From eafbc6b3e6b59786601420dfb27c3682d0cfd86c Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Fri, 24 Oct 2025 17:40:18 +0200 Subject: [PATCH 1/3] [skip ci] Fix opcache dump test for VARIATION job --- ext/opcache/tests/named_parameter_new.phpt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ext/opcache/tests/named_parameter_new.phpt b/ext/opcache/tests/named_parameter_new.phpt index 78bce98897702..1f6f64333c988 100644 --- a/ext/opcache/tests/named_parameter_new.phpt +++ b/ext/opcache/tests/named_parameter_new.phpt @@ -33,7 +33,7 @@ MyClass::new(bar: 1); ?> --EXPECTF-- $_main: - ; (lines=4, args=0, vars=0, tmps=0) + ; (lines=4, args=0, vars=0, tmps=%d) ; (after optimizer) ; %s 0000 INIT_STATIC_METHOD_CALL 1 string("MyClass") string("new") @@ -42,7 +42,7 @@ $_main: 0003 RETURN int(1) MyClass::__construct: - ; (lines=7, args=2, vars=2, tmps=0) + ; (lines=7, args=2, vars=2, tmps=%d) ; (after optimizer) ; %s 0000 CV0($foo) = RECV 1 @@ -54,7 +54,7 @@ MyClass::__construct: 0006 RETURN null MyClass::new: - ; (lines=10, args=1, vars=2, tmps=1) + ; (lines=10, args=1, vars=2, tmps=%d) ; (after optimizer) ; %s 0000 CV0($bar) = RECV 1 From 58df9fcf98350af60d6eea3425e563946d5c897b Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Fri, 24 Oct 2025 10:21:26 +0200 Subject: [PATCH 2/3] Fix UAF in tidy when tidySetErrorBuffer() fails We should not free `intern` as its stored in the object store as well, so the object store will already free it, leading to a UAF when the object store tries to read the object's fields. Closes GH-20276. --- NEWS | 2 +- ext/tidy/tidy.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 0ecf44b4c4cfd..01b077a7b8378 100644 --- a/NEWS +++ b/NEWS 
@@ -74,10 +74,10 @@ PHP NEWS . Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect condition for Win32/Win64. (Jakub Zelenka) - - Tidy: . Fixed GH-19021 (improved tidyOptGetCategory detection). (arjendekorte, David Carlier, Peter Kokot) + . Fix UAF in tidy when tidySetErrorBuffer() fails. (nielsdos) - XMLReader: . Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available. diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c index a42e2bc203770..434d5a8493bbe 100644 --- a/ext/tidy/tidy.c +++ b/ext/tidy/tidy.c @@ -434,7 +434,7 @@ static zend_object *tidy_object_new(zend_class_entry *class_type, zend_object_ha efree(intern->ptdoc->errbuf); tidyRelease(intern->ptdoc->doc); efree(intern->ptdoc); - efree(intern); + /* TODO: convert to exception */ php_error_docref(NULL, E_ERROR, "Could not set Tidy error buffer"); } From aebe5c92a9fc72786df0da91b792cdd79db5ffd1 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Fri, 24 Oct 2025 21:20:25 +0200 Subject: [PATCH 3/3] Fix macro check that I forgot to commit --- ext/pdo_mysql/mysql_statement.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/pdo_mysql/mysql_statement.c b/ext/pdo_mysql/mysql_statement.c index 722d0824711a0..0ce7c7224dc6c 100644 --- a/ext/pdo_mysql/mysql_statement.c +++ b/ext/pdo_mysql/mysql_statement.c @@ -750,7 +750,7 @@ static char *type_to_name_native(int type) /* {{{ */ PDO_MYSQL_NATIVE_TYPE_NAME(NEWDATE) #endif /* The following 2 don't have BC FIELD_TYPE_* aliases. */ -#if MYSQL_VERSION_ID >= 90000 && !defined(MARIADB_BASE_VERSION) /* TODO: mysqlnd support (added in 8.4 via a1ab846231aeff49c0441a30ebd44463fc7825b1) */ +#if (MYSQL_VERSION_ID >= 90000 && !defined(MARIADB_BASE_VERSION)) || defined(PDO_USE_MYSQLND) PDO_MYSQL_NATIVE_TYPE_NAME(VECTOR) #endif #if MYSQL_VERSION_ID >= 50708 || defined(PDO_USE_MYSQLND)
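Review bot: In the ext/tidy/tidy.c hunk, `intern->ptdoc` still holds the freed address after `efree(intern->ptdoc);`, and with `efree(intern)` removed the object now stays alive until the object store releases it. If the object's free handler (not visible in this hunk) inspects `intern->ptdoc`, it would read or release that memory a second time, so I would add `intern->ptdoc = NULL;` directly after `efree(intern->ptdoc);`. Whether the handler runs after the `E_ERROR` raised on the following line depends on shutdown behaviour this hunk does not show, so that part needs confirming. tidy_object_new starts and ends outside the hunk.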
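Review bot: In the ext/pdo_mysql/mysql_statement.c hunk, the rewritten `#if` in front of `PDO_MYSQL_NATIVE_TYPE_NAME(VECTOR)` drops the only comment that said where mysqlnd gained the VECTOR type, so the new `|| defined(PDO_USE_MYSQLND)` arm carries no rationale. The removed TODO tied mysqlnd support to 8.4, so this arm is presumably only valid on branches that include that change, which matters if the patch is cherry-picked to an older branch. I would keep a one-line comment above the condition, for example `/* libmysqlclient: 9.0+ and not MariaDB headers; mysqlnd: VECTOR type available since 8.4 */`. type_to_name_native starts and ends outside the hunk.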