From 3b4f2b079859fc0133dbcd3759f6f085bc8a823e Mon Sep 17 00:00:00 2001 From: David Carlier Date: Wed, 25 Jun 2025 22:33:21 +0100 Subject: [PATCH 1/8] ext/posix: posix_kill() process_id range check. pid_t is, for the most part, represented by a signed int, by overflowing it, we end up being in the -1 case which affect all accessible processes. close GH-18944 --- NEWS | 4 ++++ UPGRADING | 4 ++++ ext/posix/posix.c | 18 ++++++++++++++++ ext/posix/tests/posix_kill_pidoverflow.phpt | 24 +++++++++++++++++++++ ext/posix/tests/posix_setpgid_error.phpt | 22 +++++++++++++++++++ 5 files changed, 72 insertions(+) create mode 100644 ext/posix/tests/posix_kill_pidoverflow.phpt create mode 100644 ext/posix/tests/posix_setpgid_error.phpt diff --git a/NEWS b/NEWS index 20e64c5911967..a5dd9a40d4d23 100644 --- a/NEWS +++ b/NEWS @@ -28,6 +28,10 @@ PHP NEWS . Add $digest_algo parameter to openssl_public_encrypt() and openssl_private_decrypt() functions. (Jakub Zelenka) +- POSIX: + . posix_kill and posix_setpgid throws a ValueError on invalid process_id. + (David Carlier) + - Reflection: . Fixed bug GH-19187 (ReflectionNamedType::getName() prints nullable type when retrieved from ReflectionProperty::getSettableType()). (ilutov) diff --git a/UPGRADING b/UPGRADING index 2646da15b0a6f..f18575e854a9e 100644 --- a/UPGRADING +++ b/UPGRADING @@ -381,6 +381,10 @@ PHP 8.5 UPGRADE NOTES an invalid file descriptor. . posix_fpathconf checks invalid file descriptors and sets last_error to EBADF and raises an E_WARNING message. + . posix_kill throws a ValueError when the process_id argument is lower + or greater than what supports the platform (signed integer or long + range), posix_setpgid throws a ValueError when the process_id is + lower than zero or greater than what supports the platform. - Reflection: . The output of ReflectionClass::toString() for enums has changed to diff --git a/ext/posix/posix.c b/ext/posix/posix.c index 512776d3ced20..a418a65338616 100644 --- a/ext/posix/posix.c +++ b/ext/posix/posix.c @@ -45,6 +45,14 @@ # include #endif +#if (defined(__sun) && !defined(_LP64)) || defined(_AIX) +#define POSIX_PID_MIN LONG_MIN +#define POSIX_PID_MAX LONG_MAX +#else +#define POSIX_PID_MIN INT_MIN +#define POSIX_PID_MAX INT_MAX +#endif + #include "posix_arginfo.h" ZEND_DECLARE_MODULE_GLOBALS(posix) @@ -118,6 +126,12 @@ ZEND_GET_MODULE(posix) } \ RETURN_TRUE; +#define PHP_POSIX_CHECK_PID(pid, lower, upper) \ + if (pid < lower || pid > upper) { \ + zend_argument_value_error(1, "must be between " ZEND_LONG_FMT " and " ZEND_LONG_FMT, lower, upper); \ + RETURN_THROWS(); \ + } + /* {{{ Send a signal to a process (POSIX.1, 3.3.2) */ PHP_FUNCTION(posix_kill) @@ -129,6 +143,8 @@ PHP_FUNCTION(posix_kill) Z_PARAM_LONG(sig) ZEND_PARSE_PARAMETERS_END(); + PHP_POSIX_CHECK_PID(pid, POSIX_PID_MIN, POSIX_PID_MAX) + if (kill(pid, sig) < 0) { POSIX_G(last_error) = errno; RETURN_FALSE; @@ -291,6 +307,8 @@ PHP_FUNCTION(posix_setpgid) Z_PARAM_LONG(pgid) ZEND_PARSE_PARAMETERS_END(); + PHP_POSIX_CHECK_PID(pid, 0, POSIX_PID_MAX) + if (setpgid(pid, pgid) < 0) { POSIX_G(last_error) = errno; RETURN_FALSE; diff --git a/ext/posix/tests/posix_kill_pidoverflow.phpt b/ext/posix/tests/posix_kill_pidoverflow.phpt new file mode 100644 index 0000000000000..d86b8c4da3bb2 --- /dev/null +++ b/ext/posix/tests/posix_kill_pidoverflow.phpt @@ -0,0 +1,24 @@ +--TEST-- +posix_kill() with large pid +--EXTENSIONS-- +posix +--SKIPIF-- + +--FILE-- +getMessage(), PHP_EOL; +} + +try { + posix_kill(PHP_INT_MIN, SIGTERM); +} catch (\ValueError $e) { + echo $e->getMessage(), PHP_EOL; +} +?> +--EXPECTF-- +posix_kill(): Argument #1 ($process_id) must be between %i and %d +posix_kill(): Argument #1 ($process_id) must be between %i and %d diff --git a/ext/posix/tests/posix_setpgid_error.phpt b/ext/posix/tests/posix_setpgid_error.phpt new file mode 100644 index 0000000000000..89cc45306e12e --- /dev/null +++ b/ext/posix/tests/posix_setpgid_error.phpt @@ -0,0 +1,22 @@ +--TEST-- +posix_setpgid() with wrong pid values +--EXTENSIONS-- +posix +--SKIPIF-- + +--FILE-- +getMessage(), PHP_EOL; +} +try { + posix_setpgid(-2, 1); +} catch (\ValueError $e) { + echo $e->getMessage(), PHP_EOL; +} +?> +--EXPECTF-- +posix_setpgid(): Argument #1 ($process_id) must be between 0 and %d +posix_setpgid(): Argument #1 ($process_id) must be between 0 and %d From e897621be9f10c017adc866ef22d6efec9070627 Mon Sep 17 00:00:00 2001 From: Gina Peter Banyard Date: Fri, 18 Jul 2025 18:04:57 +0100 Subject: [PATCH 2/8] ext/sysvshm: shm_detach() always returns true --- ext/sysvshm/sysvshm.stub.php | 2 +- ext/sysvshm/sysvshm_arginfo.h | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ext/sysvshm/sysvshm.stub.php b/ext/sysvshm/sysvshm.stub.php index 4b6770063a31e..c89f67bc068ac 100644 --- a/ext/sysvshm/sysvshm.stub.php +++ b/ext/sysvshm/sysvshm.stub.php @@ -12,7 +12,7 @@ final class SysvSharedMemory function shm_attach(int $key, ?int $size = null, int $permissions = 0666): SysvSharedMemory|false {} -function shm_detach(SysvSharedMemory $shm): bool {} +function shm_detach(SysvSharedMemory $shm): true {} function shm_has_var(SysvSharedMemory $shm, int $key): bool {} diff --git a/ext/sysvshm/sysvshm_arginfo.h b/ext/sysvshm/sysvshm_arginfo.h index bca40b0e0944d..c3b803c37aea6 100644 --- a/ext/sysvshm/sysvshm_arginfo.h +++ b/ext/sysvshm/sysvshm_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: 93677b78d9aaa4d6dbb5d1dcf3e79a8418add5c0 */ + * Stub hash: 792c695a705678a3779d62cef8a5136069f98dee */ ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_shm_attach, 0, 1, SysvSharedMemory, MAY_BE_FALSE) ZEND_ARG_TYPE_INFO(0, key, IS_LONG, 0) @@ -7,7 +7,7 @@ ZEND_BEGIN_ARG_WITH_RETURN_OBJ_TYPE_MASK_EX(arginfo_shm_attach, 0, 1, SysvShared ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, permissions, IS_LONG, 0, "0666") ZEND_END_ARG_INFO() -ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_shm_detach, 0, 1, _IS_BOOL, 0) +ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_shm_detach, 0, 1, IS_TRUE, 0) ZEND_ARG_OBJ_INFO(0, shm, SysvSharedMemory, 0) ZEND_END_ARG_INFO() @@ -16,7 +16,9 @@ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_shm_has_var, 0, 2, _IS_BOOL, 0) ZEND_ARG_TYPE_INFO(0, key, IS_LONG, 0) ZEND_END_ARG_INFO() -#define arginfo_shm_remove arginfo_shm_detach +ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_shm_remove, 0, 1, _IS_BOOL, 0) + ZEND_ARG_OBJ_INFO(0, shm, SysvSharedMemory, 0) +ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_shm_put_var, 0, 3, _IS_BOOL, 0) ZEND_ARG_OBJ_INFO(0, shm, SysvSharedMemory, 0) From 4844c7a92fc2826c121a1c4c634b93858269788d Mon Sep 17 00:00:00 2001 From: Gina Peter Banyard Date: Fri, 18 Jul 2025 18:05:38 +0100 Subject: [PATCH 3/8] ext/sysvshm: voidify php_remove_shm_data() --- ext/sysvshm/sysvshm.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/ext/sysvshm/sysvshm.c b/ext/sysvshm/sysvshm.c index 332a8b47af1b6..f610317849393 100644 --- a/ext/sysvshm/sysvshm.c +++ b/ext/sysvshm/sysvshm.c @@ -92,7 +92,7 @@ sysvshm_module php_sysvshm; static int php_put_shm_data(sysvshm_chunk_head *ptr, zend_long key, const char *data, zend_long len); static zend_long php_check_shm_data(sysvshm_chunk_head *ptr, zend_long key); -static int php_remove_shm_data(sysvshm_chunk_head *ptr, zend_long shm_varpos); +static void php_remove_shm_data(sysvshm_chunk_head *ptr, zend_long shm_varpos); /* {{{ PHP_MINIT_FUNCTION */ PHP_MINIT_FUNCTION(sysvshm) @@ -423,8 +423,7 @@ static zend_long php_check_shm_data(sysvshm_chunk_head *ptr, zend_long key) } /* }}} */ -/* {{{ php_remove_shm_data */ -static int php_remove_shm_data(sysvshm_chunk_head *ptr, zend_long shm_varpos) +static void php_remove_shm_data(sysvshm_chunk_head *ptr, zend_long shm_varpos) { sysvshm_chunk *chunk_ptr, *next_chunk_ptr; zend_long memcpy_len; @@ -440,8 +439,6 @@ static int php_remove_shm_data(sysvshm_chunk_head *ptr, zend_long shm_varpos) if (memcpy_len > 0) { memmove(chunk_ptr, next_chunk_ptr, memcpy_len); } - return 0; } -/* }}} */ #endif /* HAVE_SYSVSHM */ From 6154fac64da2ae3321ca8279cd5168404c1966a5 Mon Sep 17 00:00:00 2001 From: Gina Peter Banyard Date: Fri, 18 Jul 2025 18:09:53 +0100 Subject: [PATCH 4/8] ext/sysvshm: refactor php_put_shm_data() --- ext/sysvshm/sysvshm.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/ext/sysvshm/sysvshm.c b/ext/sysvshm/sysvshm.c index f610317849393..afd02e411bdaa 100644 --- a/ext/sysvshm/sysvshm.c +++ b/ext/sysvshm/sysvshm.c @@ -90,7 +90,7 @@ ZEND_GET_MODULE(sysvshm) /* TODO: Make this thread-safe. */ sysvshm_module php_sysvshm; -static int php_put_shm_data(sysvshm_chunk_head *ptr, zend_long key, const char *data, zend_long len); +static bool php_put_shm_data(sysvshm_chunk_head *ptr, zend_long key, const zend_string *data); static zend_long php_check_shm_data(sysvshm_chunk_head *ptr, zend_long key); static void php_remove_shm_data(sysvshm_chunk_head *ptr, zend_long shm_varpos); @@ -235,7 +235,6 @@ PHP_FUNCTION(shm_remove) PHP_FUNCTION(shm_put_var) { zval *shm_id, *arg_var; - int ret; zend_long shm_key; sysvshm_shm *shm_list_ptr; smart_str shm_var = {0}; @@ -262,13 +261,15 @@ PHP_FUNCTION(shm_put_var) RETURN_THROWS(); } + ZEND_ASSERT(shm_var.s != NULL); + /* insert serialized variable into shared memory */ - ret = php_put_shm_data(shm_list_ptr->ptr, shm_key, shm_var.s? ZSTR_VAL(shm_var.s) : NULL, shm_var.s? ZSTR_LEN(shm_var.s) : 0); + bool ret = php_put_shm_data(shm_list_ptr->ptr, shm_key, shm_var.s); /* free string */ smart_str_free(&shm_var); - if (ret == -1) { + if (!ret) { php_error_docref(NULL, E_WARNING, "Not enough shared memory left"); RETURN_FALSE; } @@ -366,32 +367,31 @@ PHP_FUNCTION(shm_remove_var) } /* }}} */ -/* {{{ php_put_shm_data +/* {{{ * inserts an ascii-string into shared memory */ -static int php_put_shm_data(sysvshm_chunk_head *ptr, zend_long key, const char *data, zend_long len) +static bool php_put_shm_data(sysvshm_chunk_head *ptr, zend_long key, const zend_string *data) { sysvshm_chunk *shm_var; - zend_long total_size; zend_long shm_varpos; - total_size = ((zend_long) (len + sizeof(sysvshm_chunk) - 1) / sizeof(zend_long)) * sizeof(zend_long) + sizeof(zend_long); /* zend_long alligment */ + size_t total_size = ((zend_long) (ZSTR_LEN(data) + sizeof(sysvshm_chunk) - 1) / sizeof(zend_long)) * sizeof(zend_long) + sizeof(zend_long); /* zend_long alligment */ if ((shm_varpos = php_check_shm_data(ptr, key)) > 0) { php_remove_shm_data(ptr, shm_varpos); } if (ptr->free < total_size) { - return -1; /* not enough memory */ + return false; /* not enough memory */ } shm_var = (sysvshm_chunk *) ((char *) ptr + ptr->end); shm_var->key = key; - shm_var->length = len; + shm_var->length = ZSTR_LEN(data); shm_var->next = total_size; - memcpy(&(shm_var->mem), data, len); + memcpy(&(shm_var->mem), ZSTR_VAL(data), ZSTR_LEN(data)); ptr->end += total_size; ptr->free -= total_size; - return 0; + return true; } /* }}} */ From bac158c80dab2a924e743b807a6c5260e8182430 Mon Sep 17 00:00:00 2001 From: Gina Peter Banyard Date: Fri, 18 Jul 2025 18:21:41 +0100 Subject: [PATCH 5/8] ext/sysvshm: use size_t and ssize_t instead of zend_long --- ext/sysvshm/php_sysvshm.h | 12 ++++++------ ext/sysvshm/sysvshm.c | 29 ++++++++++++----------------- 2 files changed, 18 insertions(+), 23 deletions(-) diff --git a/ext/sysvshm/php_sysvshm.h b/ext/sysvshm/php_sysvshm.h index e11caa6c61b3b..9576349e06d8e 100644 --- a/ext/sysvshm/php_sysvshm.h +++ b/ext/sysvshm/php_sysvshm.h @@ -41,17 +41,17 @@ typedef struct { typedef struct { zend_long key; - zend_long length; - zend_long next; + size_t length; + size_t next; char mem; } sysvshm_chunk; typedef struct { char magic[8]; - zend_long start; - zend_long end; - zend_long free; - zend_long total; + size_t start; + size_t end; + size_t free; + size_t total; } sysvshm_chunk_head; typedef struct { diff --git a/ext/sysvshm/sysvshm.c b/ext/sysvshm/sysvshm.c index afd02e411bdaa..ff80d30012dae 100644 --- a/ext/sysvshm/sysvshm.c +++ b/ext/sysvshm/sysvshm.c @@ -91,8 +91,8 @@ ZEND_GET_MODULE(sysvshm) sysvshm_module php_sysvshm; static bool php_put_shm_data(sysvshm_chunk_head *ptr, zend_long key, const zend_string *data); -static zend_long php_check_shm_data(sysvshm_chunk_head *ptr, zend_long key); -static void php_remove_shm_data(sysvshm_chunk_head *ptr, zend_long shm_varpos); +static ssize_t php_check_shm_data(sysvshm_chunk_head *ptr, zend_long key); +static void php_remove_shm_data(sysvshm_chunk_head *ptr, size_t shm_varpos); /* {{{ PHP_MINIT_FUNCTION */ PHP_MINIT_FUNCTION(sysvshm) @@ -284,7 +284,6 @@ PHP_FUNCTION(shm_get_var) zend_long shm_key; sysvshm_shm *shm_list_ptr; char *shm_data; - zend_long shm_varpos; sysvshm_chunk *shm_var; php_unserialize_data_t var_hash; @@ -300,9 +299,9 @@ PHP_FUNCTION(shm_get_var) /* setup string-variable and serialize */ /* get serialized variable from shared memory */ - shm_varpos = php_check_shm_data(shm_list_ptr->ptr, shm_key); + ssize_t shm_varpos = php_check_shm_data(shm_list_ptr->ptr, shm_key); - if (shm_varpos < 0) { + if (shm_varpos == -1) { php_error_docref(NULL, E_WARNING, "Variable key " ZEND_LONG_FMT " doesn't exist", shm_key); RETURN_FALSE; } @@ -343,7 +342,7 @@ PHP_FUNCTION(shm_has_var) PHP_FUNCTION(shm_remove_var) { zval *shm_id; - zend_long shm_key, shm_varpos; + zend_long shm_key; sysvshm_shm *shm_list_ptr; if (SUCCESS != zend_parse_parameters(ZEND_NUM_ARGS(), "Ol", &shm_id, sysvshm_ce, &shm_key)) { @@ -356,9 +355,9 @@ PHP_FUNCTION(shm_remove_var) RETURN_THROWS(); } - shm_varpos = php_check_shm_data(shm_list_ptr->ptr, shm_key); + ssize_t shm_varpos = php_check_shm_data(shm_list_ptr->ptr, shm_key); - if (shm_varpos < 0) { + if (shm_varpos == -1) { php_error_docref(NULL, E_WARNING, "Variable key " ZEND_LONG_FMT " doesn't exist", shm_key); RETURN_FALSE; } @@ -372,7 +371,7 @@ PHP_FUNCTION(shm_remove_var) static bool php_put_shm_data(sysvshm_chunk_head *ptr, zend_long key, const zend_string *data) { sysvshm_chunk *shm_var; - zend_long shm_varpos; + ssize_t shm_varpos; size_t total_size = ((zend_long) (ZSTR_LEN(data) + sizeof(sysvshm_chunk) - 1) / sizeof(zend_long)) * sizeof(zend_long) + sizeof(zend_long); /* zend_long alligment */ @@ -395,15 +394,13 @@ static bool php_put_shm_data(sysvshm_chunk_head *ptr, zend_long key, const zend_ } /* }}} */ -/* {{{ php_check_shm_data */ -static zend_long php_check_shm_data(sysvshm_chunk_head *ptr, zend_long key) +static ssize_t php_check_shm_data(sysvshm_chunk_head *ptr, zend_long key) { - zend_long pos; sysvshm_chunk *shm_var; ZEND_ASSERT(ptr); - pos = ptr->start; + size_t pos = ptr->start; for (;;) { if (pos >= ptr->end) { @@ -421,19 +418,17 @@ static zend_long php_check_shm_data(sysvshm_chunk_head *ptr, zend_long key) } return -1; } -/* }}} */ -static void php_remove_shm_data(sysvshm_chunk_head *ptr, zend_long shm_varpos) +static void php_remove_shm_data(sysvshm_chunk_head *ptr, size_t shm_varpos) { sysvshm_chunk *chunk_ptr, *next_chunk_ptr; - zend_long memcpy_len; ZEND_ASSERT(ptr); chunk_ptr = (sysvshm_chunk *) ((char *) ptr + shm_varpos); next_chunk_ptr = (sysvshm_chunk *) ((char *) ptr + shm_varpos + chunk_ptr->next); - memcpy_len = ptr->end-shm_varpos - chunk_ptr->next; + size_t memcpy_len = ptr->end-shm_varpos - chunk_ptr->next; ptr->free += chunk_ptr->next; ptr->end -= chunk_ptr->next; if (memcpy_len > 0) { From 87d83d162db3fd6b3dd0fbc8ff6d31d902fb107b Mon Sep 17 00:00:00 2001 From: Gina Peter Banyard Date: Fri, 18 Jul 2025 18:25:24 +0100 Subject: [PATCH 6/8] ext/sysvsem: use bool type instead of int --- ext/sysvsem/sysvsem.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ext/sysvsem/sysvsem.c b/ext/sysvsem/sysvsem.c index 481d8ce28cc36..99ebda92273ef 100644 --- a/ext/sysvsem/sysvsem.c +++ b/ext/sysvsem/sysvsem.c @@ -266,7 +266,7 @@ PHP_FUNCTION(sem_get) /* }}} */ /* {{{ php_sysvsem_semop */ -static void php_sysvsem_semop(INTERNAL_FUNCTION_PARAMETERS, int acquire) +static void php_sysvsem_semop(INTERNAL_FUNCTION_PARAMETERS, bool acquire) { zval *arg_id; bool nowait = 0; @@ -311,14 +311,14 @@ static void php_sysvsem_semop(INTERNAL_FUNCTION_PARAMETERS, int acquire) /* {{{ Acquires the semaphore with the given id, blocking if necessary */ PHP_FUNCTION(sem_acquire) { - php_sysvsem_semop(INTERNAL_FUNCTION_PARAM_PASSTHRU, 1); + php_sysvsem_semop(INTERNAL_FUNCTION_PARAM_PASSTHRU, true); } /* }}} */ /* {{{ Releases the semaphore with the given id */ PHP_FUNCTION(sem_release) { - php_sysvsem_semop(INTERNAL_FUNCTION_PARAM_PASSTHRU, 0); + php_sysvsem_semop(INTERNAL_FUNCTION_PARAM_PASSTHRU, false); } /* }}} */ From f63a35d944b65b9ef62db137685daa7a35cd259b Mon Sep 17 00:00:00 2001 From: Gina Peter Banyard Date: Fri, 18 Jul 2025 18:34:48 +0100 Subject: [PATCH 7/8] ext/sysvmsg: various minor refactorings --- ext/sysvmsg/sysvmsg.c | 65 ++++++++++++++++++------------------------- 1 file changed, 27 insertions(+), 38 deletions(-) diff --git a/ext/sysvmsg/sysvmsg.c b/ext/sysvmsg/sysvmsg.c index 1f4cafd2bce0f..d906aa2315e4d 100644 --- a/ext/sysvmsg/sysvmsg.c +++ b/ext/sysvmsg/sysvmsg.c @@ -127,32 +127,32 @@ PHP_MINFO_FUNCTION(sysvmsg) /* {{{ Set information for a message queue */ PHP_FUNCTION(msg_set_queue) { - zval *queue, *data; + zval *queue; + HashTable *data; sysvmsg_queue_t *mq = NULL; struct msqid_ds stat; - RETVAL_FALSE; - - if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oa", &queue, sysvmsg_queue_ce, &data) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oh", &queue, sysvmsg_queue_ce, &data) == FAILURE) { RETURN_THROWS(); } mq = Z_SYSVMSG_QUEUE_P(queue); + RETVAL_FALSE; if (msgctl(mq->id, IPC_STAT, &stat) == 0) { zval *item; /* now pull out members of data and set them in the stat buffer */ - if ((item = zend_hash_str_find(Z_ARRVAL_P(data), "msg_perm.uid", sizeof("msg_perm.uid") - 1)) != NULL) { + if ((item = zend_hash_str_find(data, ZEND_STRL("msg_perm.uid"))) != NULL) { stat.msg_perm.uid = zval_get_long(item); } - if ((item = zend_hash_str_find(Z_ARRVAL_P(data), "msg_perm.gid", sizeof("msg_perm.gid") - 1)) != NULL) { + if ((item = zend_hash_str_find(data, ZEND_STRL("msg_perm.gid"))) != NULL) { stat.msg_perm.gid = zval_get_long(item); } - if ((item = zend_hash_str_find(Z_ARRVAL_P(data), "msg_perm.mode", sizeof("msg_perm.mode") - 1)) != NULL) { + if ((item = zend_hash_str_find(data, ZEND_STRL("msg_perm.mode"))) != NULL) { stat.msg_perm.mode = zval_get_long(item); } - if ((item = zend_hash_str_find(Z_ARRVAL_P(data), "msg_qbytes", sizeof("msg_qbytes") - 1)) != NULL) { + if ((item = zend_hash_str_find(data, ZEND_STRL("msg_qbytes"))) != NULL) { stat.msg_qbytes = zval_get_long(item); } if (msgctl(mq->id, IPC_SET, &stat) == 0) { @@ -169,28 +169,27 @@ PHP_FUNCTION(msg_stat_queue) sysvmsg_queue_t *mq = NULL; struct msqid_ds stat; - RETVAL_FALSE; - if (zend_parse_parameters(ZEND_NUM_ARGS(), "O", &queue, sysvmsg_queue_ce) == FAILURE) { RETURN_THROWS(); } mq = Z_SYSVMSG_QUEUE_P(queue); - if (msgctl(mq->id, IPC_STAT, &stat) == 0) { - array_init(return_value); - - add_assoc_long(return_value, "msg_perm.uid", stat.msg_perm.uid); - add_assoc_long(return_value, "msg_perm.gid", stat.msg_perm.gid); - add_assoc_long(return_value, "msg_perm.mode", stat.msg_perm.mode); - add_assoc_long(return_value, "msg_stime", stat.msg_stime); - add_assoc_long(return_value, "msg_rtime", stat.msg_rtime); - add_assoc_long(return_value, "msg_ctime", stat.msg_ctime); - add_assoc_long(return_value, "msg_qnum", stat.msg_qnum); - add_assoc_long(return_value, "msg_qbytes", stat.msg_qbytes); - add_assoc_long(return_value, "msg_lspid", stat.msg_lspid); - add_assoc_long(return_value, "msg_lrpid", stat.msg_lrpid); + if (msgctl(mq->id, IPC_STAT, &stat) != 0) { + RETURN_FALSE; } + + array_init_size(return_value, 10); + add_assoc_long(return_value, "msg_perm.uid", stat.msg_perm.uid); + add_assoc_long(return_value, "msg_perm.gid", stat.msg_perm.gid); + add_assoc_long(return_value, "msg_perm.mode", stat.msg_perm.mode); + add_assoc_long(return_value, "msg_stime", stat.msg_stime); + add_assoc_long(return_value, "msg_rtime", stat.msg_rtime); + add_assoc_long(return_value, "msg_ctime", stat.msg_ctime); + add_assoc_long(return_value, "msg_qnum", stat.msg_qnum); + add_assoc_long(return_value, "msg_qbytes", stat.msg_qbytes); + add_assoc_long(return_value, "msg_lspid", stat.msg_lspid); + add_assoc_long(return_value, "msg_lrpid", stat.msg_lrpid); } /* }}} */ @@ -203,11 +202,7 @@ PHP_FUNCTION(msg_queue_exists) RETURN_THROWS(); } - if (msgget(key, 0) < 0) { - RETURN_FALSE; - } - - RETURN_TRUE; + RETURN_BOOL(msgget(key, 0) >= 0); } /* }}} */ @@ -251,11 +246,7 @@ PHP_FUNCTION(msg_remove_queue) mq = Z_SYSVMSG_QUEUE_P(queue); - if (msgctl(mq->id, IPC_RMID, NULL) == 0) { - RETVAL_TRUE; - } else { - RETVAL_FALSE; - } + RETURN_BOOL(msgctl(mq->id, IPC_RMID, NULL) == 0); } /* }}} */ @@ -270,8 +261,6 @@ PHP_FUNCTION(msg_receive) struct php_msgbuf *messagebuffer = NULL; /* buffer to transmit */ int result; - RETVAL_FALSE; - if (zend_parse_parameters(ZEND_NUM_ARGS(), "Olzlz|blz", &queue, sysvmsg_queue_ce, &desiredmsgtype, &out_msgtype, &maxsize, &out_message, &do_unserialize, &flags, &zerrcode) == FAILURE) { @@ -337,6 +326,7 @@ PHP_FUNCTION(msg_receive) if (zerrcode) { ZEND_TRY_ASSIGN_REF_LONG(zerrcode, errno); } + RETVAL_FALSE; } efree(messagebuffer); } @@ -353,8 +343,6 @@ PHP_FUNCTION(msg_send) int result; size_t message_len = 0; - RETVAL_FALSE; - if (zend_parse_parameters(ZEND_NUM_ARGS(), "Olz|bbz", &queue, sysvmsg_queue_ce, &msgtype, &message, &do_serialize, &blocking, &zerror) == FAILURE) { RETURN_THROWS(); @@ -429,8 +417,9 @@ PHP_FUNCTION(msg_send) if (zerror) { ZEND_TRY_ASSIGN_REF_LONG(zerror, errno); } + RETURN_FALSE; } else { - RETVAL_TRUE; + RETURN_TRUE; } } /* }}} */ From 6b0a80903bece4c383708b16cabc4659a0b6774a Mon Sep 17 00:00:00 2001 From: Gina Peter Banyard Date: Mon, 28 Jul 2025 14:07:05 +0100 Subject: [PATCH 8/8] ext/intl: Fix return value on failure for resourcebundle count handler Closes GH-19277 --- NEWS | 1 + ext/intl/resourcebundle/resourcebundle_class.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 704398f5b6c32..a850699051ce2 100644 --- a/NEWS +++ b/NEWS @@ -20,6 +20,7 @@ PHP NEWS - Intl: . Fixed GH-19261: msgfmt_parse_message leaks on message creation failure. (David Carlier) + . Fix return value on failure for resourcebundle count handler. (Girgias) - LDAP: . Fixed bug GH-18529 (additional inheriting of TLS int options). diff --git a/ext/intl/resourcebundle/resourcebundle_class.c b/ext/intl/resourcebundle/resourcebundle_class.c index 9e86b41e761a2..8a2ff19d60efc 100644 --- a/ext/intl/resourcebundle/resourcebundle_class.c +++ b/ext/intl/resourcebundle/resourcebundle_class.c @@ -257,7 +257,7 @@ static zend_result resourcebundle_array_count(zend_object *object, zend_long *co if (rb->me == NULL) { intl_errors_set(&rb->error, U_ILLEGAL_ARGUMENT_ERROR, "Found unconstructed ResourceBundle", 0); - return 0; + return FAILURE; } *count = ures_getSize( rb->me );