[pull] master from php:master

NEWS

@@ -164,6 +164,7 @@ PHP                                                                        NEWS
     ignored. (ndossche)
   . Fixed a bypass of the magic ".phar" directory protection in
     Phar::addEmptyDir() for paths starting with "/.phar". (Weilin Du)
+  . Fixed an integer underflow when parsing ZIP extra fields. (Weilin Du)
   . Phar::addEmptyDir() now allows non-magic directory names that merely
     share the ".phar" prefix. (Weilin Du)
   . Support overridden methods in SplFileInfo for getMTime() and getPathname()
@@ -254,6 +255,8 @@ PHP                                                                        NEWS
     (Weilin Du)
   . getenv() and putenv() now raises a ValueError when the first argument
     contains null bytes. (Weilin Du)
+  . dl() now raises a ValueError when the $extension_filename argument
+    contains null bytes. (Weilin Du)
   . parse_str() now raises a ValueError when the $string argument contains
     null bytes. (Weilin Du)
   . proc_open() now raises a ValueError when the $cwd argument contains

UPGRADING

@@ -151,6 +151,8 @@ PHP 8.6 UPGRADE NOTES
     argument value is passed.
   . getenv() and putenv() now raises a ValueError when the first argument
     contains null bytes.
+  . dl() now raises a ValueError when the $extension_filename argument
+    contains null bytes.
   . parse_str() now raises a ValueError when the $string argument contains
     null bytes.
   . linkinfo() now raises a ValueError when the $path argument is empty.
@@ -233,6 +235,10 @@ PHP 8.6 UPGRADE NOTES
     tcp_keepintvl and tcp_keepcnt that allow setting socket keepalive
     options.
   . Allowed casting casting filtered streams as file descriptor for select.
+  . Added the "write_seek_mode stream" filter parameter for the bz2, iconv,
+    zlib, and string stream filters. This parameter must be set via an
+    associative array where the key is "write_seek_mode stream" and the
+    value is one of the following strings "preserve", "reset", or "strict".
 
 - URI:
   . Added Uri\Rfc3986\Uri:getUriType() and Uri\WhatWg\Url:isSpecialScheme().

ext/pdo_odbc/odbc_stmt.c

@@ -702,8 +702,9 @@ static int odbc_stmt_get_col(pdo_stmt_t *stmt, int colno, zval *result, enum pdo
 			}
 			ssize_t to_fetch_byte = to_fetch_len + 1;
 			char *buf2 = emalloc(to_fetch_byte);
-			zend_string *str = zend_string_init(C->data, to_fetch_byte, 0);
-			size_t used = to_fetch_len;
+			ssize_t seed_len = to_fetch_len > (LONG_COLUMN_BUFFER_SIZE - 1) ? (LONG_COLUMN_BUFFER_SIZE - 1) : to_fetch_len;
+			zend_string *str = zend_string_init(C->data, seed_len + 1, 0);
+			size_t used = seed_len;
 
 			do {
 				C->fetched_len = 0;

ext/pdo_odbc/tests/gh22349.phpt

@@ -0,0 +1,45 @@
+--TEST--
+GH-22349 (Heap over-read fetching a long column past the internal buffer)
+--EXTENSIONS--
+pdo_odbc
+--SKIPIF--
+<?php
+require 'ext/pdo/tests/pdo_test.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+require 'ext/pdo/tests/pdo_test.inc';
+$db = PDOTest::test_factory('ext/pdo_odbc/tests/common.phpt');
+$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
+
+$db->exec('DROP TABLE test_gh22349');
+if (false === $db->exec('CREATE TABLE test_gh22349 (data text)')
+    && false === $db->exec('CREATE TABLE test_gh22349 (data CLOB)')
+    && false === $db->exec('CREATE TABLE test_gh22349 (data longtext)')) {
+    die("BORK: no large text column type available here: " . implode(", ", $db->errorInfo()) . "\n");
+}
+
+$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+
+// The driver fetches a long column into an internal buffer of roughly one
+// memory page and reassembles the remainder. Exercise values that span and
+// exceed that buffer so the seeded length must match the bytes present.
+foreach ([4096, 8192, 65536] as $len) {
+    $db->exec('DELETE FROM test_gh22349');
+    $text = str_repeat('A', $len);
+    $db->exec("INSERT INTO test_gh22349 VALUES ('$text')");
+    $got = $db->query('SELECT data FROM test_gh22349')->fetchColumn();
+    printf("%d: %s\n", $len, ($got === $text) ? 'ok' : ('MISMATCH len=' . strlen($got)));
+}
+?>
+--CLEAN--
+<?php
+require 'ext/pdo/tests/pdo_test.inc';
+$db = PDOTest::test_factory('ext/pdo_odbc/tests/common.phpt');
+$db->exec('DROP TABLE test_gh22349');
+?>
+--EXPECT--
+4096: ok
+8192: ok
+65536: ok

ext/phar/tests/zip/zip_extra_underflow.phpt

@@ -0,0 +1,91 @@
+--TEST--
+Phar: ZIP extra field length must not underflow
+--EXTENSIONS--
+phar
+--FILE--
+<?php
+function uint16($value) {
+    return pack('v', $value);
+}
+
+function uint32($value) {
+    return pack('V', $value);
+}
+
+$filename = __DIR__ . '/zip_extra_underflow.zip';
+$entry = 'test.txt';
+$contents = 'hello';
+$crc = crc32($contents);
+
+$local = uint32(0x04034b50)
+    . uint16(20)
+    . uint16(0)
+    . uint16(0)
+    . uint16(0)
+    . uint16(0)
+    . uint32($crc)
+    . uint32(strlen($contents))
+    . uint32(strlen($contents))
+    . uint16(strlen($entry))
+    . uint16(0)
+    . $entry
+    . $contents;
+
+$extra = 'XX' . uint16(1);
+
+/* Old code seeks one byte past the extra field and parses this as another extra header. */
+$commentPrefix = 'A'
+    . 'UT'
+    . uint16(5)
+    . "\x01"
+    . uint32(946684800)
+    . 'ZZ'
+    . uint16(65522);
+$comment = $commentPrefix . str_repeat('B', 65535 - strlen($commentPrefix));
+
+$central = uint32(0x02014b50)
+    . uint16(20)
+    . uint16(20)
+    . uint16(0)
+    . uint16(0)
+    . uint16(0)
+    . uint16(0)
+    . uint32($crc)
+    . uint32(strlen($contents))
+    . uint32(strlen($contents))
+    . uint16(strlen($entry))
+    . uint16(strlen($extra))
+    . uint16(strlen($comment))
+    . uint16(0)
+    . uint16(0)
+    . uint32(0)
+    . uint32(0)
+    . $entry
+    . $extra
+    . $comment;
+
+$eocd = uint32(0x06054b50)
+    . uint16(0)
+    . uint16(0)
+    . uint16(1)
+    . uint16(1)
+    . uint32(strlen($central))
+    . uint32(strlen($local))
+    . uint16(0);
+
+file_put_contents($filename, $local . $central . $eocd);
+
+try {
+    $phar = new PharData($filename);
+    echo "Loaded corrupt ZIP\n";
+    echo $phar[$entry]->getMTime(), "\n";
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/zip_extra_underflow.zip');
+?>
+--EXPECTF--
+phar error: Unable to process extra field header for file in central directory in zip-based phar "%szip_extra_underflow.zip"

ext/phar/zip.c

@@ -39,19 +39,30 @@ static inline void phar_write_16(char buffer[2], uint32_t value)
 # define PHAR_SET_32(var, value) phar_write_32(var, (uint32_t) (value));
 # define PHAR_SET_16(var, value) phar_write_16(var, (uint16_t) (value));
 
-static zend_result phar_zip_process_extra(php_stream *fp, phar_entry_info *entry, uint16_t len) /* {{{ */
+static zend_result phar_zip_process_extra(php_stream *fp, phar_entry_info *entry, uint16_t extra_len) /* {{{ */
 {
 	union {
 		phar_zip_extra_field_header header;
 		phar_zip_unix3 unix3;
 		phar_zip_unix_time time;
 	} h;
+	size_t len = extra_len;
 	size_t read;
 
-	do {
+	while (len) {
+		size_t header_size;
+
+		if (len < sizeof(h.header)) {
+			return FAILURE;
+		}
 		if (sizeof(h.header) != php_stream_read(fp, (char *) &h.header, sizeof(h.header))) {
 			return FAILURE;
 		}
+		len -= sizeof(h.header);
+		header_size = PHAR_GET_16(h.header.size);
+		if (header_size > len) {
+			return FAILURE;
+		}
 
 		if (h.header.tag[0] == 'U' && h.header.tag[1] == 'T') {
 			/* Unix timestamp header found.
@@ -60,7 +71,6 @@ static zend_result phar_zip_process_extra(php_stream *fp, phar_entry_info *entry
 			 * We only store the modification time in the entry, so only read that.
 			 */
 			const size_t min_size = 5;
-			uint16_t header_size = PHAR_GET_16(h.header.size);
 			if (header_size >= min_size) {
 				read = php_stream_read(fp, &h.time.flags, min_size);
 				if (read != min_size) {
@@ -71,36 +81,48 @@ static zend_result phar_zip_process_extra(php_stream *fp, phar_entry_info *entry
 					entry->timestamp = PHAR_GET_32(h.time.time);
 				}
 
-				len -= header_size + 4;
-
 				/* Consume remaining bytes */
-				if (header_size != read) {
-					php_stream_seek(fp, header_size - read, SEEK_CUR);
+				if (header_size != read && -1 == php_stream_seek(fp, header_size - read, SEEK_CUR)) {
+					return FAILURE;
 				}
+				len -= header_size;
 				continue;
 			}
 			/* Fallthrough to next if to skip header */
 		}
 
 		if (h.header.tag[0] != 'n' || h.header.tag[1] != 'u') {
 			/* skip to next header */
-			php_stream_seek(fp, PHAR_GET_16(h.header.size), SEEK_CUR);
-			len -= PHAR_GET_16(h.header.size) + 4;
+			if (header_size && -1 == php_stream_seek(fp, header_size, SEEK_CUR)) {
+				return FAILURE;
+			}
+			len -= header_size;
 			continue;
 		}
 
 		/* unix3 header found */
-		read = php_stream_read(fp, (char *) &(h.unix3.crc32), sizeof(h.unix3) - sizeof(h.header));
-		len -= read + 4;
+		size_t unix3_size = sizeof(h.unix3) - sizeof(h.header);
+		size_t field_size = header_size;
+		if (field_size == unix3_size - sizeof(h.unix3.crc32)) {
+			/* Some archives omit the CRC32 from the unix3 size field. */
+			field_size = unix3_size;
+		}
+		if (field_size < unix3_size || field_size > len) {
+			return FAILURE;
+		}
 
-		if (sizeof(h.unix3) - sizeof(h.header) != read) {
+		read = php_stream_read(fp, (char *) &(h.unix3.crc32), unix3_size);
+		if (unix3_size != read) {
 			return FAILURE;
 		}
 
-		if (PHAR_GET_16(h.unix3.size) > sizeof(h.unix3) - 4) {
+		if (field_size > unix3_size) {
 			/* skip symlink filename - we may add this support in later */
-			php_stream_seek(fp, PHAR_GET_16(h.unix3.size) - sizeof(h.unix3.size), SEEK_CUR);
+			if (-1 == php_stream_seek(fp, field_size - unix3_size, SEEK_CUR)) {
+				return FAILURE;
+			}
 		}
+		len -= field_size;
 
 		/* set permissions */
 		entry->flags &= PHAR_ENT_COMPRESSION_MASK;
@@ -111,7 +133,7 @@ static zend_result phar_zip_process_extra(php_stream *fp, phar_entry_info *entry
 			entry->flags |= PHAR_GET_16(h.unix3.perms) & PHAR_ENT_PERM_MASK;
 		}
 
-	} while (len);
+	}
 
 	return SUCCESS;
 }

ext/standard/dl.c

@@ -43,7 +43,7 @@ PHPAPI PHP_FUNCTION(dl)
 	size_t filename_len;
 
 	ZEND_PARSE_PARAMETERS_START(1, 1)
-		Z_PARAM_STRING(filename, filename_len)
+		Z_PARAM_PATH(filename, filename_len)
 	ZEND_PARSE_PARAMETERS_END();
 
 	if (!PG(enable_dl)) {

ext/standard/proc_open.c

@@ -1377,7 +1377,6 @@ PHP_FUNCTION(proc_open)
 
 	if (newprocok == FALSE) {
 		DWORD dw = GetLastError();
-		close_all_descriptors(descriptors, ndesc);
 		char *msg = php_win32_error_to_msg(dw);
 		php_error_docref(NULL, E_WARNING, "CreateProcess failed: %s", msg);
 		php_win32_error_msg_free(msg);
@@ -1394,7 +1393,6 @@ PHP_FUNCTION(proc_open)
 
 	if (close_parentends_of_pipes(&factions, descriptors, ndesc) == FAILURE) {
 		posix_spawn_file_actions_destroy(&factions);
-		close_all_descriptors(descriptors, ndesc);
 		goto exit_fail;
 	}
 
@@ -1414,7 +1412,6 @@ PHP_FUNCTION(proc_open)
 	}
 	posix_spawn_file_actions_destroy(&factions);
 	if (r != 0) {
-		close_all_descriptors(descriptors, ndesc);
 		php_error_docref(NULL, E_WARNING, "posix_spawn() failed: %s", strerror(r));
 		goto exit_fail;
 	}
@@ -1456,7 +1453,6 @@ PHP_FUNCTION(proc_open)
 		_exit(127);
 	} else if (child < 0) {
 		/* Failed to fork() */
-		close_all_descriptors(descriptors, ndesc);
 		php_error_docref(NULL, E_WARNING, "Fork failed: %s", strerror(errno));
 		goto exit_fail;
 	}
@@ -1546,6 +1542,9 @@ PHP_FUNCTION(proc_open)
 	} else {
 exit_fail:
 		_php_free_envp(env);
+		if (descriptors) {
+			close_all_descriptors(descriptors, ndesc);
+		}
 		RETVAL_FALSE;
 	}
 

ext/standard/tests/general_functions/dl_null_bytes.phpt

@@ -0,0 +1,14 @@
+--TEST--
+dl() rejects null bytes in extension filename
+--FILE--
+<?php
+
+try {
+    dl("foo\0bar");
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+dl(): Argument #1 ($extension_filename) must not contain any null bytes

ext/standard/tests/general_functions/proc_open_fd_leak_on_setup_failure.phpt

@@ -0,0 +1,20 @@
+--TEST--
+proc_open() does not leak file descriptors when descriptor setup fails mid-spec
+--SKIPIF--
+<?php
+if (!function_exists("proc_open")) die("skip proc_open() unavailable");
+if (!@is_dir("/proc/self/fd")) die("skip requires /proc/self/fd");
+?>
+--FILE--
+<?php
+$before = count(scandir("/proc/self/fd"));
+for ($i = 0; $i < 100; $i++) {
+    // Index 0 opens a real pipe; index 1 is invalid, so setup fails after the
+    // pipe is already open. The aborted call must release the pipe fds.
+    @proc_open("true", [0 => ["pipe", "r"], 1 => ["bogus_type"]], $pipes);
+}
+$after = count(scandir("/proc/self/fd"));
+var_dump($after <= $before + 2);
+?>
+--EXPECT--
+bool(true)