[pull] master from php:master#834
Merged
pull[bot] merged 18 commits intoturkdevops:masterfrom Apr 3, 2026
Merged
Conversation
The ZPP macros materialize into optimized code with many error branches that aren't useful to test for every function. Ignore these lines completely by using the gcovr --exclude-lines-by-pattern flag. For codecov to pick up on this change, we generate the xml file manually and point to it in the codecov action. Also move the ignore paths from codecov.yml to Makefile.gcov.
…reset
The code tries to read the context on NULL when
`php_stream_xport_crypto_setup` fails because by then `stream` is reset
to NULL.
This is also UB, so can cause miscompiles.
```
==1217==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000090 (pc 0x55d829ed3acf bp 0x7fff045f5770 sp 0x7fff045f4df0 T0)
==1217==The signal is caused by a READ memory access.
==1217==Hint: address points to the zero page.
#0 0x55d829ed3acf in php_stream_url_wrap_http_ex /work/php-src/ext/standard/http_fopen_wrapper.c:580
#1 0x55d829ed857e in php_stream_url_wrap_http /work/php-src/ext/standard/http_fopen_wrapper.c:1204
#2 0x55d82a15073d in _php_stream_open_wrapper_ex /work/php-src/main/streams/streams.c:2270
#3 0x55d829e78fa6 in zif_file_get_contents /work/php-src/ext/standard/file.c:409
#4 0x55d829bbfe39 in zif_phar_file_get_contents /work/php-src/ext/phar/func_interceptors.c:226
#5 0x55d82a0b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#6 0x55d82a3e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#7 0x55d82a540995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#8 0x55d82a5558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#9 0x55d82a6ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#10 0x55d82a0ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#11 0x55d82a0ecccb in php_execute_script /work/php-src/main/main.c:2685
#12 0x55d82a6bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#13 0x55d82a6c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#14 0x7f9e770491c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#15 0x7f9e7704928a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#16 0x55d829209b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
Closes GH-21468.
Closes GH-21031.
* PHP-8.4: Fix NULL deref when enabling TLS fails and the peer name needs to be reset
* PHP-8.5: Fix NULL deref when enabling TLS fails and the peer name needs to be reset
When trying to build on LibreSSL, I encounter the following build
warning (this was observed on master, but applies to 8.4 too):
```
/work/php-src/ext/openssl/openssl.c: In function 'zif_openssl_x509_parse':
/work/php-src/ext/openssl/openssl.c:1101:22: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
1101 | purp = X509_PURPOSE_get0(i);
| ^
/work/php-src/ext/openssl/openssl.c:1110:23: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
1110 | pname = useshortnames ? X509_PURPOSE_get0_sname(purp) : X509_PURPOSE_get0_name(purp);
```
* PHP-8.4: Fix build warning on LibreSSL (#21050)
* PHP-8.5: Fix build warning on LibreSSL (#21050)
Only one of the two arrays (subitem) is destroyed, and critext is not.
This leads to a memory leak if the loop bails out:
```
Direct leak of 56 byte(s) in 1 object(s) allocated from:
#0 0x7f309fe699c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x563b9709ca05 in tracked_malloc /work/php-src/Zend/zend_alloc.c:3018
#2 0x563b9709b969 in _emalloc /work/php-src/Zend/zend_alloc.c:2780
#3 0x563b9737dc7b in _zend_new_array /work/php-src/Zend/zend_hash.c:290
#4 0x563b960f40fc in zif_openssl_x509_parse /work/php-src/ext/openssl/openssl.c:1120
#5 0x563b96eb7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#6 0x563b971e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#7 0x563b97340995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#8 0x563b973558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#9 0x563b974ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#10 0x563b96eec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#11 0x563b96eecccb in php_execute_script /work/php-src/main/main.c:2685
#12 0x563b974bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#13 0x563b974c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#14 0x7f309f1641c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#15 0x7f309f16428a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#16 0x563b96009b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
We're fetching the digest using the new method, but if an alias is used, the method is fetched via EVP_MD_fetch() which requires lifetime management. This is observable when using "sha-256" instead of "sha256" as an algorithm name. This is a regression in comparison to PHP 8.4. Closes GH-21039.
* PHP-8.5: Fix memory leak regression in openssl_pbkdf2()
- reuse BIO object in certificate chain loops. Avoid repeated BIO_new/BIO_free per iteration in PKCS12, PKCS7, and CMS read functions. Allocate once before the loop, BIO_reset between iterations, free after. - Avoid double zval_get_long() call in threads option parsing. - Reuse already computed string length instead of calling strlen() again.
Most functions in OpenSSL can handle NULL arguments, but apparently
i2d_PKCS12_bio not. Prevent crashes by adding a NULL check.
ASAN trace:
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==132158==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7fc646e33b69 bp 0x7fff7fe53d30 sp 0x7fff7fe53d18 T0)
==132158==The signal is caused by a WRITE memory access.
==132158==Hint: address points to the zero page.
#0 0x7fc646e33b69 in BIO_up_ref (/lib/x86_64-linux-gnu/libcrypto.so.3+0xedb69) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#1 0x7fc646e3eac2 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xf8ac2) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#2 0x7fc646f126f0 (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1cc6f0) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#3 0x7fc646f12aa6 in OSSL_ENCODER_to_bio (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1ccaa6) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#4 0x7fc647038adf in PEM_write_bio_PrivateKey_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2adf) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#5 0x7fc647038bc7 in PEM_write_bio_PrivateKey (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2bc7) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#6 0x55ed204f881e in zif_openssl_pkcs12_read /work/php-src/ext/openssl/openssl.c:1520
#7 0x55ed215aa81b in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /work/php-src/Zend/zend_vm_execute.h:1355
#8 0x55ed217101a9 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116469
#9 0x55ed217253d0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#10 0x55ed21889bcb in zend_execute_script /work/php-src/Zend/zend.c:1980
#11 0x55ed212bc3db in php_execute_script_ex /work/php-src/main/main.c:2645
#12 0x55ed212bc7eb in php_execute_script /work/php-src/main/main.c:2685
#13 0x55ed2188f736 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#14 0x55ed21891d03 in main /work/php-src/sapi/cli/php_cli.c:1362
#15 0x7fc6469c61c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#16 0x7fc6469c628a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#17 0x55ed20409b54 in _start (/work/php-src/sapi/cli/php+0x609b54) (BuildId: 7ce2ce63d1ea0b60b6ee6599e1c6b5160f97af1e)
```
Closes GH-20995.
ASAN report:
```
Direct leak of 272 byte(s) in 1 object(s) allocated from:
#0 0x7f4ce970d9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f4ce8fa97c4 in CRYPTO_zalloc (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2237c4) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#2 0x7f4ce910adbd in X509_STORE_CTX_new_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x384dbd) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#3 0x563e4a51c26c in php_openssl_check_cert /work/php-src/ext/openssl/openssl_backend_common.c:748
#4 0x563e4a4f529c in zif_openssl_x509_checkpurpose /work/php-src/ext/openssl/openssl.c:1221
#5 0x563e4b2b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#6 0x563e4b5e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#7 0x563e4b740995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#8 0x563e4b7558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#9 0x563e4b8ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#10 0x563e4b2ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#11 0x563e4b2ecccb in php_execute_script /work/php-src/main/main.c:2685
#12 0x563e4b8bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#13 0x563e4b8c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#14 0x7f4ce8a081c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#15 0x7f4ce8a0828a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#16 0x563e4a409b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
Closes GH-21009.
Other locations of EVP_PKEY_CTX_new() pass the pointer into a function
that can handle NULL pointer inputs; OR they check for a NULL pointer.
EVP_PKEY_check() apparently cannot handle a NULL pointer argument:
```
==3749==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000088 (pc 0x7f6f4550c0fb bp 0x7ffcbff3a9c0 sp 0x7ffcbff3a9b0 T0)
==3749==The signal is caused by a READ memory access.
==3749==Hint: address points to the zero page.
#0 0x7f6f4550c0fb in EVP_PKEY_pairwise_check (/lib/x86_64-linux-gnu/libcrypto.so.3+0x20f0fb) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
#1 0x561499d27117 in php_openssl_pkey_init_ec /work/php-src/ext/openssl/openssl_backend_v3.c:459
#2 0x561499cfe328 in zif_openssl_pkey_new /work/php-src/ext/openssl/openssl.c:2061
#3 0x56149aab7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
#4 0x56149ade024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
#5 0x56149af40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
#6 0x56149af558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
#7 0x56149b0ba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
#8 0x56149aaec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
#9 0x56149aaecccb in php_execute_script /work/php-src/main/main.c:2685
#10 0x56149b0bfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
#11 0x56149b0c21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
#12 0x7f6f44f7f1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#13 0x7f6f44f7f28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#14 0x561499c09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: eb0a8e6b6d683fbdf45156dfed4d76f9110252b9)
```
Closes GH-21013.
* PHP-8.4: Fix crash in php_openssl_pkey_init_ec() when EVP_PKEY_CTX_new() fails Fix memory leak in check_cert() when X509_STORE_CTX_init() fails Fix NPD when i2d_PKCS12_bio is called on NULL bio
* PHP-8.5: Fix crash in php_openssl_pkey_init_ec() when EVP_PKEY_CTX_new() fails Fix memory leak in check_cert() when X509_STORE_CTX_init() fails Fix NPD when i2d_PKCS12_bio is called on NULL bio
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )