Skip to content

[pull] master from php:master #606

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pull merged 5 commits into from
Dec 19, 2025
Merged

[pull] master from php:master #606

pull merged 5 commits into from
Dec 19, 2025
+33 −5

Conversation

@pull
Copy link

@pull pull bot commented Dec 19, 2025
edited
Loading

See Commits and Changes for more details.

Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

@ndossche
Fix GH-20352: UAF in php_output_handler_free via re-entrant ob_start(…
ee01438 
…) during error deactivation

The problem is that the code is doing `php_output_handler_free` in a loop on the output stack,
but prior to freeing the pointer on the stack in `php_output_handler_free` it calls
`php_output_handler_dtor` which can run user code that reallocates the stack,
resulting in a dangling pointer freed by php_output_handler_free.
Furthermore, OG(active) is set when creating a new output handler, but
the loop is supposed to clean up all handlers, so OG(active) must be
reset as well.

Closes GH-20356.
@ndossche
Merge branch 'PHP-8.3' into PHP-8.4
0590a34 
* PHP-8.3:
  Fix GH-20352: UAF in php_output_handler_free via re-entrant ob_start() during error deactivation
@ndossche
Merge branch 'PHP-8.4' into PHP-8.5
c35224e 
* PHP-8.4:
  Fix GH-20352: UAF in php_output_handler_free via re-entrant ob_start() during error deactivation
@ndossche
Merge branch 'PHP-8.5'
77eedd7 
* PHP-8.5:
  Fix GH-20352: UAF in php_output_handler_free via re-entrant ob_start() during error deactivation
@ndossche
standard: Remove nonsensical dtor of return value in fread() (#20739)
4315c3a 
It was never set to a string at this point, so why dtor it?
@pull pull bot locked and limited conversation to collaborators Dec 19, 2025
@pull pull bot added the ⤵️ pull label Dec 19, 2025
@pull pull bot merged commit 4315c3a into turkdevops:master Dec 19, 2025
1 of 2 checks passed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

⤵️ pull

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ndossche