
The release candidate for PHP 8.4.13 has been announced, which addresses numerous bugs and security vulnerabilities across various components of the PHP ecosystem. The update fixes over 20 issues, including core, CLI, date, DBA, DOM, FPM, Intl, Opcache, OpenSSL, PGSQL, Phar, and Streams-related problems. Key fixes include resolving memory leaks, potential use-after-free errors, and integer overflow issues, as well as improving error messages and handling for various scenarios. 



PHP 8.4.13 Release Candidate

Calvin Buckley has announced the release candidate for PHP 8.4.13, a crucial update that addresses numerous bugs and security vulnerabilities in the PHP ecosystem.


Change Log Highlights
Core Fixes
  1. GH-18850: A bug was fixed where repeated inclusion of a file with __halt_compiler() would trigger a "Constant already defined" warning.
  2. GH-19542: The scanning of string literals over 2GB now works correctly, avoiding signed int overflow errors.
  3. GH-19544: The garbage collector (GC) was corrected to treat ZEND_WEAKREF_TAG_MAP references as WeakMap references.
  4. GH-19613: A stale array iterator pointer issue was resolved.
  5. GH-19679: PHP's expansion path, PHP_EXPAND_PATH, now works correctly with bash 5.3.0.
  6. GH-19720: An assertion failure that occurred when an error handler threw while accessing a deprecated constant was fixed.
CLI Fixes
  1. GH-19461: The error message for listening errors with IPv6 addresses was improved.
Date Fixes
  1. date_sunrise() and date_sunset(): These functions now work correctly with partial-hour UTC offsets.
DBA Fixes
  1. GH-19706: A bug in the management of DBA stream resources was fixed.
DOM Fixes
  1. GH-19612: A libxml2 tree dictionary bug was mitigated.
FPM Fixes
  1. Failed debug assertion: When a PHP administrator value setting fails, a failed debug assertion is no longer triggered.

Intl Fixes

  1. GH-11952: The canonicalization of locale strings for IntlDateFormatter and NumberFormatter was fixed.
Opcache Fixes
  1. JIT variable storage: A bug where JIT variables were not stored before YIELD was resolved.
OpenSSL Fixes
  1. TLS stream accept failure: The "Success" error message reported on a TLS stream accept failure was corrected.
PGSQL Fixes
  1. Potential use after free: A bug that caused a potential use-after-free issue with persistent pgsql connections was fixed.
Phar Fixes
  1. Memory leaks: Various memory leaks were resolved in Phar, including those related to verifying OpenSSL signatures and handling temporary files.
  2. Metadata leak: A metadata leak that occurred when the phar convert logic fails was fixed.
  3. Phar decompression: A bug that caused a use-after-free (UAF) issue with invalid extensions during Phar decompression was fixed.

Standard Fixes

  1. GH-16649: A UAF error was resolved in array_splice().
  2. GH-19577: An integer overflow issue when using a small offset and PHP_INT_MAX with LimitIterator was avoided.
Streams Fixes

  1. zval_ptr_dtor() removal: An incorrect call to zval_ptr_dtor() in user_wrapper_metadata() was removed.
  2. OSS-Fuzz fix: A bug reported by OSS-Fuzz (#385993744) was fixed.

The download is available on the GitHub page below:

Release php-8.4.13RC1 · php/php-src

Tag for php-8.4.13RC1
