From 85cb6e421a0bdb68e47b174255f98e1d192b8785 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Sat, 13 Dec 2025 15:08:45 +0100 Subject: [PATCH 1/4] Fix GH-20695: Assertion failure in normalize_value() when parsing malformed INI input via parse_ini_string() I think there's simply a reasoning error about when which scanner state can cause which parser component to invoke later on. Closes GH-20702. --- NEWS | 2 ++ Zend/zend_ini_scanner.l | 2 +- ext/standard/tests/gh20695.phpt | 14 ++++++++++++++ 3 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 ext/standard/tests/gh20695.phpt diff --git a/NEWS b/NEWS index 5103b4a96791..5cbee8cb2c53 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,8 @@ PHP NEWS - Core: . Fix OSS-Fuzz #465488618 (Wrong assumptions when dumping function signature with dynamic class const lookup default argument). (ilutov) + . Fixed bug GH-20695 (Assertion failure in normalize_value() when parsing + malformed INI input via parse_ini_string()). (ndossche) - Bz2: . Fixed bug GH-20620 (bzcompress overflow on large source size). diff --git a/Zend/zend_ini_scanner.l b/Zend/zend_ini_scanner.l index b87f4e33cc8f..b4013e8334f6 100644 --- a/Zend/zend_ini_scanner.l +++ b/Zend/zend_ini_scanner.l @@ -145,10 +145,10 @@ ZEND_API zend_ini_scanner_globals ini_scanner_globals; if (SCNG(scanner_mode) == ZEND_INI_SCANNER_TYPED && \ (YYSTATE == STATE(ST_VALUE) || YYSTATE == STATE(ST_RAW))) {\ zend_ini_copy_typed_value(ini_lval, type, str, len); \ - Z_EXTRA_P(ini_lval) = 0; \ } else { \ zend_ini_copy_value(ini_lval, str, len); \ } \ + Z_EXTRA_P(ini_lval) = 0; \ return type; \ } diff --git a/ext/standard/tests/gh20695.phpt b/ext/standard/tests/gh20695.phpt new file mode 100644 index 000000000000..64c81ab9fdb5 --- /dev/null +++ b/ext/standard/tests/gh20695.phpt 
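Review bot: The relocated `Z_EXTRA_P(ini_lval) = 0;` in the token-return macro of Zend/zend_ini_scanner.l has no comment saying why it must run for every token, and the old placement shows how easily it gets tied to a single branch again. I would add a comment above it, with the macro's trailing `\`, such as `/* Always initialise Z_EXTRA: the parser may inspect it whatever scanner state produced the token */`. In builds without assertions the untyped path presumably left that field unset for normalize_value() to read, so it is worth checking whether any other scanner path fills `ini_lval` without going through this macro. The macro's `#define` line is outside the hunk.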
@@ -0,0 +1,14 @@ +--TEST-- +GH-20695 (Assertion failure in normalize_value() when parsing malformed INI input via parse_ini_string()) +--FILE-- + +--EXPECT-- +array(1) { + [8]=> + array(1) { + ["["]=> + int(0) + } +} From 0d7e53535b9b0d23f7233c9d5e6562376b29926e Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Sun, 14 Dec 2025 00:31:19 +0100 Subject: [PATCH 2/4] Fix NUL byte truncation in sqlite3 TEXT column handling As a bonus, this should probably also be a tad faster. Closes GH-20704. --- NEWS | 3 ++ ext/sqlite3/sqlite3.c | 2 +- ext/sqlite3/tests/text_column_NUL_bytes.phpt | 38 ++++++++++++++++++++ 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 ext/sqlite3/tests/text_column_NUL_bytes.phpt diff --git a/NEWS b/NEWS index e3c32a4e1648..9fa63137d885 100644 --- a/NEWS +++ b/NEWS @@ -60,6 +60,9 @@ PHP NEWS . DirectoryIterator key can now work better with filesystem supporting larger directory indexing. (David Carlier) +- Sqlite3: + . Fix NUL byte truncation in sqlite3 TEXT column handling. (ndossche) + - Standard: . Fixed bug GH-19926 (reset internal pointer earlier while splicing array while COW violation flag is still set). (alexandre-daubois) diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c index 0ef207d76fd6..da24b037861a 100644 --- a/ext/sqlite3/sqlite3.c +++ b/ext/sqlite3/sqlite3.c @@ -648,7 +648,7 @@ static void sqlite_value_to_zval(sqlite3_stmt *stmt, int column, zval *data) /* break; case SQLITE3_TEXT: - ZVAL_STRING(data, (char*)sqlite3_column_text(stmt, column)); + ZVAL_STRINGL(data, (const char *) sqlite3_column_text(stmt, column), sqlite3_column_bytes(stmt, column)); break; case SQLITE_BLOB: diff --git a/ext/sqlite3/tests/text_column_NUL_bytes.phpt b/ext/sqlite3/tests/text_column_NUL_bytes.phpt new file mode 100644 index 000000000000..cf9403d91302 --- /dev/null +++ b/ext/sqlite3/tests/text_column_NUL_bytes.phpt 
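Review bot: The new `SQLITE3_TEXT` case in sqlite_value_to_zval() (ext/sqlite3/sqlite3.c) passes the result of `sqlite3_column_text()` straight into `ZVAL_STRINGL` without a NULL check, and SQLite documents that this call returns NULL when an allocation fails during conversion. The byte count should then be 0, but a NULL source pointer is still handed to the string copy. Both calls are also arguments of a single expression, so their evaluation order is unspecified, whereas the SQLite documentation recommends fetching the text pointer before asking for the byte count. The sketch below sequences the two calls and handles the NULL case; whether an empty string or an error is the right result there is the maintainers' call. The function body continues outside the hunk.

```c
case SQLITE3_TEXT: {
	/* Fetch the pointer before the length, as the SQLite docs recommend. */
	const char *text = (const char *) sqlite3_column_text(stmt, column);
	if (text == NULL) {
		/* NULL for a TEXT column means an allocation failed inside SQLite. */
		ZVAL_EMPTY_STRING(data);
	} else {
		ZVAL_STRINGL(data, text, sqlite3_column_bytes(stmt, column));
	}
	break;
}
```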
@@ -0,0 +1,38 @@
+--TEST--
+Text column with NUL bytes
+--EXTENSIONS--
+sqlite3
+--FILE--
+exec(
+ 'CREATE TABLE messages (
+ content TEXT
+ )'
+);
+
+$insert = $db->prepare(
+ 'INSERT INTO messages (content) VALUES (:content)'
+);
+
+$insert->bindValue(':content', "with\0null", SQLITE3_TEXT);
+$insert->execute();
+$insert->bindValue(':content', "\0", SQLITE3_TEXT);
+$insert->execute();
+
+$result = $db->query('SELECT * FROM messages');
+while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
+ var_dump($row);
+}
+
+?>
+--EXPECTF--
+array(1) {
+ ["content"]=>
+ string(9) "with%0null"
+}
+array(1) {
+ ["content"]=>
+ string(1) "%0"
+}
From 4a5a328f26594759ba5a02aaf13b607812ef85da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?=
Date: Mon, 15 Dec 2025 23:06:17 +0100
Subject: [PATCH 3/4] uri: Update to uriparser-1.0.0 (#20715)
We're now cleanly back on a released version. No functional changes since the last import of the library. Version 0.9.10 never existed, the minimum version in config.m4 was already increased in anticipation of a new release that contained necessary bugfixes to prevent building against a uriparser without these fixes. It therefore also is adjusted to 1.0.0 for correctness without having an impact.
---
 ext/uri/config.m4 | 2 +-
 ext/uri/uriparser/include/uriparser/Uri.h | 2 +-
 ext/uri/uriparser/include/uriparser/UriBase.h | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/ext/uri/config.m4 b/ext/uri/config.m4
index 99e0d6b47677..390d8eb223cb 100644
--- a/ext/uri/config.m4
+++ b/ext/uri/config.m4
@@ -33,7 +33,7 @@ if test "$PHP_EXTERNAL_URIPARSER" = "no"; then $URIPARSER_DIR/src/UriSetScheme.c $URIPARSER_DIR/src/UriSetUserInfo.c $URIPARSER_DIR/src/UriShorten.c $URIPARSER_DIR/src/UriVersion.c" URI_CFLAGS="-DURI_STATIC_BUILD" else - PKG_CHECK_MODULES([LIBURIPARSER], [liburiparser >= 0.9.10]) + PKG_CHECK_MODULES([LIBURIPARSER], [liburiparser >= 1.0.0]) PHP_EVAL_LIBLINE([$LIBURIPARSER_LIBS], [URI_SHARED_LIBADD]) PHP_EVAL_INCLINE([$LIBURIPARSER_CFLAGS]) fi diff --git a/ext/uri/uriparser/include/uriparser/Uri.h b/ext/uri/uriparser/include/uriparser/Uri.h index ea52097d6de5..88976a484627 100644 --- a/ext/uri/uriparser/include/uriparser/Uri.h +++ b/ext/uri/uriparser/include/uriparser/Uri.h @@ -1,4 +1,4 @@ -/* 207ee4485d5a4690064bec14d369884451a49ae32e907b5bc6502c2bfa338ca1 (0.9.9+) +/* 5abed1007be99942f49ffe603a894d277066b79b9cb824547af0f3b9481cb9ca (1.0.0+) * * uriparser - RFC 3986 URI parsing library * diff --git a/ext/uri/uriparser/include/uriparser/UriBase.h b/ext/uri/uriparser/include/uriparser/UriBase.h index f8256951fe34..3a9a868e3bb1 100644 --- a/ext/uri/uriparser/include/uriparser/UriBase.h +++ b/ext/uri/uriparser/include/uriparser/UriBase.h @@ -50,9 +50,9 @@ # define URI_ANSI_TO_UNICODE(x) URI_ANSI_TO_UNICODE_HELPER(x) /* Version */ -# define URI_VER_MAJOR 0 -# define URI_VER_MINOR 9 -# define URI_VER_RELEASE 9 +# define URI_VER_MAJOR 1 +# define URI_VER_MINOR 0 +# define URI_VER_RELEASE 0 # define URI_VER_SUFFIX_ANSI "" # define URI_VER_SUFFIX_UNICODE URI_ANSI_TO_UNICODE(URI_VER_SUFFIX_ANSI) @@ -394,7 +394,7 @@ URI_PUBLIC int uriTestMemoryManager(UriMemoryManager * memory); * @see uriEmulateReallocarray * @see UriMemoryManager * @see uriTestMemoryManager - * @since 0.9.10 + * @since 1.0.0 */ URI_PUBLIC int uriTestMemoryManagerEx(UriMemoryManager * memory, UriBool challengeAlignment); From 06b8b75d2e24a78bc190ba2b8a2c016e552054d0 Mon Sep 17 00:00:00 2001 
From: Ilija Tovilo
Date: Fri, 14 Feb 2025 11:57:20 +0100
Subject: [PATCH 4/4] Fix curl protocols test expectation
Closes GH-17803
(cherry picked from commit 5b87faaaa79c68be6ccf68974ee0454878806f79)
---
 ext/curl/tests/check_win_config.phpt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/curl/tests/check_win_config.phpt b/ext/curl/tests/check_win_config.phpt
index b3beb044a7cf..fc29e3728197 100644
--- a/ext/curl/tests/check_win_config.phpt
+++ b/ext/curl/tests/check_win_config.phpt
@@ -54,7 +54,7 @@ UNICODE => No
 ZSTD => No
 HSTS => Yes
 GSASL => No
-Protocols => dict, file, ftp, ftps, gopher, %r(gophers, )?%rhttp, https, imap, imaps, ldap, ldaps, %r(mqtt, )?%rpop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
+Protocols => dict, file, ftp, ftps, gopher, %r(gophers, )?%rhttp, https, imap, imaps, ldap, ldaps, %r(mqtt, )?%rpop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp%r(, ws)?(, wss)?%r
 Host => %s-pc-win32
 SSL Version => OpenSSL/%s
 ZLib Version => %s