ 3 files changed, 37 insertions(+) create mode 100644 ext/zip/tests/gh19932.phpt diff --git a/NEWS b/NEWS index 3955fab9ed22d..26860c58ee94e 100644 
--- a/NEWS +++ b/NEWS @@ -43,6 +43,8 @@ PHP NEWS - Zip: . Fixed bug GH-19688 (Remove pattern overflow in zip addGlob()). (nielsdos) + . Fixed bug GH-19932 (Memory leak in zip setEncryptionName()/setEncryptionIndex()). + (David Carlier) 25 Sep 2025, PHP 8.3.26 diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c index 3613fb0f7ca7a..552d3a7571de5 100644 --- a/ext/zip/php_zip.c +++ b/ext/zip/php_zip.c @@ -2380,6 +2380,11 @@ PHP_METHOD(ZipArchive, setEncryptionName) RETURN_FALSE; } + if (UNEXPECTED(zip_file_set_encryption(intern, idx, ZIP_EM_NONE, NULL) < 0)) { + php_error_docref(NULL, E_WARNING, "password reset failed"); + RETURN_FALSE; + } + if (zip_file_set_encryption(intern, idx, (zip_uint16_t)method, password)) { RETURN_FALSE; } @@ -2403,6 +2408,11 @@ PHP_METHOD(ZipArchive, setEncryptionIndex) ZIP_FROM_OBJECT(intern, self); + if (UNEXPECTED(zip_file_set_encryption(intern, index, ZIP_EM_NONE, NULL) < 0)) { + php_error_docref(NULL, E_WARNING, "password reset failed"); + RETURN_FALSE; + } + if (zip_file_set_encryption(intern, index, (zip_uint16_t)method, password)) { RETURN_FALSE; } diff --git a/ext/zip/tests/gh19932.phpt b/ext/zip/tests/gh19932.phpt new file mode 100644 index 0000000000000..760fa1c9e766d --- /dev/null +++ b/ext/zip/tests/gh19932.phpt @@ -0,0 +1,25 @@ +--TEST-- +GH-19932 (ZipArchive::setEncryptionName()/setEncryptionIndex() memory leak) +--EXTENSIONS-- +zip +--SKIPIF-- + +--FILE-- +open(__DIR__ . "/gh19932.zip", ZipArchive::CREATE); +$zip->addFromString("test.txt", "test"); +$zip->setEncryptionName("test.txt", ZipArchive::EM_AES_256, "password"); +$zip->setEncryptionName("test.txt", ZipArchive::EM_AES_256, "password"); +$zip->setEncryptionIndex("0", ZipArchive::EM_AES_256, "password"); +$zip->setEncryptionIndex("0", ZipArchive::EM_AES_256, "password"); +$zip->close(); +echo "OK"; +?> +--CLEAN-- + +--EXPECT-- +OK + From 93bac8cb1a7230ac9d34a7cb8f392aeaa621723d Mon Sep 17 00:00:00 2001 
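Review bot: The reset added in both hunks (setEncryptionName at `@@ -2380` and setEncryptionIndex at `@@ -2403`) clears the entry's encryption before the real `zip_file_set_encryption()` call, so when that second call fails the entry presumably stays at ZIP_EM_NONE instead of its previous setting while the method just returns false; that consequence deserves a comment, e.g. `/* Clear the pending encryption first so libzip frees its copy of the old password (GH-19932); if the call below fails the entry is left unencrypted. */`. The two error paths also follow different conventions: the reset warns with `E_WARNING "password reset failed"` and checks `< 0`, whereas the following failure is silent and checks non-zero. Since the five added lines are identical in both methods, a static helper taking `intern` and the index would keep the reset logic in one place. Both PHP_METHOD bodies start outside the hunks.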
From: David Carlier Date: Mon, 22 Sep 2025 19:02:46 +0100 Subject: [PATCH 4/5] Fix GH-19922: gzopen() double free close GH-19924 --- NEWS | 3 +++ ext/zlib/tests/gh19922.phpt | 12 ++++++++++++ main/streams/streams.c | 9 +-------- 3 files changed, 16 insertions(+), 8 deletions(-) create mode 100644 ext/zlib/tests/gh19922.phpt diff --git a/NEWS b/NEWS index 26860c58ee94e..a7f5149c5e215 100644 --- a/NEWS +++ b/NEWS @@ -46,6 +46,9 @@ PHP NEWS . Fixed bug GH-19932 (Memory leak in zip setEncryptionName()/setEncryptionIndex()). (David Carlier) +- Zlib: + . Fixed bug GH-19922 (Double free on gzopen). (David Carlier) + 25 Sep 2025, PHP 8.3.26 - Core: diff --git a/ext/zlib/tests/gh19922.phpt b/ext/zlib/tests/gh19922.phpt new file mode 100644 index 0000000000000..71644512e6656 --- /dev/null +++ b/ext/zlib/tests/gh19922.phpt @@ -0,0 +1,12 @@ +--TEST-- +GH-19922 (gzopen double free on debug build and unseekable stream) +--EXTENSIONS-- +zlib +--FILE-- + +--EXPECTF-- + +Warning: gzopen(php://output): could not make seekable - php://output in %s on line %d +bool(false) diff --git a/main/streams/streams.c b/main/streams/streams.c index 7a1b521108257..6dc073cd0baa3 100644 --- a/main/streams/streams.c +++ b/main/streams/streams.c @@ -2219,7 +2219,6 @@ PHPAPI php_stream *_php_stream_open_wrapper_ex(const char *path, const char *mod int persistent = options & STREAM_OPEN_PERSISTENT; zend_string *path_str = NULL; zend_string *resolved_path = NULL; - char *copy_of_path = NULL; if (opened_path) { if (options & STREAM_OPEN_FOR_ZEND_STREAM) { 
@@ -2296,8 +2295,7 @@ PHPAPI php_stream *_php_stream_open_wrapper_ex(const char *path, const char *mod if (stream->orig_path) { pefree(stream->orig_path, persistent); } - copy_of_path = pestrdup(path, persistent); - stream->orig_path = copy_of_path; + stream->orig_path = pestrdup(path, persistent); #if ZEND_DEBUG stream->open_filename = __zend_orig_filename ? __zend_orig_filename : __zend_filename; stream->open_lineno = __zend_orig_lineno ? __zend_orig_lineno : __zend_lineno; @@ -2356,11 +2354,6 @@ PHPAPI php_stream *_php_stream_open_wrapper_ex(const char *path, const char *mod } } php_stream_tidy_wrapper_error_log(wrapper); -#if ZEND_DEBUG - if (stream == NULL && copy_of_path != NULL) { - pefree(copy_of_path, persistent); - } -#endif if (resolved_path) { zend_string_release_ex(resolved_path, 0); } From e029f8f45b6d3f1a468d5e8d476e99c01fffdada Mon Sep 17 00:00:00 2001 From: David Carlier Date: Thu, 25 Sep 2025 19:49:38 +0100 Subject: [PATCH 5/5] Fix GH-19955: imagefttext() memory leak close GH-19968 --- NEWS | 3 +++ ext/gd/libgd/gdkanji.c | 2 ++ ext/gd/tests/gh19955.phpt | 15 +++++++++++++++ 3 files changed, 20 insertions(+) create mode 100644 ext/gd/tests/gh19955.phpt diff --git a/NEWS b/NEWS index a7f5149c5e215..58d9ebc69ad07 100644 --- a/NEWS +++ b/NEWS @@ -27,6 +27,9 @@ PHP NEWS - DBA: . Fixed GH-19885 (dba_fetch() overflow on skip argument). (David Carlier) +- GD: + . FIxed GH-19955 (imagefttext() memory leak). (David Carlier) + - SimpleXML: . Fixed bug GH-19988 (zend_string_init with NULL pointer in simplexml (UB)). (nielsdos) diff --git a/ext/gd/libgd/gdkanji.c b/ext/gd/libgd/gdkanji.c index 21bc2280982a8..ef769f89badda 100644 --- a/ext/gd/libgd/gdkanji.c +++ b/ext/gd/libgd/gdkanji.c @@ -368,6 +368,8 @@ do_convert (unsigned char *to, unsigned char *from, const char *code) else error ("something happen"); strcpy ((char *) to, (const char *) from); + if (iconv_close (cd) != 0) + error ("iconv_close() error"); return; } 
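Review bot: With the ZEND_DEBUG-only `pefree(copy_of_path, persistent)` removed in the third hunk (`@@ -2356`) and the temporary dropped in the first hunk (`@@ -2219`, on the previous line), `stream->orig_path` is now the sole holder of the duplicated path, so its release on the open-failure path has to come from whatever frees the stream there, which is outside these hunks and worth stating at the assignment: `/* Owned by the stream and released with it, also when opening fails; no separate cleanup (GH-19922). */`. The `pefree(stream->orig_path, persistent)` just above already handles a previously set value, so the single-line `stream->orig_path = pestrdup(path, persistent);` is the right shape. _php_stream_open_wrapper_ex starts and ends outside the hunks.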
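Review bot: The new `iconv_close (cd)` sits only on this return path, after the `strcpy`; any other exit from do_convert between the `iconv_open` and this point (both outside the hunk) would still leak the descriptor, so if such exits exist a single cleanup label reached by every path would be more robust. `error()`'s behaviour is not visible here; if it does not terminate, the `else error ("something happen");` branch also falls through to the close, which is fine but worth confirming. A short comment such as `/* pair with the iconv_open above (GH-19955) */` would make the ownership visible. The unbounded `strcpy ((char *) to, (const char *) from)` on the line above is pre-existing, and whether `to` is sized for `from` cannot be seen from the hunk. The NEWS entry in this patch also reads `FIxed GH-19955`.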
diff --git a/ext/gd/tests/gh19955.phpt b/ext/gd/tests/gh19955.phpt new file mode 100644 index 0000000000000..a4b58e403cf40 --- /dev/null +++ b/ext/gd/tests/gh19955.phpt @@ -0,0 +1,15 @@ +--TEST-- +GH-19955: (imagefttext() memory leak) +--EXTENSIONS-- +gd +--CREDITS-- +YuanchengJiang +--FILE-- + +--EXPECT-- +OK