From 60b1f59081ba0b7a612198ad973bba293a70bb3c Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Sat, 10 Jan 2026 10:49:37 +0100 Subject: [PATCH 1/3] fastcgi: Fix compile warning wrt safe_read() (#20887) This shouldn't be const. Fixes the following warning: ``` warning: variable 'hdr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer] 1054 | if (safe_read(req, &hdr, sizeof(fcgi_header)) != sizeof(fcgi_header) || | ^~~ ``` --- main/fastcgi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main/fastcgi.c b/main/fastcgi.c index 448576a978598..bee1fa47e662e 100644 --- a/main/fastcgi.c +++ b/main/fastcgi.c @@ -944,7 +944,7 @@ static inline ssize_t safe_write(fcgi_request *req, const void *buf, size_t coun return n; } -static inline ssize_t safe_read(fcgi_request *req, const void *buf, size_t count) +static inline ssize_t safe_read(fcgi_request *req, void *buf, size_t count) { int ret; size_t n = 0; From b5d6377adaf2465482781e24c1fec0708ba32a13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Sat, 10 Jan 2026 14:37:52 +0100 Subject: [PATCH 2/3] output: Fail starting to output buffer when the output layer is deactivated (#20846) Fixes php/php-src#20837. --- NEWS | 4 ++++ main/output.c | 4 ++++ tests/output/gh20352.phpt | 3 +++ tests/output/gh20837.phpt | 23 +++++++++++++++++++++++ 4 files changed, 34 insertions(+) create mode 100644 tests/output/gh20837.phpt diff --git a/NEWS b/NEWS index cc21664815252..a8cb10ca8f32d 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 8.4.18 +- Core: + . Fixed bug GH-20837 (NULL dereference when calling ob_start() in shutdown + function triggered by bailout in php_output_lock_error()). (timwolla) + - MbString: . Fixed bug GH-20833 (mb_str_pad() divide by zero if padding string is invalid in the encoding). (ndossche) 
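Review bot: In main/fastcgi.c, `safe_read()` still has no comment saying that `buf` is an output buffer, which is the contract the old `const` misdescribed. The helper fills caller-supplied memory with `count` bytes that presumably come from the FastCGI peer, so I would state the requirement above the signature: `/* Reads into buf; the caller must guarantee buf has room for count bytes. */`. The body continues outside the hunk, so I cannot see how it reaches `buf`. If it uses a cast that was only there to drop the qualifier, that cast can now be simplified.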
diff --git a/main/output.c b/main/output.c index 4e542318139a7..7f28c25b6c7d1 100644 --- a/main/output.c +++ b/main/output.c @@ -538,6 +538,10 @@ PHPAPI zend_result php_output_handler_start(php_output_handler *handler) HashTable *rconflicts; php_output_handler_conflict_check_t conflict; + if (!(OG(flags) & PHP_OUTPUT_ACTIVATED)) { + return FAILURE; + } + if (php_output_lock_error(PHP_OUTPUT_HANDLER_START) || !handler) { return FAILURE; } diff --git a/tests/output/gh20352.phpt b/tests/output/gh20352.phpt index 16be0b920e80f..3074add99d360 100644 --- a/tests/output/gh20352.phpt +++ b/tests/output/gh20352.phpt @@ -21,4 +21,7 @@ ob_start(new Test, 1); echo "trigger bug"; ?> --EXPECTF-- +%r(Notice: ob_start\(\): Failed to create buffer in [^\r\n]+ on line \d+\r?\n(\r?\n)?)+%r +Notice: ob_start(): Failed to create buffer in %s on line %d + Fatal error: ob_start(): Cannot use output buffering in output buffering display handlers in %s on line %d diff --git a/tests/output/gh20837.phpt b/tests/output/gh20837.phpt new file mode 100644 index 0000000000000..0952e4ef7b910 --- /dev/null +++ b/tests/output/gh20837.phpt @@ -0,0 +1,23 @@ +--TEST-- +ob_start(): NULL dereference when calling ob_start() in shutdown function triggered by bailout in php_output_lock_error() +--FILE-- + +--EXPECTF-- +Fatal error: ob_start(): Cannot use output buffering in output buffering display handlers in %s on line %d + +Notice: ob_start(): Failed to create buffer in %s on line %d From a6e0d8e359531e6daf8bdfa5f6f381a598fbe142 Mon Sep 17 00:00:00 2001 
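Review bot: The new guard at the top of `php_output_handler_start()` in main/output.c returns `FAILURE` without saying why a deactivated output layer must be rejected before `php_output_lock_error()` runs. A why-comment would keep a later cleanup from merging it into the next condition or moving it below, for example `/* Output layer already deactivated (ob_start() from a shutdown function after a bailout, GH-20837): refuse instead of dereferencing NULL. */`. Because the check sits ahead of the `!handler` test, a NULL handler on a deactivated layer also ends in `FAILURE`, which looks intended. Whether other entry points that touch the handler stack need the same test is not visible from this hunk.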
From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Fri, 9 Jan 2026 22:03:07 +0100 Subject: [PATCH 3/3] Fix GH-20882: phar buildFromIterator breaks with missing base directory Broke in f57526a07a because of changing a char*+size_t pair to zend_string* (which can't handle NULL pointers in its macros). Closes GH-20888. --- NEWS | 4 ++++ ext/phar/phar_object.c | 4 ++-- ext/phar/tests/gh20882.phpt | 22 ++++++++++++++++++++++ 3 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 ext/phar/tests/gh20882.phpt diff --git a/NEWS b/NEWS index a8cb10ca8f32d..d54ff4f6039a7 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,10 @@ PHP NEWS . Fixed bug GH-20833 (mb_str_pad() divide by zero if padding string is invalid in the encoding). (ndossche) +- Phar: + . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory). + (ndossche) + - Readline: . Fixed bug GH-18139 (Memory leak when overriding some settings via readline_info()). (ndossche) diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c index 5ad31f7c295eb..18db3190bb034 100644 --- a/ext/phar/phar_object.c +++ b/ext/phar/phar_object.c @@ -1397,12 +1397,12 @@ static int phar_build(zend_object_iterator *iter, void *puser) /* {{{ */ zval *value; bool close_fp = 1; struct _phar_t *p_obj = (struct _phar_t*) puser; - size_t str_key_len, base_len = ZSTR_LEN(p_obj->base); + size_t str_key_len, base_len = p_obj->base ? ZSTR_LEN(p_obj->base) : 0; phar_entry_data *data; php_stream *fp; size_t fname_len; size_t contents_len; - char *fname, *error = NULL, *base = ZSTR_VAL(p_obj->base), *save = NULL, *temp = NULL; + char *fname, *error = NULL, *base = p_obj->base ? ZSTR_VAL(p_obj->base) : NULL, *save = NULL, *temp = NULL; zend_string *opened; char *str_key; zend_class_entry *ce = p_obj->c; diff --git a/ext/phar/tests/gh20882.phpt b/ext/phar/tests/gh20882.phpt new file mode 100644 index 0000000000000..8928178a22a9e --- /dev/null +++ b/ext/phar/tests/gh20882.phpt 
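Review bot: In `phar_build()` (ext/phar/phar_object.c) `base` can now be NULL while `base_len` is 0, so every later use of `base` has to be gated on one of the two. The function body continues past the hunk, so I cannot confirm that it is. Handing a NULL pointer to a `memcmp`/`strncmp`-style call is undefined even with a length of 0, so any comparison of `base` against the file name further down deserves a look. The same `p_obj->base ?` test is now written twice inside two declaration lists. A short comment such as `/* base is NULL when no base directory was given; base_len is 0 then */` would state the invariant once for the reader.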
@@ -0,0 +1,22 @@ +--TEST-- +GH-20882 (phar buildFromIterator breaks with missing base directory) +--EXTENSIONS-- +phar +--INI-- +phar.readonly=0 +--FILE-- +buildFromIterator( + new RecursiveIteratorIterator( + new RecursiveDirectoryIterator(__DIR__.'/test79082', FilesystemIterator::SKIP_DOTS) + ), + null + ); +} catch (BadMethodCallException $e) { + echo $e->getMessage(), "\n"; +} +?> +--EXPECT-- +Iterator RecursiveIteratorIterator returns an SplFileInfo object, so base directory must be specified
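Review bot: The new test gh20882.phpt iterates `__DIR__.'/test79082'`, a directory this commit does not create, so it presumably borrows another test's fixture. Only `BadMethodCallException` is caught, so if that directory is renamed or removed the failure would come from `RecursiveDirectoryIterator` rather than from the code path under test. A comment next to the path that names the owning test, e.g. `// fixture directory shared with <owning test>`, would make the dependency visible. Alternatively the test could create and remove its own directory.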