PHP 8.3.29 released
PHP 8.3.29 has landed this week packed with bug fixes and tweaks across many areas. The core update involved syncing the boost.context files specifically with version 1.86.0 for better integration.
Beyond that core upgrade, developers have fixed several specific issues reported by users. One important fix is related to SensitiveParameter; it now correctly handles named arguments passed into variadic parameters (GH-20435). Another was addressing a problem where the program would crash during a userland stream_close() call if there was an 'use-after-destroy' situation (GH-20286), with contributions from ndossche and David Carlier.
Crash problems also got solved in other parts. For instance, inside Bz2, some assertion failures tied to specific stream filter object parameters have been resolved. Date functions aren't forgotten either; crashes related to uninstantiable classes when the date system tries to create them statically have finally been fixed (GH-20584).
Looking at security and stability: The DOM extension saw a fix for missing NUL byte checks in C14NFile(). Fibers had a tricky one too, where setting an overly small 'fiber.stack_size' value in the INI could lead to ASAN stack overflow errors (GH-20483), now resolved by David Carlier. There were also some FTP bugs cleared up; an issue with ftp_connect overflowing on certain timeout values (GH-20601) is fixed.
Over in GD, we've got imagegammacorrect handling out-of-range numbers better, and crashes during imagescale processing with very large height settings have been avoided (GH-20602). David Carlier also contributed fixes elsewhere.
For anyone working with internationalization, there's good news too. Spoofchecker::setRestrictionLevel() now gives much clearer error messages if a constant isn't defined properly; it'll point you toward the missing one (GH-20426). Daniel EScherzer made this happen.
PHP 8.3.29 didn't stop there with fixes, though. LibXML is seeing some changes, including deprecations for input buffer/parser handling when working with newer libxml versions. MbString users should note a fix for SLES15 compile errors involving mbstring/oniguruma (GH-20491) and also one that removes annoying compile warnings about non-string types (GH-20492).
MySQLnd got some attention as well, with Arnaud fixing an issue where using IPv6 addresses in specific formats broke the mysql connexion. Opcache problems were tackled too, specifically one causing opcache.file_cache to break under certain conditions related to interned strings (GH-20329). Jakub Zelenka contributed a fix for PDO quoting resulting in null dereference (CVE-2025-14180).
Packaging and file handling received updates too. Girgias fixed some types of issues in the PHPDBG extension, specifically phpdbg_get_executable() and phpdbg_end_oplog(). SPL deserialization was handled better; SplFixedArray now correctly manages references during unserialization (GH-20614). And the Phar extension's stub reading respects case-insensitivity as it should.
On the Standard side of things, several issues fixed leaks in array_diff() under custom type checks. There were also fixes for stack overflows in http_build_query when working with deeply nested arrays and null byte termination problems in dns_get_record() (GHSA-www2-q4fc-65wf). Finally, tidy-related bugs are addressed, including one involving custom tags (GH-20374).
The XML extension closes a specific gap too: it now handles special characters properly when passing data to xml_set_default_handler()'s callback. And the Zip component benefits from some stability fixes, preventing crashes in property existence checks and ensuring zip_fread() returns expected results rather than truncated ones for user-specified sizes.
Release php-8.3.29
Tag for php-8.3.29
