[pull] master from php:master#1036
Merged
Merged
Conversation
Replace `zend_hash_exists()` + `zend_hash_find_ptr()` with a single `zend_hash_find_ptr()` call and a `NULL` check, avoiding an unnecessary HashTable lookup.
number_format($number, 9876543210); is now silently equals to number_format($number, 2147483647); and generates 2147483647 decimal places and eat up 2 GB memory (and exhaust almost half of them which cause a fatal error). I only reject very large positive numbers here (as every input larger than 2147483647 is silently turned into 2147483647). Because negative ones is always returning 0 anyways and only very large positive numbers can cause to such problems. Fixes #17384
ZipArchive wraps a libzip handle that cannot survive serialization: serialize() produced a string that unserialized into an empty object with numFiles 0, and that unserialize path was the bug72434 use-after-free vector. Add __serialize() and __unserialize() that throw, so the base class rejects (un)serialization and the UAF is closed by construction, while a subclass can still override both to round-trip through closeString()/openString(). Move the bug72434 test to ext/zip/tests since it now requires the zip extension. Fixes GH-21682
The four password-hashing functions reported out-of-range arguments (a non-positive or below-minimum opslimit or memlimit, an oversized hash length or password, a wrong-length salt) as a SodiumException. These are argument-value errors, so throw ValueError via zend_argument_value_error() instead, matching the rest of the engine. SodiumException is still used for internal libsodium failures. SodiumException's create_object empties the whole backtrace, which also protects caller frames holding the password; a plain ValueError does not, so each converted site keeps an explicit sodium_remove_param_values_from_backtrace(EG(exception)), mirroring the ZPP-failure paths.
…ty_set_raw_value_without_lazy_initialization Closes GH-21763
A crafted, deliberately truncated unserialize() payload can leave Exception::$trace holding a non-array value, since the typed-property check is skipped on the parse failure path. getTraceAsString() then reinterpreted the object as a HashTable, causing an out-of-bounds read. Guard against a non-array trace and return an empty string instead. Fix #22257 close GH-22263
Add several const qualifiers.
Uses PATH_OR_NULL for strings to avoid surprise null terminators.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )