From d447025b6c8a6c220d113038e61db67de9bb97c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 30 Jun 2026 00:39:26 +0200 Subject: [PATCH 1/6] lexbor: Refresh patch files (#22517) * lexbor: Clean existing patches in `update-lexbor.sh` The filename of the patch file is derived from the commit message. When the commit message changes or the patch was initially added with the wrong name the patch file might be renamed and exist twice when it's not deleted. * lexbor: Drop patch signature in `update-lexbor.sh` This includes the git version number by default which makes the patches unstable. * lexbor: Zero the commit hash in generated patches in `update-lexbor.sh` Including the commit ID of the temporary commit in the patch files makes them unstable. * lexbor: Run `update_lexbor.sh` --- ext/dom/lexbor/lexbor/core/swar.h | 2 +- ...1-Expose-line-and-column-information-for-use-in-PHP.patch | 5 +---- ...02-Track-implied-added-nodes-for-options-use-in-PHP.patch | 5 +---- ...atch-utilities-and-data-structure-to-be-able-to-gen.patch | 5 +---- .../0004-Remove-unused-upper-case-tag-static-data.patch | 5 +---- .../0005-Shrink-size-of-static-binary-search-tree.patch | 5 +---- .../patches/0006-Patch-out-unused-CSS-style-code.patch | 5 +---- ext/dom/lexbor/patches/update-lexbor.sh | 3 ++- 8 files changed, 9 insertions(+), 26 deletions(-) diff --git a/ext/dom/lexbor/lexbor/core/swar.h b/ext/dom/lexbor/lexbor/core/swar.h index 78579ad4bee7..ec0a13b8e23f 100644 --- a/ext/dom/lexbor/lexbor/core/swar.h +++ b/ext/dom/lexbor/lexbor/core/swar.h @@ -1,7 +1,7 @@ /* * Copyright (C) 2024 Alexander Borisov * - * Author: Nora Dossche + * Author: Niels Dossche */ #ifndef LEXBOR_SWAR_H diff --git a/ext/dom/lexbor/patches/0001-Expose-line-and-column-information-for-use-in-PHP.patch b/ext/dom/lexbor/patches/0001-Expose-line-and-column-information-for-use-in-PHP.patch index 32d9d42d2bf1..1b35913e91c7 100644 
--- a/ext/dom/lexbor/patches/0001-Expose-line-and-column-information-for-use-in-PHP.patch +++ b/ext/dom/lexbor/patches/0001-Expose-line-and-column-information-for-use-in-PHP.patch @@ -1,4 +1,4 @@ -From 0cd2add6c46400b808329442f81451b369863983 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 26 Aug 2023 15:08:59 +0200 Subject: [PATCH 1/6] Expose line and column information for use in PHP @@ -183,6 +183,3 @@ index 7a212af..b186772 100644 } lxb_html_tree_error_t; --- -2.51.2 - diff --git a/ext/dom/lexbor/patches/0002-Track-implied-added-nodes-for-options-use-in-PHP.patch b/ext/dom/lexbor/patches/0002-Track-implied-added-nodes-for-options-use-in-PHP.patch index 1902abf96e3a..24bc21630513 100644 --- a/ext/dom/lexbor/patches/0002-Track-implied-added-nodes-for-options-use-in-PHP.patch +++ b/ext/dom/lexbor/patches/0002-Track-implied-added-nodes-for-options-use-in-PHP.patch @@ -1,4 +1,4 @@ -From a4c29ba8d1ea1065ce6bd4a34382d53140cf1924 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:18:51 +0200 Subject: [PATCH 2/6] Track implied added nodes for options use in PHP @@ -62,6 +62,3 @@ index 05fe738..1e09cda 100644 tree->mode = lxb_html_tree_insertion_mode_before_head; break; --- -2.51.2 - diff --git a/ext/dom/lexbor/patches/0003-Patch-utilities-and-data-structure-to-be-able-to-gen.patch b/ext/dom/lexbor/patches/0003-Patch-utilities-and-data-structure-to-be-able-to-gen.patch index 51f77483bc6e..9c67ba740c4a 100644 --- a/ext/dom/lexbor/patches/0003-Patch-utilities-and-data-structure-to-be-able-to-gen.patch +++ b/ext/dom/lexbor/patches/0003-Patch-utilities-and-data-structure-to-be-able-to-gen.patch 
@@ -1,4 +1,4 @@ -From 46fc776449252e74795569759a19d13857a59069 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Thu, 24 Aug 2023 22:57:48 +0200 Subject: [PATCH 3/6] Patch utilities and data structure to be able to generate @@ -92,6 +92,3 @@ index 3e75812..2370c66 100755 result.append("};") --- -2.51.2 - diff --git a/ext/dom/lexbor/patches/0004-Remove-unused-upper-case-tag-static-data.patch b/ext/dom/lexbor/patches/0004-Remove-unused-upper-case-tag-static-data.patch index 6cb6658a164b..4640a03647b9 100644 --- a/ext/dom/lexbor/patches/0004-Remove-unused-upper-case-tag-static-data.patch +++ b/ext/dom/lexbor/patches/0004-Remove-unused-upper-case-tag-static-data.patch @@ -1,4 +1,4 @@ -From ae9d7254ac129cc3be34de6fd34af27baf3bb396 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Wed, 29 Nov 2023 21:26:47 +0100 Subject: [PATCH 4/6] Remove unused upper case tag static data @@ -48,6 +48,3 @@ index 780bc47..be5bb30 100644 /* * No inline functions for ABI. --- -2.51.2 - diff --git a/ext/dom/lexbor/patches/0005-Shrink-size-of-static-binary-search-tree.patch b/ext/dom/lexbor/patches/0005-Shrink-size-of-static-binary-search-tree.patch index 9ef6e305e498..d276ba8f2efa 100644 --- a/ext/dom/lexbor/patches/0005-Shrink-size-of-static-binary-search-tree.patch +++ b/ext/dom/lexbor/patches/0005-Shrink-size-of-static-binary-search-tree.patch @@ -1,4 +1,4 @@ -From 19cf6183813e013dfe0eb2303c15eaf6e01b9faf Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Wed, 29 Nov 2023 21:29:31 +0100 Subject: [PATCH 5/6] Shrink size of static binary search tree 
@@ -111,6 +111,3 @@ index 2370c66..c41e645 100755 self.buffer.append(line) fh.close() --- -2.51.2 - diff --git a/ext/dom/lexbor/patches/0006-Patch-out-unused-CSS-style-code.patch b/ext/dom/lexbor/patches/0006-Patch-out-unused-CSS-style-code.patch index a643f9716488..827375f3f05c 100644 --- a/ext/dom/lexbor/patches/0006-Patch-out-unused-CSS-style-code.patch +++ b/ext/dom/lexbor/patches/0006-Patch-out-unused-CSS-style-code.patch @@ -1,4 +1,4 @@ -From 54399ee441d922d89c32909e2028f899f6091cd6 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sun, 7 Jan 2024 21:59:28 +0100 Subject: [PATCH 6/6] Patch out unused CSS style code @@ -27,6 +27,3 @@ index 308dced..d192a01 100644 } lxb_inline void --- -2.51.2 - diff --git a/ext/dom/lexbor/patches/update-lexbor.sh b/ext/dom/lexbor/patches/update-lexbor.sh index 7421d8e7d321..b5eff3846e11 100755 --- a/ext/dom/lexbor/patches/update-lexbor.sh +++ b/ext/dom/lexbor/patches/update-lexbor.sh @@ -29,8 +29,9 @@ for patch in "${patches[@]}"; do done # Refresh patches +rm "$PATCHES_DIR"/*.patch NUM_PATCHES=${#patches[@]} -git format-patch "HEAD~$NUM_PATCHES" -o "$PATCHES_DIR" +git format-patch --no-signature --zero-commit "HEAD~$NUM_PATCHES" -o "$PATCHES_DIR" # Run code-generation tools (cd "$LEXBOR_TMP_DIR/utils/lexbor/encoding" && python3 single-byte.py) From cf308c858c65aeb114ab89a668945379ad02893e Mon Sep 17 00:00:00 2001 
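Review bot: The added `rm "$PATCHES_DIR"/*.patch` has no guard for a glob that matches nothing, in which case `rm` receives the literal pattern and exits non-zero; whether the script runs under `set -e` is not visible in this hunk, so the effect of that exit status cannot be judged from here. The deletion also runs before `git format-patch`, so if that command fails the directory is left without patches until they are restored from the index. I would write `rm -f -- "$PATCHES_DIR"/*.patch` and put a comment above it such as `# Remove stale patch files: names derive from commit subjects and may have changed`. Because these files are the only record of local changes to a vendored library, the refreshed set should be compared with `git status` before committing so that an unexpected deletion is noticed.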
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 30 Jun 2026 00:40:46 +0200 Subject: [PATCH 2/6] lexbor: Run `update_lexbor.sh` (PHP 8.5) --- ...nd-column-information-for-use-in-PHP.patch | 2 +- ...d-added-nodes-for-options-use-in-PHP.patch | 2 +- ...and-data-structure-to-be-able-to-gen.patch | 2 +- ...ve-unused-upper-case-tag-static-data.patch | 2 +- ...nk-size-of-static-binary-search-tree.patch | 2 +- ...0006-Patch-out-unused-CSS-style-code.patch | 2 +- ...7-URL-fixed-setters-for-empty-hosts.patch} | 30 +++++++++---------- 7 files changed, 21 insertions(+), 21 deletions(-) rename ext/lexbor/patches/{0007-Fix-empty-port-setter.patch => 0007-URL-fixed-setters-for-empty-hosts.patch} (91%) diff --git a/ext/lexbor/patches/0001-Expose-line-and-column-information-for-use-in-PHP.patch b/ext/lexbor/patches/0001-Expose-line-and-column-information-for-use-in-PHP.patch index 1b35913e91c7..2f7f7f8f53c2 100644 --- a/ext/lexbor/patches/0001-Expose-line-and-column-information-for-use-in-PHP.patch +++ b/ext/lexbor/patches/0001-Expose-line-and-column-information-for-use-in-PHP.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 26 Aug 2023 15:08:59 +0200 -Subject: [PATCH 1/6] Expose line and column information for use in PHP +Subject: [PATCH 1/7] Expose line and column information for use in PHP --- source/lexbor/dom/interfaces/node.h | 2 ++ diff --git a/ext/lexbor/patches/0002-Track-implied-added-nodes-for-options-use-in-PHP.patch b/ext/lexbor/patches/0002-Track-implied-added-nodes-for-options-use-in-PHP.patch index 24bc21630513..d25819d43ed0 100644 --- a/ext/lexbor/patches/0002-Track-implied-added-nodes-for-options-use-in-PHP.patch +++ b/ext/lexbor/patches/0002-Track-implied-added-nodes-for-options-use-in-PHP.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:18:51 +0200 -Subject: [PATCH 2/6] Track implied added nodes for options use in PHP +Subject: [PATCH 2/7] Track implied added nodes for options use in PHP --- source/lexbor/html/tree.h | 3 +++ diff --git a/ext/lexbor/patches/0003-Patch-utilities-and-data-structure-to-be-able-to-gen.patch b/ext/lexbor/patches/0003-Patch-utilities-and-data-structure-to-be-able-to-gen.patch index 9c67ba740c4a..c3ad688c3cb3 100644 --- a/ext/lexbor/patches/0003-Patch-utilities-and-data-structure-to-be-able-to-gen.patch +++ b/ext/lexbor/patches/0003-Patch-utilities-and-data-structure-to-be-able-to-gen.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Thu, 24 Aug 2023 22:57:48 +0200 -Subject: [PATCH 3/6] Patch utilities and data structure to be able to generate +Subject: [PATCH 3/7] Patch utilities and data structure to be able to generate smaller lookup tables Changed the generation script to check if everything fits in 32-bits. diff --git a/ext/lexbor/patches/0004-Remove-unused-upper-case-tag-static-data.patch b/ext/lexbor/patches/0004-Remove-unused-upper-case-tag-static-data.patch index 4640a03647b9..5d1e9da8e4d1 100644 --- a/ext/lexbor/patches/0004-Remove-unused-upper-case-tag-static-data.patch +++ b/ext/lexbor/patches/0004-Remove-unused-upper-case-tag-static-data.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Wed, 29 Nov 2023 21:26:47 +0100 -Subject: [PATCH 4/6] Remove unused upper case tag static data +Subject: [PATCH 4/7] Remove unused upper case tag static data --- source/lexbor/tag/res.h | 2 ++ 
diff --git a/ext/lexbor/patches/0005-Shrink-size-of-static-binary-search-tree.patch b/ext/lexbor/patches/0005-Shrink-size-of-static-binary-search-tree.patch index d276ba8f2efa..1d54615a9139 100644 --- a/ext/lexbor/patches/0005-Shrink-size-of-static-binary-search-tree.patch +++ b/ext/lexbor/patches/0005-Shrink-size-of-static-binary-search-tree.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Wed, 29 Nov 2023 21:29:31 +0100 -Subject: [PATCH 5/6] Shrink size of static binary search tree +Subject: [PATCH 5/7] Shrink size of static binary search tree This also makes it more efficient on the data cache. --- diff --git a/ext/lexbor/patches/0006-Patch-out-unused-CSS-style-code.patch b/ext/lexbor/patches/0006-Patch-out-unused-CSS-style-code.patch index 827375f3f05c..891a2d5682d5 100644 --- a/ext/lexbor/patches/0006-Patch-out-unused-CSS-style-code.patch +++ b/ext/lexbor/patches/0006-Patch-out-unused-CSS-style-code.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sun, 7 Jan 2024 21:59:28 +0100 -Subject: [PATCH 6/6] Patch out unused CSS style code +Subject: [PATCH 6/7] Patch out unused CSS style code --- source/lexbor/css/rule.h | 2 ++ diff --git a/ext/lexbor/patches/0007-Fix-empty-port-setter.patch b/ext/lexbor/patches/0007-URL-fixed-setters-for-empty-hosts.patch similarity index 91% rename from ext/lexbor/patches/0007-Fix-empty-port-setter.patch rename to ext/lexbor/patches/0007-URL-fixed-setters-for-empty-hosts.patch index 75ceaab0c63f..72a88d22ab8e 100644 --- a/ext/lexbor/patches/0007-Fix-empty-port-setter.patch +++ b/ext/lexbor/patches/0007-URL-fixed-setters-for-empty-hosts.patch @@ -1,7 +1,7 @@ -From cf07699ca0f5fa4e1f7fd05c2135fd38e6d196c2 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: Alexander Borisov Date: Fri, 26 Jun 2026 18:55:56 +0300 -Subject: [PATCH] URL: fixed setters for empty hosts. +Subject: [PATCH 7/7] URL: fixed setters for empty hosts. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -22,13 +22,13 @@ This relates to #387 issue on GitHub. 3 files changed, 86 insertions(+), 9 deletions(-) diff --git a/source/lexbor/url/url.c b/source/lexbor/url/url.c -index ced4462b..e1da2c38 100644 +index 5a11434..86bcf8f 100644 --- a/source/lexbor/url/url.c +++ b/source/lexbor/url/url.c -@@ -1116,11 +1116,13 @@ lxb_url_host_copy(const lxb_url_host_t *src, lxb_url_host_t *dst, - +@@ -1115,11 +1115,13 @@ lxb_url_host_copy(const lxb_url_host_t *src, lxb_url_host_t *dst, + dst->type = src->type; - + - if (src->type <= LXB_URL_HOST_TYPE_OPAQUE) { - if (src->type == LXB_URL_HOST_TYPE__UNDEF) { - return LXB_STATUS_OK; @@ -38,15 +38,15 @@ index ced4462b..e1da2c38 100644 + { + return LXB_STATUS_OK; + } - + + if (src->type <= LXB_URL_HOST_TYPE_OPAQUE) { return lxb_url_str_copy(&src->u.domain, &dst->u.domain, dst_mraw); } -@@ -1153,6 +1155,24 @@ lxb_url_host_set_empty(lxb_url_host_t *host, lexbor_mraw_t *mraw) +@@ -1152,6 +1154,24 @@ lxb_url_host_set_empty(lxb_url_host_t *host, lexbor_mraw_t *mraw) host->type = LXB_URL_HOST_TYPE_EMPTY; } - + +lxb_inline bool +lxb_url_host_is_empty(const lxb_url_host_t *host) +{ @@ -68,7 +68,7 @@ index ced4462b..e1da2c38 100644 static bool lxb_url_host_eq(lxb_url_host_t *host, const lxb_char_t *data, size_t length) { -@@ -1252,7 +1272,7 @@ lxb_url_normalized_windows_drive_letter(const lxb_char_t *data, +@@ -1251,7 +1271,7 @@ lxb_url_normalized_windows_drive_letter(const lxb_char_t *data, static bool lxb_url_cannot_have_user_pass_port(lxb_url_t *url) { 
@@ -77,20 +77,20 @@ index ced4462b..e1da2c38 100644 || url->host.type == LXB_URL_HOST_TYPE__UNDEF || url->scheme.type == LXB_URL_SCHEMEL_TYPE_FILE; } -@@ -3979,6 +3999,11 @@ lxb_url_opaque_host_parse(lxb_url_parser_t *parser, const lxb_char_t *data, +@@ -3978,6 +3998,11 @@ lxb_url_opaque_host_parse(lxb_url_parser_t *parser, const lxb_char_t *data, lxb_status_t status; const lxb_char_t *p; - + + if (data == end) { + lxb_url_host_set_empty(host, mraw); + return LXB_STATUS_OK; + } + p = data; - + while (p < end) { diff --git a/test/files/lexbor/url/changes.ton b/test/files/lexbor/url/changes.ton -index 07bc9449..1a0b6e35 100644 +index 07bc944..1a0b6e3 100644 --- a/test/files/lexbor/url/changes.ton +++ b/test/files/lexbor/url/changes.ton @@ -1,5 +1,5 @@ @@ -167,7 +167,7 @@ index 07bc9449..1a0b6e35 100644 } ] diff --git a/test/files/lexbor/url/url.ton b/test/files/lexbor/url/url.ton -index 2baa4bc2..85794c5b 100644 +index 2baa4bc..85794c5 100644 --- a/test/files/lexbor/url/url.ton +++ b/test/files/lexbor/url/url.ton @@ -1,5 +1,5 @@ From 9a9312b75f0dd48d8dadeee8e1aa1e021b10be6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Tue, 30 Jun 2026 00:51:01 +0200 Subject: [PATCH 3/6] lexbor: Add missing newline at EOL in 0007-Add-Is_Special_Url_Support.patch This prevented the patch from applying cleanly when running `./update_lexbor.sh`. --- ext/lexbor/patches/0007-Add-Is_Special_Url_Support.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/lexbor/patches/0007-Add-Is_Special_Url_Support.patch b/ext/lexbor/patches/0007-Add-Is_Special_Url_Support.patch index 6f5e126336d0..7412783a12d0 100644 --- a/ext/lexbor/patches/0007-Add-Is_Special_Url_Support.patch +++ b/ext/lexbor/patches/0007-Add-Is_Special_Url_Support.patch @@ -41,4 +41,4 @@ index 4ed3f32a..6cc6f108 100644 + /* * Inline functions. - */ \ No newline at end of file + */ From 2587b82759e350de525aa0ad1ec6daa5c175ceb1 Mon Sep 17 00:00:00 2001 
From: Ilija Tovilo Date: Tue, 30 Jun 2026 01:32:02 +0200 Subject: [PATCH 4/6] Merge Lexbor patch c3a68477399d446660ac241d3a55357dc95c6e81 --- NEWS | 3 ++ ext/lexbor/lexbor/url/url.c | 3 +- ...nd-column-information-for-use-in-PHP.patch | 2 +- ...d-added-nodes-for-options-use-in-PHP.patch | 2 +- ...and-data-structure-to-be-able-to-gen.patch | 2 +- ...ve-unused-upper-case-tag-static-data.patch | 2 +- ...nk-size-of-static-binary-search-tree.patch | 2 +- ...0006-Patch-out-unused-CSS-style-code.patch | 2 +- ...07-URL-fixed-setters-for-empty-hosts.patch | 2 +- ...ialized-memory-in-the-path-buffer-gr.patch | 37 +++++++++++++++++++ 10 files changed, 49 insertions(+), 8 deletions(-) create mode 100644 ext/lexbor/patches/0008-URL-fixed-uninitialized-memory-in-the-path-buffer-gr.patch diff --git a/NEWS b/NEWS index 957e4123a227..4cfba419baa7 100644 --- a/NEWS +++ b/NEWS @@ -29,6 +29,9 @@ PHP NEWS . Fixed IntlChar methods leaving stale global error state after successful calls. (Xuyang Zhang) +- Lexbor: + . Merge patch c3a6847. (ilutov, timwolla) + - Phar: . Fixed inconsistent handling of the magic ".phar" directory. Paths such as "/.phar" remain protected, while non-magic paths that merely start with diff --git a/ext/lexbor/lexbor/url/url.c b/ext/lexbor/lexbor/url/url.c index 86bcf8f35027..b6c0a1e8f65e 100644 --- a/ext/lexbor/lexbor/url/url.c +++ b/ext/lexbor/lexbor/url/url.c @@ -499,6 +499,7 @@ lxb_url_scheme_length = sizeof(lxb_url_scheme_res) / sizeof(lxb_url_scheme_data_ if (tmp == NULL) { \ return NULL; \ } \ + memcpy(tmp, (sbuf_begin), offset); \ } \ else { \ tmp = lexbor_realloc((sbuf_begin), new_len); \ @@ -509,7 +510,7 @@ lxb_url_scheme_length = sizeof(lxb_url_scheme_res) / sizeof(lxb_url_scheme_data_ } \ \ (sbuf) = tmp + offset; \ - (last) = sbuf + lst; \ + (last) = tmp + lst; \ (sbuf_begin) = tmp; \ (sbuf_end) = tmp + new_len; \ } \ 
diff --git a/ext/lexbor/patches/0001-Expose-line-and-column-information-for-use-in-PHP.patch b/ext/lexbor/patches/0001-Expose-line-and-column-information-for-use-in-PHP.patch index 2f7f7f8f53c2..04136b29f58f 100644 --- a/ext/lexbor/patches/0001-Expose-line-and-column-information-for-use-in-PHP.patch +++ b/ext/lexbor/patches/0001-Expose-line-and-column-information-for-use-in-PHP.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 26 Aug 2023 15:08:59 +0200 -Subject: [PATCH 1/7] Expose line and column information for use in PHP +Subject: [PATCH 1/8] Expose line and column information for use in PHP --- source/lexbor/dom/interfaces/node.h | 2 ++ diff --git a/ext/lexbor/patches/0002-Track-implied-added-nodes-for-options-use-in-PHP.patch b/ext/lexbor/patches/0002-Track-implied-added-nodes-for-options-use-in-PHP.patch index d25819d43ed0..615655d7f2ec 100644 --- a/ext/lexbor/patches/0002-Track-implied-added-nodes-for-options-use-in-PHP.patch +++ b/ext/lexbor/patches/0002-Track-implied-added-nodes-for-options-use-in-PHP.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Mon, 14 Aug 2023 20:18:51 +0200 -Subject: [PATCH 2/7] Track implied added nodes for options use in PHP +Subject: [PATCH 2/8] Track implied added nodes for options use in PHP --- source/lexbor/html/tree.h | 3 +++ diff --git a/ext/lexbor/patches/0003-Patch-utilities-and-data-structure-to-be-able-to-gen.patch b/ext/lexbor/patches/0003-Patch-utilities-and-data-structure-to-be-able-to-gen.patch index c3ad688c3cb3..73c5afa19e12 100644 --- a/ext/lexbor/patches/0003-Patch-utilities-and-data-structure-to-be-able-to-gen.patch +++ b/ext/lexbor/patches/0003-Patch-utilities-and-data-structure-to-be-able-to-gen.patch @@ -1,7 +1,7 @@ 
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Thu, 24 Aug 2023 22:57:48 +0200 -Subject: [PATCH 3/7] Patch utilities and data structure to be able to generate +Subject: [PATCH 3/8] Patch utilities and data structure to be able to generate smaller lookup tables Changed the generation script to check if everything fits in 32-bits. diff --git a/ext/lexbor/patches/0004-Remove-unused-upper-case-tag-static-data.patch b/ext/lexbor/patches/0004-Remove-unused-upper-case-tag-static-data.patch index 5d1e9da8e4d1..cc0a65a7cd5c 100644 --- a/ext/lexbor/patches/0004-Remove-unused-upper-case-tag-static-data.patch +++ b/ext/lexbor/patches/0004-Remove-unused-upper-case-tag-static-data.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Wed, 29 Nov 2023 21:26:47 +0100 -Subject: [PATCH 4/7] Remove unused upper case tag static data +Subject: [PATCH 4/8] Remove unused upper case tag static data --- source/lexbor/tag/res.h | 2 ++ diff --git a/ext/lexbor/patches/0005-Shrink-size-of-static-binary-search-tree.patch b/ext/lexbor/patches/0005-Shrink-size-of-static-binary-search-tree.patch index 1d54615a9139..b84120bf6c8c 100644 --- a/ext/lexbor/patches/0005-Shrink-size-of-static-binary-search-tree.patch +++ b/ext/lexbor/patches/0005-Shrink-size-of-static-binary-search-tree.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Wed, 29 Nov 2023 21:29:31 +0100 -Subject: [PATCH 5/7] Shrink size of static binary search tree +Subject: [PATCH 5/8] Shrink size of static binary search tree This also makes it more efficient on the data cache. --- 
diff --git a/ext/lexbor/patches/0006-Patch-out-unused-CSS-style-code.patch b/ext/lexbor/patches/0006-Patch-out-unused-CSS-style-code.patch index 891a2d5682d5..196a5a8a62de 100644 --- a/ext/lexbor/patches/0006-Patch-out-unused-CSS-style-code.patch +++ b/ext/lexbor/patches/0006-Patch-out-unused-CSS-style-code.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sun, 7 Jan 2024 21:59:28 +0100 -Subject: [PATCH 6/7] Patch out unused CSS style code +Subject: [PATCH 6/8] Patch out unused CSS style code --- source/lexbor/css/rule.h | 2 ++ diff --git a/ext/lexbor/patches/0007-URL-fixed-setters-for-empty-hosts.patch b/ext/lexbor/patches/0007-URL-fixed-setters-for-empty-hosts.patch index 72a88d22ab8e..2592372c6b02 100644 --- a/ext/lexbor/patches/0007-URL-fixed-setters-for-empty-hosts.patch +++ b/ext/lexbor/patches/0007-URL-fixed-setters-for-empty-hosts.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Alexander Borisov Date: Fri, 26 Jun 2026 18:55:56 +0300 -Subject: [PATCH 7/7] URL: fixed setters for empty hosts. +Subject: [PATCH 7/8] URL: fixed setters for empty hosts. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/ext/lexbor/patches/0008-URL-fixed-uninitialized-memory-in-the-path-buffer-gr.patch b/ext/lexbor/patches/0008-URL-fixed-uninitialized-memory-in-the-path-buffer-gr.patch new file mode 100644 index 000000000000..243053e87fa4 --- /dev/null +++ b/ext/lexbor/patches/0008-URL-fixed-uninitialized-memory-in-the-path-buffer-gr.patch 
@@ -0,0 +1,37 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alexander Borisov +Date: Fri, 5 Jun 2026 22:13:32 +0300 +Subject: [PATCH 8/8] URL: fixed uninitialized memory in the path buffer + growth. + +When a path was long enough to outgrow the on-stack buffer, the first +move to the heap didn't copy what was already written, so the start of +the path could contain garbage. Also fixed the 'last' pointer after the +move. + +Per report from Recep Asan (recep@asan.me) +--- + source/lexbor/url/url.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/source/lexbor/url/url.c b/source/lexbor/url/url.c +index 86bcf8f..b6c0a1e 100644 +--- a/source/lexbor/url/url.c ++++ b/source/lexbor/url/url.c +@@ -499,6 +499,7 @@ lxb_url_scheme_length = sizeof(lxb_url_scheme_res) / sizeof(lxb_url_scheme_data_ + if (tmp == NULL) { \ + return NULL; \ + } \ ++ memcpy(tmp, (sbuf_begin), offset); \ + } \ + else { \ + tmp = lexbor_realloc((sbuf_begin), new_len); \ +@@ -509,7 +510,7 @@ lxb_url_scheme_length = sizeof(lxb_url_scheme_res) / sizeof(lxb_url_scheme_data_ + } \ + \ + (sbuf) = tmp + offset; \ +- (last) = sbuf + lst; \ ++ (last) = tmp + lst; \ + (sbuf_begin) = tmp; \ + (sbuf_end) = tmp + new_len; \ + } \ From cbc0489126a7682796aad1e5fb4e51de74af162c Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 29 May 2026 21:44:14 +0100 Subject: [PATCH 5/6] ext/openssl: openssl_encrypt() zend mm heap overflow on AES-WRAP-PAD mode. Fix #22186 close GH-22187 --- NEWS | 3 +++ ext/openssl/openssl.c | 17 +++++++++++++++-- ext/openssl/tests/gh22186.phpt | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 ext/openssl/tests/gh22186.phpt diff --git a/NEWS b/NEWS index 975ee123ada6..b14ecd79eacb 100644 --- a/NEWS +++ b/NEWS 
@@ -2,6 +2,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 8.2.32 +- OpenSSL: + . Fixed bug GH-22187 (Memory corruption (zend_mm_heap corrupted) in + openssl_encrypt with AES-WRAP-PAD). (David Carlier) 07 May 2026, PHP 8.2.31 diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 1d467f5b50af..c3e2ba2438e4 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -7396,6 +7396,7 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type, const char *aad, size_t aad_len, int enc) /* {{{ */ { int i = 0; + size_t outlen = data_len + EVP_CIPHER_block_size(cipher_type); if (mode->is_single_run_aead && !EVP_CipherUpdate(cipher_ctx, NULL, &i, NULL, (int)data_len)) { php_openssl_store_errors(); @@ -7409,7 +7410,19 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type, return FAILURE; } - *poutbuf = zend_string_alloc((int)data_len + EVP_CIPHER_block_size(cipher_type), 0); +#ifdef EVP_CIPH_WRAP_MODE + if ((EVP_CIPHER_mode(cipher_type)) == EVP_CIPH_WRAP_MODE) { + /* + * RFC 5649 wrap-with-padding rounds the input up to the block size + * and prepends an integrity block, we reserve one extra block. + * See EVP_EncryptUpdate(3): wrap mode may write up to + * inl + cipher_block_size bytes. + */ + outlen += EVP_CIPHER_block_size(cipher_type); + } +#endif + + *poutbuf = zend_string_alloc(outlen, false); if (!EVP_CipherUpdate(cipher_ctx, (unsigned char*)ZSTR_VAL(*poutbuf), &i, (const unsigned char *)data, (int)data_len)) { @@ -7421,7 +7434,7 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type, } */ php_openssl_store_errors(); - zend_string_release_ex(*poutbuf, 0); + zend_string_release_ex(*poutbuf, false); return FAILURE; } diff --git a/ext/openssl/tests/gh22186.phpt b/ext/openssl/tests/gh22186.phpt new file mode 100644 index 000000000000..8f28e6c45b58 --- /dev/null +++ b/ext/openssl/tests/gh22186.phpt 
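Review bot: The comment added in the `EVP_CIPH_WRAP_MODE` branch cites a bound of `inl + cipher_block_size`, which is exactly what `outlen` already holds before the branch, so it does not explain why a second block is reserved. For wrap-with-padding the output is the input rounded up to a multiple of 8 plus one 8-byte integrity block, up to `data_len + 15` bytes, which exceeds `data_len + block_size` if the wrap ciphers report a block size of 8 (presumably; confirm against OpenSSL). I would reword the comment to state that arithmetic, for example `/* RFC 5649: output is ceil(data_len / 8) * 8 + 8 bytes, which can exceed data_len + block_size; reserve a second block. */`. Separately, `outlen` is now computed in `size_t` while `EVP_CipherUpdate()` still receives `(int)data_len`; the range check on `data_len` is presumably done by the caller, which is outside this hunk, as are the start and end of `php_openssl_cipher_update()`.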
@@ -0,0 +1,32 @@ +--TEST-- +GH-22186 (Heap buffer overflow in openssl_encrypt with AES-WRAP-PAD) +--EXTENSIONS-- +openssl +--SKIPIF-- + +--FILE-- + +--EXPECT-- +done From ae00731fd2acba692d179fd1262ed19b9afa37bf Mon Sep 17 00:00:00 2001 From: Ilia Alshanetsky Date: Mon, 29 Jun 2026 19:59:17 -0400 Subject: [PATCH 6/6] Fix GH-21006: JIT SEGV with property hooks and FETCH_OBJ_FUNC_ARG (#21369) FETCH_OBJ_FUNC_ARG reading a SIMPLE_GET property hook pushed the getter call frame mid-trace and corrupted the call being built, crashing at the following SEND_FUNC_ARG. Compile it inline like FETCH_OBJ_R, clearing the SIMPLE_GET flag so the read takes read_property. Arguments to a known callee resolve their by-ref-ness at compile time through the preceding CHECK_FUNC_ARG; named arguments and arguments to an unknown callee (e.g. a __call trampoline) get a run-time guard that deoptimizes to the interpreter when the argument is passed by reference. Fixes GH-21006 --- ext/opcache/jit/zend_jit_ir.c | 20 +++++++ ext/opcache/jit/zend_jit_trace.c | 9 ++- ext/opcache/jit/zend_jit_vm_helpers.c | 2 +- ext/opcache/tests/jit/gh21006.phpt | 79 +++++++++++++++++++++++++++ 4 files changed, 107 insertions(+), 3 deletions(-) create mode 100644 ext/opcache/tests/jit/gh21006.phpt diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c index 2fe0b1896a92..d62ef95b5513 100644 --- a/ext/opcache/jit/zend_jit_ir.c +++ b/ext/opcache/jit/zend_jit_ir.c 
@@ -14234,6 +14234,26 @@ static int zend_jit_class_guard(zend_jit_ctx *jit, const zend_op *opline, ir_ref return 1; } +static int zend_jit_func_arg_by_ref_guard(zend_jit_ctx *jit, const zend_op *opline) +{ + int32_t exit_point = zend_jit_trace_get_exit_point(opline, ZEND_JIT_EXIT_TO_VM); + const void *exit_addr = zend_jit_trace_get_exit_addr(exit_point); + ir_ref rx, call_info; + + if (!exit_addr) { + return 0; + } + if (jit->reuse_ip) { + rx = jit_IP(jit); + } else { + rx = ir_LOAD_A(jit_EX(call)); + } + call_info = ir_LOAD_U32(jit_CALL(rx, This.u1.type_info)); + ir_GUARD_NOT(ir_AND_U32(call_info, ir_CONST_U32(ZEND_CALL_SEND_ARG_BY_REF)), + ir_CONST_ADDR(exit_addr)); + return 1; +} + static int zend_jit_fetch_obj(zend_jit_ctx *jit, const zend_op *opline, const zend_op_array *op_array, diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c index 024a5d0e194d..77bfaa03473a 100644 --- a/ext/opcache/jit/zend_jit_trace.c +++ b/ext/opcache/jit/zend_jit_trace.c @@ -6037,10 +6037,15 @@ static zend_vm_opcode_handler_t zend_jit_trace(zend_jit_trace_rec *trace_buffer, case ZEND_FETCH_OBJ_FUNC_ARG: if (!JIT_G(current_frame) || !JIT_G(current_frame)->call - || !JIT_G(current_frame)->call->func - || !TRACE_FRAME_IS_LAST_SEND_BY_VAL(JIT_G(current_frame)->call)) { + || TRACE_FRAME_IS_LAST_SEND_BY_REF(JIT_G(current_frame)->call)) { break; } + if (!JIT_G(current_frame)->call->func + || !TRACE_FRAME_IS_LAST_SEND_BY_VAL(JIT_G(current_frame)->call)) { + if (!zend_jit_func_arg_by_ref_guard(&ctx, opline)) { + goto jit_failure; + } + } ZEND_FALLTHROUGH; case ZEND_FETCH_OBJ_R: case ZEND_FETCH_OBJ_IS: diff --git a/ext/opcache/jit/zend_jit_vm_helpers.c b/ext/opcache/jit/zend_jit_vm_helpers.c index 271d923598d9..85a81c1573bc 100644 --- a/ext/opcache/jit/zend_jit_vm_helpers.c +++ b/ext/opcache/jit/zend_jit_vm_helpers.c 
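Review bot: `zend_jit_func_arg_by_ref_guard()` is added without a header comment, and its contract is not obvious from the name alone. The body emits a guard that side-exits to the VM when `ZEND_CALL_SEND_ARG_BY_REF` is set in the pending call's `This.u1.type_info`, and returns 0 only when no exit address could be obtained. A short header would help, for example `/* Guard that the pending call takes the current argument by value; side-exits to the VM when ZEND_CALL_SEND_ARG_BY_REF is set. Returns 0 on failure. */`. The comment should also say that the guard relies on the flag having been updated for this argument before the fetch, presumably by the preceding CHECK_FUNC_ARG that the commit message mentions.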
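Review bot: The `ZEND_FETCH_OBJ_FUNC_ARG` case in `zend_jit_trace()` now distinguishes three states, but nothing in the code says so, and the second `if` reads like a leftover of the old condition. As written, a send known to be by reference takes the `break`, a known callee with a by-value send falls through unguarded, and everything else gets the run-time guard. A comment above the second `if`, such as `/* By-ref-ness not known at compile time (unknown callee or named argument): guard at run time. */`, would make that intent explicit for the next reader. The enclosing switch starts and ends outside the hunk.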
@@ -978,6 +978,7 @@ zend_jit_trace_stop ZEND_FASTCALL zend_jit_trace_execute(zend_execute_data *ex, } } break; + case ZEND_FETCH_OBJ_FUNC_ARG: case ZEND_FETCH_OBJ_R: { if (opline->op2_type == IS_CONST) { /* Remove the SIMPLE_GET flag to avoid inlining hooks. */ @@ -992,7 +993,6 @@ zend_jit_trace_stop ZEND_FASTCALL zend_jit_trace_execute(zend_execute_data *ex, case ZEND_FETCH_OBJ_W: case ZEND_FETCH_OBJ_RW: case ZEND_FETCH_OBJ_IS: - case ZEND_FETCH_OBJ_FUNC_ARG: case ZEND_FETCH_OBJ_UNSET: case ZEND_ASSIGN_OBJ: case ZEND_ASSIGN_OBJ_OP: diff --git a/ext/opcache/tests/jit/gh21006.phpt b/ext/opcache/tests/jit/gh21006.phpt new file mode 100644 index 000000000000..a201391505ab --- /dev/null +++ b/ext/opcache/tests/jit/gh21006.phpt @@ -0,0 +1,79 @@ +--TEST-- +GH-21006: JIT SEGV with FETCH_OBJ_FUNC_ARG and property hooks +--INI-- +opcache.enable=1 +opcache.enable_cli=1 +opcache.jit=tracing +opcache.jit_hot_loop=1 +opcache.jit_hot_func=1 +opcache.jit_hot_return=1 +opcache.jit_hot_side_exit=1 +--FILE-- + 'sha256'; + } + + public function sign() + { + return hash_hmac( + algo: $this->prop, + data: '', + key: '', + ); + } +} + +$obj = new C(); +for ($i = 0; $i < 100; $i++) { + $obj->sign(); +} + +#[\AllowDynamicProperties] +class D +{ + public function test() + { + return hash_hmac( + algo: $this->algo, + data: '', + key: '', + ); + } +} + +$d = new D(); +$d->algo = 'sha256'; +for ($i = 0; $i < 100; $i++) { + $d->test(); +} + +class E +{ + public $prop { + get => []; + } + + public function sign() + { + (new Trampoline)->f($this->prop); + } +} + +class Trampoline +{ + public function __call($name, $args) {} +} + +$e = new E(); +for ($i = 0; $i < 100; $i++) { + $e->sign(); +} +echo "OK\n"; +?> +--EXPECT-- +OK
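Review bot: None of the three cases visible in `gh21006.phpt` sends the fetched property to a by-reference parameter, so the side exit of the new run-time guard is compiled but apparently never taken. Classes `C` and `D` pass `$this->prop` / `$this->algo` as the by-value `algo:` argument of `hash_hmac()`, and class `E` goes through a `__call` trampoline; part of the `--FILE--` section is missing from this page, so this is based on the visible text only. I would add a fourth loop in which the named-argument or unknown-callee path reaches a callee that declares the parameter by reference, and assert the observable result, so that the deoptimization path is exercised as well as the inlined read.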