Merge branch 'PHP-8.4'

nielsdos · nielsdos · commit 3ba725a55663 · 2025-04-11T23:36:42.000+02:00
* PHP-8.4: Fix GH-18309: ipv6 filter integer overflow Fix GH-18304: Changing the properties of a DateInterval through dynamic properties triggers a SegFault
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
@@ -4567,7 +4567,9 @@ static zval *date_interval_get_property_ptr_ptr(zend_object *object, zend_string
 		zend_string_equals_literal(name, "days") ||
 		zend_string_equals_literal(name, "invert") ) {
 		/* Fallback to read_property. */
-		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+		if (cache_slot) {
+			cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+		}
 		ret = NULL;
 	} else {
 		ret = zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
diff --git a/ext/date/tests/gh18304.phpt b/ext/date/tests/gh18304.phpt
@@ -0,0 +1,35 @@
+--TEST--
+GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
+--CREDITS--
+orose-assetgo
+--FILE--
+<?php
+$di = new \DateInterval('P0Y');
+$field = 'd';
+$i = 1;
+$di->$field += $i;
+var_dump($di);
+?>
+--EXPECT--
+object(DateInterval)#1 (10) {
+  ["y"]=>
+  int(0)
+  ["m"]=>
+  int(0)
+  ["d"]=>
+  int(1)
+  ["h"]=>
+  int(0)
+  ["i"]=>
+  int(0)
+  ["s"]=>
+  int(0)
+  ["f"]=>
+  float(0)
+  ["invert"]=>
+  int(0)
+  ["days"]=>
+  bool(false)
+  ["from_string"]=>
+  bool(false)
+}
diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c
@@ -357,7 +357,9 @@ static zval *dom_get_property_ptr_ptr(zend_object *object, zend_string *name, in
 		return zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
 	}
 
-	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	if (cache_slot) {
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	}
 	return NULL;
 }
 
diff --git a/ext/dom/tests/gh18304.phpt b/ext/dom/tests/gh18304.phpt
@@ -0,0 +1,15 @@
+--TEST--
+GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
+--CREDITS--
+orose-assetgo
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$text = new \DOMText();
+$field = 'textContent';
+$text->$field .= 'hello';
+var_dump($text->$field);
+?>
+--EXPECT--
+string(5) "hello"
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
@@ -758,7 +758,8 @@ static bool _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8]
 {
 	int compressed_pos = -1;
 	int blocks = 0;
-	int num, n, i;
+	unsigned int num, n;
+	int i;
 	const char *ipv4;
 	const char *end;
 	int ip4elm[4];
diff --git a/ext/filter/tests/gh18309.phpt b/ext/filter/tests/gh18309.phpt
@@ -0,0 +1,10 @@
+--TEST--
+GH-18309 (ipv6 filter integer overflow)
+--EXTENSIONS--
+filter
+--FILE--
+<?php
+var_dump(filter_var('fffffffffffffffffffffffffffffffffffff::', FILTER_VALIDATE_IP, FILTER_FLAG_IPV6));
+?>
+--EXPECT--
+bool(false)
diff --git a/ext/pdo/pdo_stmt.c b/ext/pdo/pdo_stmt.c
@@ -2387,9 +2387,10 @@ static zval *pdo_row_get_property_ptr_ptr(zend_object *object, zend_string *name
 	ZEND_IGNORE_VALUE(object);
 	ZEND_IGNORE_VALUE(name);
 	ZEND_IGNORE_VALUE(type);
-	ZEND_IGNORE_VALUE(cache_slot);
 
-	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	if (cache_slot) {
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	}
 	return NULL;
 }
 
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
@@ -631,7 +631,9 @@ static zval *sxe_property_get_adr(zend_object *object, zend_string *zname, int f
 	SXE_ITER        type;
 	zval            member;
 
-	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	if (cache_slot) {
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	}
 
 	sxe = php_sxe_fetch_object(object);
 	GET_NODE(sxe, node);
diff --git a/ext/simplexml/tests/gh18304.phpt b/ext/simplexml/tests/gh18304.phpt
@@ -0,0 +1,18 @@
+--TEST--
+GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
+--CREDITS--
+orose-assetgo
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+$sxe = simplexml_load_string('<root><abc/></root>');
+$field = 'abc';
+$sxe->$field .= 'hello';
+var_dump($sxe->$field);
+?>
+--EXPECT--
+object(SimpleXMLElement)#3 (1) {
+  [0]=>
+  string(5) "hello"
+}
diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
@@ -1921,7 +1921,9 @@ static zval *php_snmp_get_property_ptr_ptr(zend_object *object, zend_string *nam
 		return zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
 	}
 
-	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	if (cache_slot) {
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	}
 	return NULL;
 }
 
diff --git a/ext/snmp/tests/gh18304.phpt b/ext/snmp/tests/gh18304.phpt
@@ -0,0 +1,15 @@
+--TEST--
+GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
+--CREDITS--
+orose-assetgo
+--EXTENSIONS--
+snmp
+--FILE--
+<?php
+$snmp = new SNMP(1, '127.0.0.1', 'community');
+$field = 'max_oids';
+$snmp->$field++;
+var_dump($snmp->$field);
+?>
+--EXPECT--
+int(1)
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
@@ -863,7 +863,9 @@ static zval *spl_array_get_property_ptr_ptr(zend_object *object, zend_string *na
 
 	if ((intern->ar_flags & SPL_ARRAY_ARRAY_AS_PROPS) != 0
 		&& !zend_std_has_property(object, name, ZEND_PROPERTY_EXISTS, NULL)) {
-		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+		if (cache_slot) {
+			cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+		}
 
 		/* If object has offsetGet() overridden, then fallback to read_property,
 		 * which will call offsetGet(). */
diff --git a/ext/spl/tests/gh18304.phpt b/ext/spl/tests/gh18304.phpt
@@ -0,0 +1,14 @@
+--TEST--
+GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
+--CREDITS--
+orose-assetgo
+--FILE--
+<?php
+$ao = new ArrayObject(['abc' => 1]);
+$ao->setFlags(ArrayObject::ARRAY_AS_PROPS);
+$field = 'abc';
+$ao->$field++;
+var_dump($ao->$field);
+?>
+--EXPECT--
+int(2)
diff --git a/ext/xmlreader/php_xmlreader.c b/ext/xmlreader/php_xmlreader.c
@@ -117,7 +117,7 @@ static zval *xmlreader_get_property_ptr_ptr(zend_object *object, zend_string *na
 	xmlreader_prop_handler *hnd = zend_hash_find_ptr(&xmlreader_prop_handlers, name);
 	if (hnd == NULL) {
 		retval = zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
-	} else {
+	} else if (cache_slot) {
 		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
 	}
 
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
@@ -889,8 +889,6 @@ static zval *php_zip_get_property_ptr_ptr(zend_object *object, zend_string *name
 	zval *retval = NULL;
 	zip_prop_handler *hnd = NULL;
 
-	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
-
 	obj = php_zip_fetch_object(object);
 
 	if (obj->prop_handler != NULL) {
@@ -899,6 +897,8 @@ static zval *php_zip_get_property_ptr_ptr(zend_object *object, zend_string *name
 
 	if (hnd == NULL) {
 		retval = zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
+	} else if (cache_slot) {
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
 	}
 
 	return retval;

Original file line number	Diff line number	Diff line change
`@@ -357,7 +357,9 @@ static zval dom_get_property_ptr_ptr(zend_object object, zend_string *name, in`
`357`	`357`	`return zend_std_get_property_ptr_ptr(object, name, type, cache_slot);`
`358`	`358`	`}`
`359`	`359`
`360`		`- cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;`
	`360`	`+ if (cache_slot) {`
	`361`	`+ cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;`
	`362`	`+ }`
`361`	`363`	`return NULL;`
`362`	`364`	`}`
`363`	`365`
Original file line number	Diff line number	Diff line change
`@@ -1921,7 +1921,9 @@ static zval php_snmp_get_property_ptr_ptr(zend_object object, zend_string *nam`
`1921`	`1921`	`return zend_std_get_property_ptr_ptr(object, name, type, cache_slot);`
`1922`	`1922`	`}`
`1923`	`1923`
`1924`		`- cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;`
	`1924`	`+ if (cache_slot) {`
	`1925`	`+ cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;`
	`1926`	`+ }`
`1925`	`1927`	`return NULL;`
`1926`	`1928`	`}`
`1927`	`1929`