[pull] master from php:master#841
Merged
imageloadfont() read the font header with `(char*)&font[b]`, which scales the byte counter b by sizeof(gdFont) rather than advancing one byte, so a short php_stream_read() (deliverable by a user stream wrapper) makes the loop write hdr_size-b bytes past the emalloc(sizeof(gdFont)) buffer. Index the destination by bytes, matching the body read a few lines below. Closes GH-22380
* PHP-8.4: ext/gd: fix out-of-bounds write reading font header on short reads
* PHP-8.5: ext/gd: fix out-of-bounds write reading font header on short reads
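The indexing difference behind the gd fix above, as an added example that is not PHP's own code. `font_t` is a hypothetical stand-in for `gdFont`, and the loop only tracks destination offsets for a constructed short-reading stream; it never writes memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for gdFont: four int header fields, then a data pointer. */
typedef struct { int nchars, offset, w, h; char *data; } font_t;

/* The header is everything in the struct except the trailing pointer. */
#define HDR_SIZE (sizeof(font_t) - sizeof(char *))

/*
 * Replays the header-read loop against a constructed stream that delivers at
 * most `chunk` bytes per read (a short read). Only offsets are computed.
 *   scaled != 0: destination is (char *)&font[b], i.e. b * sizeof(font_t)
 *   scaled == 0: destination is (char *)font + b, i.e. b bytes
 * Returns how many delivered bytes would land outside the single
 * sizeof(font_t) allocation.
 */
static size_t bytes_out_of_bounds(size_t chunk, int scaled)
{
    size_t b = 0, oob = 0;

    while (b < HDR_SIZE) {
        size_t want = HDR_SIZE - b;                 /* length passed to the read */
        size_t n = want < chunk ? want : chunk;     /* what the stream delivers */
        if (n == 0)
            break;                                  /* EOF: the real loop stops too */

        size_t start = scaled ? b * sizeof(font_t) : b;
        for (size_t i = 0; i < n; i++)
            if (start + i >= sizeof(font_t))
                oob++;
        b += n;                                     /* b counts bytes, not elements */
    }
    return oob;
}

int main(void)
{
    printf("full read,   scaled index: %zu bytes out of bounds\n",
           bytes_out_of_bounds(HDR_SIZE, 1));
    printf("1-byte reads, scaled index: %zu bytes out of bounds\n",
           bytes_out_of_bounds(1, 1));
    printf("1-byte reads, byte index:   %zu bytes out of bounds\n",
           bytes_out_of_bounds(1, 0));
    return 0;
}
```

With a full read the scaled index is harmless because `b` is still 0 on the only iteration, which is why the defect shows up only when the stream returns short.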
The cleanup block guarded on `unk` but released `obj`. On a successful GetActiveObject() this released the IDispatch proxy twice and leaked the IUnknown; on a QueryInterface failure `obj` is still NULL while `unk` is live, so the same line released NULL through a NULL vtable and crashed instead of throwing. Release `unk` so each interface pointer is released exactly once and the failure path no longer crashes. Closes GH-22378
* PHP-8.4: ext/com_dotnet: release the held IUnknown in com_get_active_object()
* PHP-8.5: ext/com_dotnet: release the held IUnknown in com_get_active_object()
The four sodium pwhash functions queued a zend_argument_error for an opslimit or memlimit below the documented minimum but fell through to the KDF instead of returning. When libsodium rejects the value the precise argument error is clobbered by a generic "internal error"; when it accepts the value the full KDF runs before the queued error surfaces, defeating the minimum-cost gate. Add the missing RETURN_THROWS() so each lower-bound check returns like its sibling upper-bound branches. Closes GH-22383
* PHP-8.4: Throw on below-minimum opslimit/memlimit in sodium pwhash
* PHP-8.5: Throw on below-minimum opslimit/memlimit in sodium pwhash
* PHP-8.4: Fix GH-22360: convert.base64-encode corruption on incremental flush.
* PHP-8.5: Fix GH-22360: convert.base64-encode corruption on incremental flush.
…n stored in property (#22376)
* zend_ast: Surround function by parens when exporting calls to function stored in property
The extra parentheses are needed to disambiguate method calls from calls to a function stored in a property. Fixes #22373.
* zend_ast: Avoid needless indirection through `zend_ast_export_ns_name()`
The bug80901 fix (09696ee) terminates an over-long response with *data = 0, but when the line fills the whole FTP_BUFSIZE inbuf without a CR/LF, data points at inbuf[FTP_BUFSIZE] and the terminator is written one byte past the buffer, into the adjacent ftpbuf_t::extra field. Reserve the final byte for the terminator so it always lands inside inbuf. A buffer-filling response loses its last character (bug80901's SYST reply is now 4095 visible chars, with the terminator taking the 4096th slot). Closes GH-22377
* PHP-8.4: ext/ftp: fix off-by-one terminator write in ftp_readline()
* PHP-8.5: ext/ftp: fix off-by-one terminator write in ftp_readline()
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)