From b3c259c13c9d0fa9014ca59adcbdd09212bed670 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Mon, 16 Feb 2026 17:49:37 +0000 Subject: [PATCH 1/3] Revert "ext/posix: validate permissions argument in posix_mkfifo()" This reverts commit 6bd97e72b719599b3110fd5ec543b2996f52ba63. --- NEWS | 2 -- ext/posix/posix.c | 5 --- .../tests/posix_mkfifo_invalid_mode.phpt | 36 ------------------- 3 files changed, 43 deletions(-) delete mode 100644 ext/posix/tests/posix_mkfifo_invalid_mode.phpt diff --git a/NEWS b/NEWS index e6688bb6791b..dae787ab53f8 100644 --- a/NEWS +++ b/NEWS @@ -80,8 +80,6 @@ PHP NEWS - Posix: . Added validity check to the flags argument for posix_access(). (arshidkv12) - . Added validity check to the permissions argument for posix_mkfifo(). - (arshidkv12) - Reflection: . Fixed bug GH-20217 (ReflectionClass::isIterable() incorrectly returns true diff --git a/ext/posix/posix.c b/ext/posix/posix.c index a81372349fd4..76e14f6ecb0c 100644 --- a/ext/posix/posix.c +++ b/ext/posix/posix.c @@ -621,11 +621,6 @@ PHP_FUNCTION(posix_mkfifo) RETURN_FALSE; } - if (mode < 0 || (mode & ~07777)) { - zend_argument_value_error(2, "must be between 0 and 0o7777"); - RETURN_THROWS(); - } - result = mkfifo(ZSTR_VAL(path), mode); if (result < 0) { POSIX_G(last_error) = errno; diff --git a/ext/posix/tests/posix_mkfifo_invalid_mode.phpt b/ext/posix/tests/posix_mkfifo_invalid_mode.phpt deleted file mode 100644 index 5c9f251adfca..000000000000 --- a/ext/posix/tests/posix_mkfifo_invalid_mode.phpt +++ /dev/null 
@@ -1,36 +0,0 @@ ---TEST-- -posix_mkfifo(): invalid mode argument ---SKIPIF-- - ---FILE-- -getMessage(), "\n"; -} - -// Too large mode -try { - posix_mkfifo(__DIR__ . "/testfifo2", 010000); // > 07777 -} catch (ValueError $e) { - echo $e->getMessage(), "\n"; -} - -// Garbage bits -try { - posix_mkfifo(__DIR__ . "/testfifo3", 020000); // S_IFCHR bit -} catch (ValueError $e) { - echo $e->getMessage(), "\n"; -} -?> ---EXPECTF-- -posix_mkfifo(): Argument #2 ($permissions) must be between 0 and 0o7777 -posix_mkfifo(): Argument #2 ($permissions) must be between 0 and 0o7777 -posix_mkfifo(): Argument #2 ($permissions) must be between 0 and 0o7777 From 84bfe2fadda9e2a072d136c60ce5923b8967df31 Mon Sep 17 00:00:00 2001 From: ndossche <7771979+ndossche@users.noreply.github.com> Date: Mon, 16 Feb 2026 19:22:03 +0100 Subject: [PATCH 2/3] Update EXTENSIONS to reflect reality Not very interested in doing active development on these components anymore, I'll be around to fix critical issues however. --- EXTENSIONS | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/EXTENSIONS b/EXTENSIONS index 396974d3c1fe..e1eee3c0239c 100644 --- a/EXTENSIONS +++ b/EXTENSIONS 
@@ -170,57 +170,57 @@ EXTENSION: dom PRIMARY MAINTAINER: Christian Stocker (2003 - 2011) Rob Richards (2003 - 2012) Marcus Börger (2003 - 2006) - Niels Dossche (2023 - 2025) -MAINTENANCE: Maintained + Nora Dossche (2023 - 2026) +MAINTENANCE: Odd fixes STATUS: Working SINCE: 5.0 ------------------------------------------------------------------------------- EXTENSION: simplexml PRIMARY MAINTAINER: Marcus Börger (2003 - 2008) - Niels Dossche (2023 - 2025) -MAINTENANCE: Maintained + Nora Dossche (2023 - 2026) +MAINTENANCE: Odd fixes STATUS: Working SINCE: 5.0 ------------------------------------------------------------------------------- EXTENSION: soap PRIMARY MAINTAINER: Dmitry Stogov (2004 - 2018) - Niels Dossche (2024 - 2025) + Nora Dossche (2024 - 2026) MAINTENANCE: Odd fixes STATUS: Working ------------------------------------------------------------------------------- EXTENSION: xml PRIMARY MAINTAINER: Thies C. Arntzen (1999 - 2002) Rob Richards (2003 - 2013) - Niels Dossche (2023 - 2025) -MAINTENANCE: Maintained + Nora Dossche (2023 - 2026) +MAINTENANCE: Odd fixes STATUS: Working ------------------------------------------------------------------------------- EXTENSION: libxml PRIMARY MAINTAINER: Rob Richards (2003 - 2009) Christian Stocker (2004 - 2011) - Niels Dossche (2023 - 2025) -MAINTENANCE: Maintained + Nora Dossche (2023 - 2026) +MAINTENANCE: Odd fixes STATUS: Working ------------------------------------------------------------------------------- EXTENSION: xmlreader PRIMARY MAINTAINER: Rob Richards (2004 - 2010) Christian Stocker (2004 - 2004) - Niels Dossche (2023 - 2025) -MAINTENANCE: Maintained + Nora Dossche (2023 - 2026) +MAINTENANCE: Odd fixes STATUS: Working ------------------------------------------------------------------------------- EXTENSION: xmlwriter PRIMARY MAINTAINER: Rob Richards (2004 - 2010) Pierre-Alain Joye (2005-2009) - Niels Dossche (2023 - 2025) -MAINTENANCE: Maintained + Nora Dossche (2023 - 2026) +MAINTENANCE: Odd fixes 
STATUS: Working ------------------------------------------------------------------------------- EXTENSION: xsl PRIMARY MAINTAINER: Christian Stocker (2003 - 2011) Rob Richards (2003 - 2010) - Niels Dossche (2023 - 2025) -MAINTENANCE: Maintained + Nora Dossche (2023 - 2026) +MAINTENANCE: Odd fixes STATUS: Working SINCE: 5.0 ------------------------------------------------------------------------------- @@ -486,8 +486,8 @@ EXTENSION: tidy PRIMARY MAINTAINER: John Coggeshall (2003 - 2006) Ilia Alshanetsky (2003 - 2009) Nuno Lopes (2006 - 2012) - Niels Dossche (2025 - 2025) -MAINTENANCE: Maintained + Nora Dossche (2025 - 2026) +MAINTENANCE: Odd fixes STATUS: Working ------------------------------------------------------------------------------- EXTENSION: tokenizer From 37c5a13d67798909e18e03c81b3341950f04a409 Mon Sep 17 00:00:00 2001 From: Jordi Kroon Date: Sun, 15 Feb 2026 23:55:43 +0100 Subject: [PATCH 3/3] replace alloca with do_alloca in mb_guess_encoding_for_strings This avoids a crash in cases where the list of candidate encodings is so huge that alloca would fail. Such crashes have been observed when the list of encodings was larger than around 208,000 entries. --- NEWS | 4 ++++ ext/mbstring/mbstring.c | 11 ++++++++--- ext/mbstring/tests/gh21223.phpt | 19 +++++++++++++++++++ 3 files changed, 31 insertions(+), 3 deletions(-) create mode 100644 ext/mbstring/tests/gh21223.phpt diff --git a/NEWS b/NEWS index 4f965513037f..ee8e49f73203 100644 --- a/NEWS +++ b/NEWS @@ -27,6 +27,10 @@ PHP NEWS . Fixed bug GH-21097 (Accessing Dom\Node properties can can throw TypeError). (ndossche) +- MBString: + . Fixed bug GH-21223; mb_guess_encoding no longer crashes when passed huge + list of candidate encodings (with 200,000+ entries). (Jordi Kroon) + - Opcache: . Fixed bug GH-20718 ("Insufficient shared memory" when using JIT on Solaris). (Petr Sumbera) diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c index b320a6a5f0e4..9833a37cdb76 100644 
--- a/ext/mbstring/mbstring.c +++ b/ext/mbstring/mbstring.c @@ -3376,8 +3376,9 @@ MBSTRING_API const mbfl_encoding* mb_guess_encoding_for_strings(const unsigned c return *elist; } - /* Allocate on stack; when we return, this array is automatically freed */ - struct candidate *array = alloca(elist_size * sizeof(struct candidate)); + /* Allocate on stack or heap */ + ALLOCA_FLAG(use_heap) + struct candidate *array = do_alloca(elist_size * sizeof(struct candidate), use_heap); elist_size = init_candidate_array(array, elist_size, elist, strings, str_lengths, n, strict, order_significant); while (n--) { @@ -3385,6 +3386,7 @@ MBSTRING_API const mbfl_encoding* mb_guess_encoding_for_strings(const unsigned c elist_size = count_demerits(array, elist_size, strict); if (elist_size == 0) { /* All candidates were eliminated */ + free_alloca(array, use_heap); return NULL; } } @@ -3396,7 +3398,10 @@ MBSTRING_API const mbfl_encoding* mb_guess_encoding_for_strings(const unsigned c best = i; } } - return array[best].enc; + + const mbfl_encoding *result = array[best].enc; + free_alloca(array, use_heap); + return result; } /* When doing 'strict' detection, any string which is invalid in the candidate encoding diff --git a/ext/mbstring/tests/gh21223.phpt b/ext/mbstring/tests/gh21223.phpt new file mode 100644 index 000000000000..7138868af169 --- /dev/null +++ b/ext/mbstring/tests/gh21223.phpt @@ -0,0 +1,19 @@ +--TEST-- +GH-21223 (Stack overflow in mb_guess_encoding called via mb_detect_encoding) +--EXTENSIONS-- +mbstring +--FILE-- + +--EXPECT-- +string(5) "UTF-8" +Done
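Review bot: The size handed to `do_alloca` in the first mbstring.c hunk is still the unchecked product `elist_size * sizeof(struct candidate)`, and the new comment `/* Allocate on stack or heap */` drops the old comment's information about who frees the array. Wrap-around looks unlikely, since elist_size presumably counts entries of a list that already exists in memory, but that bound is not visible in the hunk and is worth stating or checking. I would write the comment as `/* Small lists stay on the stack, large ones fall back to the heap; every return below must call free_alloca() */`. The function body starts and ends outside this hunk.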
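Review bot: With the heap fallback, any return that skips `free_alloca(array, use_heap)` now leaks the array instead of having it reclaimed with the stack frame, and the second and third hunks only cover the two returns they show. A few lines of the function between those hunks are not visible, so confirm that no other exit exists there. Routing both exits through one cleanup point would make this harder to miss later: declare `const mbfl_encoding *result = NULL;` before the loop, leave the loop on `elist_size == 0`, and end with a single `free_alloca(array, use_heap); return result;`.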