Skip to content

Commit 3ba725a

Browse files
committed
Merge branch 'PHP-8.4'
* PHP-8.4: Fix GH-18309: ipv6 filter integer overflow Fix GH-18304: Changing the properties of a DateInterval through dynamic properties triggers a SegFault
2 parents 8c685fa + a019fbd commit 3ba725a

File tree

15 files changed

+130
-11
lines changed

15 files changed

+130
-11
lines changed

ext/date/php_date.c

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4567,7 +4567,9 @@ static zval *date_interval_get_property_ptr_ptr(zend_object *object, zend_string
45674567
zend_string_equals_literal(name, "days") ||
45684568
zend_string_equals_literal(name, "invert") ) {
45694569
/* Fallback to read_property. */
4570-
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
4570+
if (cache_slot) {
4571+
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
4572+
}
45714573
ret = NULL;
45724574
} else {
45734575
ret = zend_std_get_property_ptr_ptr(object, name, type, cache_slot);

ext/date/tests/gh18304.phpt

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
--TEST--
2+
GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
3+
--CREDITS--
4+
orose-assetgo
5+
--FILE--
6+
<?php
7+
$di = new \DateInterval('P0Y');
8+
$field = 'd';
9+
$i = 1;
10+
$di->$field += $i;
11+
var_dump($di);
12+
?>
13+
--EXPECT--
14+
object(DateInterval)#1 (10) {
15+
["y"]=>
16+
int(0)
17+
["m"]=>
18+
int(0)
19+
["d"]=>
20+
int(1)
21+
["h"]=>
22+
int(0)
23+
["i"]=>
24+
int(0)
25+
["s"]=>
26+
int(0)
27+
["f"]=>
28+
float(0)
29+
["invert"]=>
30+
int(0)
31+
["days"]=>
32+
bool(false)
33+
["from_string"]=>
34+
bool(false)
35+
}

ext/dom/php_dom.c

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -357,7 +357,9 @@ static zval *dom_get_property_ptr_ptr(zend_object *object, zend_string *name, in
357357
return zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
358358
}
359359

360-
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
360+
if (cache_slot) {
361+
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
362+
}
361363
return NULL;
362364
}
363365

ext/dom/tests/gh18304.phpt

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
--TEST--
2+
GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
3+
--CREDITS--
4+
orose-assetgo
5+
--EXTENSIONS--
6+
dom
7+
--FILE--
8+
<?php
9+
$text = new \DOMText();
10+
$field = 'textContent';
11+
$text->$field .= 'hello';
12+
var_dump($text->$field);
13+
?>
14+
--EXPECT--
15+
string(5) "hello"

ext/filter/logical_filters.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -758,7 +758,8 @@ static bool _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8]
758758
{
759759
int compressed_pos = -1;
760760
int blocks = 0;
761-
int num, n, i;
761+
unsigned int num, n;
762+
int i;
762763
const char *ipv4;
763764
const char *end;
764765
int ip4elm[4];

ext/filter/tests/gh18309.phpt

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
--TEST--
2+
GH-18309 (ipv6 filter integer overflow)
3+
--EXTENSIONS--
4+
filter
5+
--FILE--
6+
<?php
7+
var_dump(filter_var('fffffffffffffffffffffffffffffffffffff::', FILTER_VALIDATE_IP, FILTER_FLAG_IPV6));
8+
?>
9+
--EXPECT--
10+
bool(false)

ext/pdo/pdo_stmt.c

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2387,9 +2387,10 @@ static zval *pdo_row_get_property_ptr_ptr(zend_object *object, zend_string *name
23872387
ZEND_IGNORE_VALUE(object);
23882388
ZEND_IGNORE_VALUE(name);
23892389
ZEND_IGNORE_VALUE(type);
2390-
ZEND_IGNORE_VALUE(cache_slot);
23912390

2392-
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
2391+
if (cache_slot) {
2392+
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
2393+
}
23932394
return NULL;
23942395
}
23952396

ext/simplexml/simplexml.c

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -631,7 +631,9 @@ static zval *sxe_property_get_adr(zend_object *object, zend_string *zname, int f
631631
SXE_ITER type;
632632
zval member;
633633

634-
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
634+
if (cache_slot) {
635+
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
636+
}
635637

636638
sxe = php_sxe_fetch_object(object);
637639
GET_NODE(sxe, node);

ext/simplexml/tests/gh18304.phpt

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
--TEST--
2+
GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
3+
--CREDITS--
4+
orose-assetgo
5+
--EXTENSIONS--
6+
simplexml
7+
--FILE--
8+
<?php
9+
$sxe = simplexml_load_string('<root><abc/></root>');
10+
$field = 'abc';
11+
$sxe->$field .= 'hello';
12+
var_dump($sxe->$field);
13+
?>
14+
--EXPECT--
15+
object(SimpleXMLElement)#3 (1) {
16+
[0]=>
17+
string(5) "hello"
18+
}

ext/snmp/snmp.c

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1921,7 +1921,9 @@ static zval *php_snmp_get_property_ptr_ptr(zend_object *object, zend_string *nam
19211921
return zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
19221922
}
19231923

1924-
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
1924+
if (cache_slot) {
1925+
cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
1926+
}
19251927
return NULL;
19261928
}
19271929

0 commit comments

Comments
 (0)