Software 42787 Published by

The release candidate for PHP 8.2.26 has been released for testing. The updates fix a shebang problem in the cli-server, issues with writing to SafeArray data that are outside of their bounds, a crash that happens when Xcode 16 clang is used on macOS 15, an assertion failure in Zend/zend_weakrefs.c:646, an error in the way ZEND_ACC_RETURN_REFERENCE was propagated for call trampoline, an incorrect line number in a function redeclaration error, a use-after-free issue during array sorting, and a reference to CurlMultiHandle holding on to a reference to CurlHandle when the operation fails.



php-8.2.26RC1

- Cli:
. Fixed bug GH-16373 (Shebang is not skipped for router script in cli-server
started through shebang). (ilutov)

- COM:
. Fixed out of bound writes to SafeArray data. (cmb)

- Core:
. Fixed bug GH-16168 (php 8.1 and earlier crash immediately when compiled
with Xcode 16 clang on macOS 15). (nielsdos)
. Fixed bug GH-16371 (Assertion failure in Zend/zend_weakrefs.c:646). (Arnaud)
. Fixed bug GH-16515 (Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for
call trampoline). (ilutov)
. Fixed bug GH-16509 (Incorrect line number in function redeclaration error).
(ilutov)
. Fixed bug GH-16508 (Incorrect line number in inheritance errors of delayed
early bound classes). (ilutov)
. Fixed bug GH-16648 (Use-after-free during array sorting). (ilutov)

- Curl:
. Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if
curl_multi_add_handle fails). (timwolla)

- Date:
. Fixed bug GH-16454 (Unhandled INF in date_sunset() with tiny $utcOffset).
(cmb)
. Fixed bug GH-16037 (Assertion failure in ext/date/php_date.c). (Derick)
. Fixed bug GH-14732 (date_sun_info() fails for non-finite values). (cmb)

- DBA:
. Fixed bug GH-16390 (dba_open() can segfault for "pathless" streams). (cmb)

- DOM:
. Fixed bug GH-16316 (DOMXPath breaks when not initialized properly).
(nielsdos)
. Fixed bug GH-16473 (dom_import_simplexml stub is wrong). (nielsdos)
. Fixed bug GH-16533 (Segfault when adding attribute to parent that is not
an element). (nielsdos)
. Fixed bug GH-16535 (UAF when using document as a child). (nielsdos)
. Fixed bug GH-16593 (Assertion failure in DOM->replaceChild). (nielsdos)
. Fixed bug GH-16595 (Another UAF in DOM -> cloneNode). (nielsdos)

- EXIF:
. Fixed bug GH-16409 (Segfault in exif_thumbnail when not dealing with a
real file). (nielsdos, cmb)

- FFI:
. Fixed bug GH-16397 (Segmentation fault when comparing FFI object).
(nielsdos)

- Filter:
. Fixed bug GH-16523 (FILTER_FLAG_HOSTNAME accepts ending hyphen). (cmb)

- FPM:
. Fixed bug GH-16628 (FPM logs are getting corrupted with this log
statement). (nielsdos)

- GD:
. Fixed bug GH-16334 (imageaffine overflow on matrix elements).
(David Carlier)
. Fixed bug GH-16427 (Unchecked libavif return values). (cmb)
. Fixed bug GH-16559 (UBSan abort in ext/gd/libgd/gd_interpolation.c:1007).
(nielsdos)

- GMP:
. Fixed floating point exception bug with gmp_pow when using
large exposant values. (David Carlier).
. Fixed bug GH-16411 (gmp_export() can cause overflow). (cmb)
. Fixed bug GH-16501 (gmp_random_bits() can cause overflow).
(David Carlier)
. Fixed gmp_pow() overflow bug with large base/exponents.
(David Carlier)
. Fixed segfaults and other issues related to operator overloading with
GMP objects. (Girgias)

- MBstring:
. Fixed bug GH-16361 (mb_substr overflow on start/length arguments).
(David Carlier)

- OpenSSL:
. Fixed bug GH-16357 (openssl may modify member types of certificate arrays).
(cmb)
. Fixed bug GH-16433 (Large values for openssl_csr_sign() $days overflow).
(cmb)
. Fix various memory leaks on error conditions in openssl_x509_parse().
(nielsdos)

- PDO_ODBC:
. Fixed bug GH-16450 (PDO_ODBC can inject garbage into field values). (cmb)

- Phar:
. Fixed bug GH-16406 (Assertion failure in ext/phar/phar.c:2808). (nielsdos)

- PHPDBG:
. Fixed bug GH-16174 (Empty string is an invalid expression for ev). (cmb)

- Reflection:
. Fixed bug GH-16601 (Memory leak in Reflection constructors). (nielsdos)

- Session:
. Fixed bug GH-16385 (Unexpected null returned by session_set_cookie_params).
(nielsdos)
. Fixed bug GH-16290 (overflow on cookie_lifetime ini value).
(David Carlier)

- SOAP:
. Fixed bug GH-16429 (Segmentation fault access null pointer in SoapClient).
(nielsdos)

- Sockets:
. Fixed bug with overflow socket_recvfrom $length argument. (David Carlier)

- SPL:
. Fixed bug GH-16337 (Use-after-free in SplHeap). (nielsdos)
. Fixed bug GH-16464 (Use-after-free in SplDoublyLinkedList::offsetSet()).
(ilutov)
. Fixed bug GH-16479 (Use-after-free in SplObjectStorage::setInfo()). (ilutov)
. Fixed bug GH-16478 (Use-after-free in SplFixedArray::unset()). (ilutov)
. Fixed bug GH-16588 (UAF in Observer->serialize). (nielsdos)
. Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed
SplFileObject::__constructor). (Girgias)
. Fixed bug GH-16589 (UAF in SplDoublyLinked->serialize()). (nielsdos)
. Fixed bug GH-14687 (segfault on SplObjectIterator instance).
(David Carlier)
. Fixed bug GH-16604 (Memory leaks in SPL constructors). (nielsdos)
. Fixed bug GH-16646 (UAF in ArrayObject::unset() and
ArrayObject::exchangeArray()). (ilutov)

- Standard:
. Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with
bail enabled). (ilutov)

- SysVMsg:
. Fixed bug GH-16592 (msg_send() crashes when a type does not properly
serialized). (David Carlier / cmb)

- SysVShm:
. Fixed bug GH-16591 (Assertion error in shm_put_var). (nielsdos, cmb)

- XMLReader:
. Fixed bug GH-16292 (Segmentation fault in ext/xmlreader/php_xmlreader.c).
(nielsdos)

- Zlib:
. Fixed bug GH-16326 (Memory management is broken for bad dictionaries.)
(cmb)

Release php-8.2.26RC1 · php/php-src