shivammathur
diff --git a/‎config/patches/7.3/0117-Fix-GH-20584-Information-Leak-of-Memory.patch‎
Lines changed: 103 additions & 0 deletions b/‎config/patches/7.3/0117-Fix-GH-20584-Information-Leak-of-Memory.patch‎
Lines changed: 103 additions & 0 deletions
diff --git a/‎config/patches/7.3/0118-Only-test-from-code-is-not-affected.patch‎
Lines changed: 45 additions & 0 deletions b/‎config/patches/7.3/0118-Only-test-from-code-is-not-affected.patch‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎config/patches/7.3/0119-Fix-GHSA-h96m-rvf9-jgm2.patch‎
Lines changed: 59 additions & 0 deletions b/‎config/patches/7.3/0119-Fix-GHSA-h96m-rvf9-jgm2.patch‎
Lines changed: 59 additions & 0 deletions
@@ -0,0 +1,103 @@
+From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
+Date: Tue, 25 Nov 2025 23:11:38 +0100
+Subject: Fix GH-20584: Information Leak of Memory
+
+The string added had uninitialized memory due to
+php_read_stream_all_chunks() not moving the buffer position, resulting
+in the same data always being overwritten instead of new data being
+added to the end of the buffer.
+
+This is backport as there is a security impact as described in
+GHSA-3237-qqm7-mfv7 .
+
+(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc)
+(cherry picked from commit ed665eb1903737d2b52b27368b155f6208604ed9)
+---
+ ext/standard/image.c                  | 20 +++++++++++++++---
+ ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 56 insertions(+), 3 deletions(-)
+ create mode 100644 ext/standard/tests/image/gh20584.phpt
+
+diff --git a/ext/standard/image.c b/ext/standard/image.c
+index fc4d6bd..06f0a00 100644
+--- a/ext/standard/image.c
++++ b/ext/standard/image.c
+@@ -434,8 +434,22 @@ static int php_skip_variable(php_stream * stream)
+ }
+ /* }}} */
+ 
+-/* {{{ php_read_APP
+- */
++static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_t length)
++{
++	size_t read_total = 0;
++	do {
++		ssize_t read_now = php_stream_read(stream, buffer, length - read_total);
++		read_total += read_now;
++		if (read_now < stream->chunk_size && read_total != length) {
++			return 0;
++		}
++		buffer += read_now;
++	} while (read_total < length);
++
++	return read_total;
++}
++
++/* {{{ php_read_APP */
+ static int php_read_APP(php_stream * stream, unsigned int marker, zval *info)
+ {
+ 	unsigned short length;
+@@ -451,7 +465,7 @@ static int php_read_APP(php_stream * stream, unsigned int marker, zval *info)
+ 
+ 	buffer = emalloc(length);
+ 
+-	if (php_stream_read(stream, buffer, (zend_long) length) != length) {
++	if (php_read_stream_all_chunks(stream, buffer, length) != length) {
+ 		efree(buffer);
+ 		return 0;
+ 	}
+diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt
+new file mode 100644
+index 0000000..d117f21
+--- /dev/null
++++ b/ext/standard/tests/image/gh20584.phpt
+@@ -0,0 +1,39 @@
++--TEST--
++GH-20584 (Information Leak of Memory)
++--CREDITS--
++Nikita Sveshnikov (Positive Technologies)
++--FILE--
++<?php
++// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter
++$file = __DIR__ . '/gh20584.jpg';
++
++// Make APP1 large enough so it is read in multiple chunks
++$chunk = 8192;
++$tail = 123;
++$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z',
++$tail);
++$app1Len = 2 + strlen($payload);
++
++// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI
++$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) .
++"\x01\x11\x00";
++$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof .
++"\xFF\xD9";
++file_put_contents($file, $jpeg);
++
++// Read through a filter to enforce multiple reads
++$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file;
++$info = null;
++@getimagesize($src, $info);
++$exp = $payload;
++$ret = $info['APP1'];
++
++var_dump($ret === $exp);
++
++?>
++--CLEAN--
++<?php
++@unlink(__DIR__ . '/gh20584.jpg');
++?>
++--EXPECT--
++bool(true)
@@ -0,0 +1,45 @@
+From: Jakub Zelenka <bukka@php.net>
+Date: Sat, 11 Oct 2025 19:37:26 +0200
+Subject: Only test from (code is not affected)
+
+Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
+
+(cherry picked from commit 727a4ddc39ca9b78131e06b5537fe8b6c3dd6fe7)
+(cherry picked from commit 652cb22d27172e8068bc286774fb2b7078427093)
+---
+ ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+ create mode 100644 ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt
+
+diff --git a/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt b/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt
+new file mode 100644
+index 0000000..019a02c
+--- /dev/null
++++ b/ext/pdo_pgsql/tests/ghsa-8xr5-qppj-gvwj.phpt
+@@ -0,0 +1,26 @@
++--TEST--
++#GHSA-8xr5-qppj-gvwj: NULL Pointer Derefernce for failed user input quoting
++--SKIPIF--
++<?php
++if (!extension_loaded('pdo') || !extension_loaded('pdo_pgsql')) die('skip not loaded');
++require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
++require_once dirname(__FILE__) . '/config.inc';
++PDOTest::skip();
++?>
++--FILE--
++<?php
++require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
++require_once dirname(__FILE__) . '/config.inc';
++$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt');
++$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
++$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
++
++$sql = "SELECT * FROM users where username = :username";
++$stmt = $db->prepare($sql);
++
++$p1 = "alice\x99";
++var_dump($stmt->execute(['username' => $p1]));
++
++?>
++--EXPECT--
++bool(false)
@@ -0,0 +1,59 @@
+From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
+Date: Sun, 9 Nov 2025 13:23:11 +0100
+Subject: Fix GHSA-h96m-rvf9-jgm2
+
+(cherry picked from commit 8b801151bd54b36aae4593ed6cfc096e8122b415)
+(cherry picked from commit e4516e52979e8b67d9d35dfdbcc5dc7368263fa2)
+---
+ ext/standard/array.c                              |  7 ++++++-
+ ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt | 16 ++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+
+diff --git a/ext/standard/array.c b/ext/standard/array.c
+index 09c3a9f..fd92ef0 100644
+--- a/ext/standard/array.c
++++ b/ext/standard/array.c
+@@ -3778,7 +3778,7 @@ static inline void php_array_merge_or_replace_wrapper(INTERNAL_FUNCTION_PARAMETE
+ 	} else {
+ 		zval *src_entry;
+ 		HashTable *src, *dest;
+-		uint32_t count = 0;
++		uint64_t count = 0;
+ 
+ 		for (i = 0; i < argc; i++) {
+ 			zval *arg = args + i;
+@@ -3790,6 +3790,11 @@ static inline void php_array_merge_or_replace_wrapper(INTERNAL_FUNCTION_PARAMETE
+ 			count += zend_hash_num_elements(Z_ARRVAL_P(arg));
+ 		}
+ 
++		if (UNEXPECTED(count >= HT_MAX_SIZE)) {
++			zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE);
++			return;
++		}
++
+ 		arg = args;
+ 		src  = Z_ARRVAL_P(arg);
+ 		/* copy first array */
+diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+new file mode 100644
+index 0000000..2e3e853
+--- /dev/null
++++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++GHSA-h96m-rvf9-jgm2
++--FILE--
++<?php
++
++$power = 20; // Chosen to be well within a memory_limit
++$arr = range(0, 2**$power);
++try {
++    array_merge(...array_fill(0, 2**(32-$power), $arr));
++} catch (Error $e) {
++    echo $e->getMessage(), "\n";
++}
++
++?>
++--EXPECTF--
++The total number of elements must be lower than %d