Commit e776695abf4 for php.net
commit e776695abf406758650e0ef765e5d1b21f68ddba
Merge: aaae1171579 6e124d0df67
Author: Jakub Zelenka <bukka@php.net>
Date: Tue Dec 16 15:34:19 2025 +0100
Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
Update NEWS with info about security issues
Fix GHSA-www2-q4fc-65wf
Fix GHSA-h96m-rvf9-jgm2
Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
Fix GH-20584: Information Leak of Memory
diff --cc NEWS
index 5cbee8cb2c5,117481ff895..beff3f224ce
--- a/NEWS
+++ b/NEWS
@@@ -1,728 -1,709 +1,737 @@@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? ????, PHP 8.2.30
+?? ??? ????, PHP 8.3.30
-- Curl:
- . Fix curl build and test failures with version 8.16.
- (nielsdos, ilutov, Jakub Zelenka)
+- Core:
+ . Fix OSS-Fuzz #465488618 (Wrong assumptions when dumping function signature
+ with dynamic class const lookup default argument). (ilutov)
+ . Fixed bug GH-20695 (Assertion failure in normalize_value() when parsing
+ malformed INI input via parse_ini_string()). (ndossche)
+
+- Bz2:
+ . Fixed bug GH-20620 (bzcompress overflow on large source size).
+ (David Carlier)
+
+- GD:
+ . Fixed bug GH-20622 (imagestring/imagestringup overflow). (David Carlier)
+
+- LDAP:
+ . Fix memory leak in ldap_set_options(). (ndossche)
+
+- Mbstring
+ . Fixed bug GH-20674 (Fix GH-20674 mb_decode_mimeheader does not handle
+ separator). (Yuya Hamada)
+
+- SPL:
+ . Fixed bug GH-20678 (resource created by GlobIterator crashes with fclose()).
+ (David Carlier)
+
+- Sqlite3:
+ . Fixed bug GH-20699 (SQLite3Result fetchArray return array|false,
+ null returned). (ndossche, plusminmax)
+
+- Standard:
+ . Fix error check for proc_open() command. (ndossche)
+
+18 Dec 2025, PHP 8.3.29
+
+- Core:
+ . Sync all boost.context files with release 1.86.0. (mvorisek)
+ . Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument
+ passing to variadic parameter). (ndossche)
+ . Fixed bug GH-20286 (use-after-destroy during userland stream_close()).
+ (ndossche, David Carlier)
+
+- Bz2:
+ . Fix assertion failures resulting in crashes with stream filter
+ object parameters. (ndossche)
+
+- Date:
+ . Fix crashes when trying to instantiate uninstantiable classes via date
+ static constructors. (ndossche)
+
+- DOM:
+ . Fix missing NUL byte check on C14NFile(). (ndossche)
+
+- Fibers:
+ . Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI
+ small value). (David Carlier)
+
+- FTP:
+ . Fixed bug GH-20601 (ftp_connect overflow on timeout). (David Carlier)
+
+- GD:
+ . Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
+ (David Carlier)
+ . Fixed bug GH-20602 (imagescale overflow with large height values).
+ (David Carlier)
+
+- Intl:
+ . Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message
+ suggests missing constants). (DanielEScherzer)
+
+- LibXML:
+ . Fix some deprecations on newer libxml versions regarding input
+ buffer/parser handling. (ndossche)
+
+- MbString:
+ . Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma).
+ (ndossche)
+ . Fixed bug GH-20492 (mbstring compile warning due to non-strings).
+ (ndossche)
+
+- mysqli:
+ . Make mysqli_begin_transaction() report errors properly. (Kamil Tekiela)
+
+- MySQLnd:
+ . Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address
+ enclosed in square brackets). (Remi)
- Opcache:
- . Reset global pointers to prevent use-after-free in zend_jit_status().
- (Florian Engelhardt)
+ . Fixed bug GH-20329 (opcache.file_cache broken with full interned string
+ buffer). (Arnaud)
+ - PDO:
+ . Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180)
+ (Jakub Zelenka)
+
+- Phar:
+ . Fixed bug GH-20442 (Phar does not respect case-insensitiveness of
+ __halt_compiler() when reading stub). (ndossche, TimWolla)
+ . Fix broken return value of fflush() for phar file entries. (ndossche)
+ . Fix assertion failure when fseeking a phar file out of bounds. (ndossche)
+
+- PHPDBG:
+ . Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog().
+ (Girgias)
+
+- SPL:
+ . Fixed bug GH-20614 (SplFixedArray incorrectly handles references
+ in deserialization). (ndossche)
+
- Standard:
+ . Fix memory leak in array_diff() with custom type checks. (ndossche)
+ . Fixed bug GH-20583 (Stack overflow in http_build_query
+ via deep structures). (ndossche)
- . Fixed bug GH-20584 (Information Leak of Memory). (ndossche)
+ . Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()).
+ (ndossche)
+ . Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()).
+ (CVE-2025-14178) (ndossche)
+ . Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize).
+ (CVE-2025-14177) (ndossche)
-03 Jul 2025, PHP 8.2.29
+- Tidy:
+ . Fixed bug GH-20374 (PHP with tidy and custom-tags). (ndossche)
-- PGSQL:
- . Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during
- escaping). (CVE-2025-1735) (Jakub Zelenka)
+- XML:
+ . Fixed bug GH-20439 (xml_set_default_handler() does not properly handle
+ special characters in attributes when passing data to callback). (ndossche)
-- SOAP:
- . Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension
- via Large XML Namespace Prefix). (CVE-2025-6491) (Lekssays, nielsdos)
+- Zip:
+ . Fix crash in property existence test. (ndossche)
+ . Don't truncate return value of zip_fread() with user sizes. (ndossche)
-- Standard:
- . Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames).
- (CVE-2025-1220) (Jakub Zelenka)
+- Zlib:
+ . Fix assertion failures resulting in crashes with stream filter
+ object parameters. (ndossche)
-13 Mar 2025, PHP 8.2.28
+20 Nov 2025, PHP 8.3.28
- Core:
- . Fixed bug GH-17211 (observer segfault on function loaded with dl()).
- (Arnaud)
-
-- LibXML:
- . Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714). (nielsdos)
- . Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header
- when requesting a redirected resource). (CVE-2025-1219) (timwolla)
-
-- Streams:
- . Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit
- basic auth header). (CVE-2025-1736) (Jakub Zelenka)
- . Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location
- to 1024 bytes). (CVE-2025-1861) (Jakub Zelenka)
- . Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers
- without colon). (CVE-2025-1734) (Jakub Zelenka)
- . Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not
- handle folded headers). (CVE-2025-1217) (Jakub Zelenka)
-
-- Windows:
- . Fixed phpize for Windows 11 (24H2). (bwoebi)
-
-19 Dec 2024, PHP 8.2.27
-
-- Calendar:
- . Fixed jdtogregorian overflow. (David Carlier)
- . Fixed cal_to_jd julian_days argument overflow. (David Carlier)
-
-- COM:
- . Fixed bug GH-16991 (Getting typeinfo of non DISPATCH variant segfaults).
- (cmb)
+ . Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv). (ilutov)
+ . Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on
+ reference). (nielsdos)
+ . Fixed bug GH-19844 (Don't bail when closing resources on shutdown). (ilutov)
+ . Fixed bug GH-20177 (Accessing overridden private property in
+ get_object_vars() triggers assertion error). (ilutov)
+ . Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval).
+ (ilutov)
-- Core:
- . Fail early in *nix configuration build script. (hakre)
- . Fixed bug GH-16727 (Opcache bad signal 139 crash in ZTS bookworm
- (frankenphp)). (nielsdos)
- . Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
- (nielsdos)
- . Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
- (nielsdos)
- . Fix is_zend_ptr() huge block comparison. (nielsdos)
- . Fixed potential OOB read in zend_dirname() on Windows. (cmb)
+- DOM:
+ . Partially fixed bug GH-16317 (DOM classes do not allow
+ __debugInfo() overrides to work). (nielsdos)
-- Curl:
- . Fix various memory leaks in curl mime handling. (nielsdos)
+- Exif:
+ . Fix possible memory leak when tag is empty. (nielsdos)
- FPM:
- . Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka)
+ . Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel
+ execution). (Jakub Zelenka, txuna)
+
+- FTP:
+ . Fixed bug GH-20240 (FTP with SSL: ftp_fput(): Connection timed out on
+ successful writes). (nielsdos)
- GD:
- . Fixed GH-16776 (imagecreatefromstring overflow). (David Carlier)
+ . Fixed bug GH-20070 (Return type violation in imagefilter when an invalid
+ filter is provided). (Girgias)
-- GMP:
- . Revert gmp_pow() overly restrictive overflow checks.
- (David Carlier)
+- Intl:
+ . Fix memory leak on error in locale_filter_matches(). (nielsdos)
-- Hash:
- . Fixed GH-16711: Segfault in mhash(). (Girgias)
+- LibXML:
+ . Fix not thread safe schema/relaxng calls. (SpencerMalone, nielsdos)
-- Opcache:
- . Fixed bug GH-16770 (Tracing JIT type mismatch when returning UNDEF).
- (nielsdos, Dmitry)
- . Fixed bug GH-16851 (JIT_G(enabled) not set correctly on other threads).
- (dktapps)
- . Fixed bug GH-16902 (Set of opcache tests fail zts+aarch64). (nielsdos)
+- MySQLnd:
+ . Fixed bug GH-8978 (SSL certificate verification fails (port doubled)).
+ (nielsdos)
+ . Fixed bug GH-20122 (getColumnMeta() for JSON-column in MySQL). (nielsdos)
-- OpenSSL:
- . Prevent unexpected array entry conversion when reading key. (nielsdos)
- . Fix various memory leaks related to openssl exports. (nielsdos)
- . Fix memory leak in php_openssl_pkey_from_zval(). (nielsdos)
+- Opcache:
+ . Fixed bug GH-20081 (access to uninitialized vars in preload_load()).
+ (Arnaud)
+ . Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15).
+ (Arnaud, Shivam Mathur)
-- PDO:
- . Fixed memory leak of `setFetchMode()`. (SakiTakamachi)
+- PgSql:
+ . Fix memory leak when first string conversion fails. (nielsdos)
+ . Fix segfaults when attempting to fetch row into a non-instantiable class
+ name. (Girgias, nielsdos)
- Phar:
- . Fixed bug GH-16695 (phar:// tar parser and zero-length file header blocks).
- (nielsdos, Hans Krentel)
-
-- PHPDBG:
- . Fixed bug GH-15208 (Segfault with breakpoint map and phpdbg_clear()).
+ . Fix memory leak of argument in webPhar. (nielsdos)
+ . Fix memory leak when setAlias() fails. (nielsdos)
+ . Fix a bunch of memory leaks in phar_parse_zipfile() error handling.
(nielsdos)
+ . Fix file descriptor/memory leak when opening central fp fails. (nielsdos)
+ . Fix memleak+UAF when opening temp stream in buildFromDirectory() fails.
+ (nielsdos)
+ . Fix potential buffer length truncation due to usage of type int instead
+ of type size_t. (Girgias)
+ . Fix memory leak when openssl polyfill returns garbage. (nielsdos)
+ . Fix file descriptor leak in phar_zip_flush() on failure. (nielsdos)
+ . Fix memory leak when opening temp file fails while trying to open
+ gzip-compressed archive. (nielsdos)
+ . Fixed bug GH-20302 (Freeing a phar alias may invalidate
+ PharFileInfo objects). (nielsdos)
-- SAPI:
- . Fixed bug GH-16998 (UBSAN warning in rfc1867). (nielsdos)
+- Random:
+ . Fix Randomizer::__serialize() w.r.t. INDIRECTs. (nielsdos)
- SimpleXML:
- . Fixed bug GH-16808 (Segmentation fault in RecursiveIteratorIterator
- ->current() with a xml element input). (nielsdos)
-
-- SNMP:
- . Fixed bug GH-16959 (snmget modifies the object_id array).
- (David Carlier)
+ . Partially fixed bug GH-16317 (SimpleXML does not allow __debugInfo() overrides
+ to work). (nielsdos)
- Standard:
- . Fixed bug GH-16905 (Internal iterator functions can't handle UNDEF
- properties). (nielsdos)
+ . Fix shm corruption with coercion in options of unserialize(). (nielsdos)
- Streams:
- . Fixed network connect poll interuption handling. (Jakub Zelenka)
+ . Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect
+ condition for Win32/Win64. (Jakub Zelenka)
+ . Fixed bug GH-20370 (User stream filters could violate typed property
+ constraints). (alexandre-daubois)
-- Windows:
- . Fixed bug GH-16849 (Error dialog causes process to hang). (cmb)
+- Tidy:
+ . Fixed GH-19021 (improved tidyOptGetCategory detection).
+ (arjendekorte, David Carlier, Peter Kokot)
+ . Fix UAF in tidy when tidySetErrorBuffer() fails. (nielsdos)
-21 Nov 2024, PHP 8.2.26
+- XMLReader:
+ . Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available.
+ (nielsdos)
-- CLI:
- . Fixed bug GH-16373 (Shebang is not skipped for router script in cli-server
- started through shebang). (ilutov)
- . Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data
- Processing in CLI SAPI Interface). (nielsdos)
+- Windows:
+ . Fix GH-19722 (_get_osfhandle asserts in debug mode when given a socket).
+ (dktapps)
-- COM:
- . Fixed out of bound writes to SafeArray data. (cmb)
+- Zip:
+ . Fix memory leak when passing enc_method/enc_password is passed as option
+ for ZipArchive::addGlob()/addPattern() and with consecutive calls.
+ (David Carlier)
+
+23 Oct 2025, PHP 8.3.27
- Core:
- . Fixed bug GH-16168 (php 8.1 and earlier crash immediately when compiled
- with Xcode 16 clang on macOS 15). (nielsdos)
- . Fixed bug GH-16371 (Assertion failure in Zend/zend_weakrefs.c:646). (Arnaud)
- . Fixed bug GH-16515 (Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for
- call trampoline). (ilutov)
- . Fixed bug GH-16509 (Incorrect line number in function redeclaration error).
- (ilutov)
- . Fixed bug GH-16508 (Incorrect line number in inheritance errors of delayed
- early bound classes). (ilutov)
- . Fixed bug GH-16648 (Use-after-free during array sorting). (ilutov)
- . Fixed bug GH-15915 (overflow with a high value for precision INI).
- (David Carlier / cmb)
+ . Fixed bug GH-19765 (object_properties_load() bypasses readonly property
+ checks). (timwolla)
+ . Fixed hard_timeout with --enable-zend-max-execution-timers. (Appla)
+ . Fixed bug GH-19792 (SCCP causes UAF for return value if both warning and
+ exception are triggered). (nielsdos)
+ . Fixed bug GH-19653 (Closure named argument unpacking between temporary
+ closures can cause a crash). (nielsdos, Arnaud, Bob)
+ . Fixed bug GH-19839 (Incorrect HASH_FLAG_HAS_EMPTY_IND flag on userland
+ array). (ilutov)
+ . Fixed bug GH-19480 (error_log php.ini cannot be unset when open_basedir is
+ configured). (nielsdos)
+ . Fixed bug GH-20002 (Broken build on *BSD with MSAN). (outtersg)
+
+- CLI:
+ . Fix useless "Failed to poll event" error logs due to EAGAIN in CLI server
+ with PHP_CLI_SERVER_WORKERS. (leotaku)
- Curl:
- . Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if
- curl_multi_add_handle fails). (timwolla)
+ . Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead
+ of the curl_copy_handle() function to clone a CurlHandle. (timwolla)
+ . Fix curl build and test failures with version 8.16.
+ (nielsdos, ilutov, Jakub Zelenka)
- Date:
- . Fixed bug GH-16454 (Unhandled INF in date_sunset() with tiny $utcOffset).
- (cmb)
- . Fixed bug GH-16037 (Assertion failure in ext/date/php_date.c). (Derick)
- . Fixed bug GH-14732 (date_sun_info() fails for non-finite values). (cmb)
+ . Fixed GH-17159: "P" format for ::createFromFormat swallows string literals.
+ (nielsdos)
- DBA:
- . Fixed bug GH-16390 (dba_open() can segfault for "pathless" streams). (cmb)
+ . Fixed GH-19885 (dba_fetch() overflow on skip argument). (David Carlier)
-- DOM:
- . Fixed bug GH-16316 (DOMXPath breaks when not initialized properly).
- (nielsdos)
- . Fixed bug GH-16473 (dom_import_simplexml stub is wrong). (nielsdos)
- . Fixed bug GH-16533 (Segfault when adding attribute to parent that is not
- an element). (nielsdos)
- . Fixed bug GH-16535 (UAF when using document as a child). (nielsdos)
- . Fixed bug GH-16593 (Assertion failure in DOM->replaceChild). (nielsdos)
- . Fixed bug GH-16595 (Another UAF in DOM -> cloneNode). (nielsdos)
+- GD:
+ . Fixed GH-19955 (imagefttext() memory leak). (David Carlier)
-- EXIF:
- . Fixed bug GH-16409 (Segfault in exif_thumbnail when not dealing with a
- real file). (nielsdos, cmb)
+- MySQLnd:
+ . Fixed bug #67563 (mysqli compiled with mysqlnd does not take ipv6 adress
+ as parameter). (nielsdos)
-- FFI:
- . Fixed bug GH-16397 (Segmentation fault when comparing FFI object).
+- Phar:
+ . Fix memory leak and invalid continuation after tar header writing fails.
+ (nielsdos)
+ . Fix memory leaks when creating temp file fails when applying zip signature.
(nielsdos)
-- Filter:
- . Fixed bug GH-16523 (FILTER_FLAG_HOSTNAME accepts ending hyphen). (cmb)
+- SimpleXML:
+ . Fixed bug GH-19988 (zend_string_init with NULL pointer in simplexml (UB)).
+ (nielsdos)
-- FPM:
- . Fixed bug GH-16628 (FPM logs are getting corrupted with this log
- statement). (nielsdos)
+- Soap:
+ . Fixed bug GH-19784 (SoapServer memory leak). (nielsdos)
+ . Fixed bug GH-20011 (Array of SoapVar of unknown type causes crash).
+ (nielsdos)
-- GD:
- . Fixed bug GH-16334 (imageaffine overflow on matrix elements).
- (David Carlier)
- . Fixed bug GH-16427 (Unchecked libavif return values). (cmb)
- . Fixed bug GH-16559 (UBSan abort in ext/gd/libgd/gd_interpolation.c:1007).
+- Standard:
+ . Fixed bug GH-12265 (Cloning an object breaks serialization recursion).
(nielsdos)
+ . Fixed bug GH-19701 (Serialize/deserialize loses some data). (nielsdos)
+ . Fixed bug GH-19801 (leaks in var_dump() and debug_zval_dump()).
+ (alexandre-daubois)
+ . Fixed bug GH-20043 (array_unique assertion failure with RC1 array
+ causing an exception on sort). (nielsdos)
+ . Fixed bug GH-19926 (reset internal pointer earlier while splicing array
+ while COW violation flag is still set). (alexandre-daubois)
+ . Fixed bug GH-19570 (unable to fseek in /dev/zero and /dev/null).
+ (nielsdos, divinity76)
-- GMP:
- . Fixed bug GH-16411 (gmp_export() can cause overflow). (cmb)
- . Fixed bug GH-16501 (gmp_random_bits() can cause overflow).
- (David Carlier)
- . Fixed segfaults and other issues related to operator overloading with
- GMP objects. (Girgias)
+- Streams:
+ . Fixed bug GH-19248 (Use strerror_r instead of strerror in main).
+ (Jakub Zelenka)
+ . Fixed bug GH-17345 (Bug #35916 was not completely fixed). (nielsdos)
+ . Fixed bug GH-19705 (segmentation when attempting to flush on non seekable
+ stream. (bukka/David Carlier)
-- LDAP:
- . Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932)
- (nielsdos)
+- XMLReader:
+ . Fixed bug GH-20009 (XMLReader leak on RelaxNG schema failure). (nielsdos)
-- MBstring:
- . Fixed bug GH-16361 (mb_substr overflow on start/length arguments).
+- Zip:
+ . Fixed bug GH-19688 (Remove pattern overflow in zip addGlob()). (nielsdos)
+ . Fixed bug GH-19932 (Memory leak in zip setEncryptionName()/setEncryptionIndex()).
(David Carlier)
-- MySQLnd:
- . Fixed bug GHSA-h35g-vwh6-m678 (Leak partial content of the heap through
- heap buffer over-read). (CVE-2024-8929) (Jakub Zelenka)
+- Zlib:
+ . Fixed bug GH-19922 (Double free on gzopen). (David Carlier)
-- OpenSSL:
- . Fixed bug GH-16357 (openssl may modify member types of certificate arrays).
- (cmb)
- . Fixed bug GH-16433 (Large values for openssl_csr_sign() $days overflow).
- (cmb)
- . Fix various memory leaks on error conditions in openssl_x509_parse().
- (nielsdos)
+25 Sep 2025, PHP 8.3.26
-- PDO DBLIB:
- . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing
- OOB writes). (CVE-2024-11236) (nielsdos)
+- Core:
+ . Fixed bug GH-18850 (Repeated inclusion of file with __halt_compiler()
+ triggers "Constant already defined" warning). (ilutov)
+ . Partially fixed bug GH-19542 (Scanning of string literals >=2GB will fail
+ due to signed int overflow). (ilutov)
+ . Fixed bug GH-19544 (GC treats ZEND_WEAKREF_TAG_MAP references as WeakMap
+ references). (Arnaud, timwolla)
+ . Fixed bug GH-19613 (Stale array iterator pointer). (ilutov)
+ . Fixed bug GH-19679 (zend_ssa_range_widening may fail to converge). (Arnaud)
+ . Fixed bug GH-19681 (PHP_EXPAND_PATH broken with bash 5.3.0). (Remi)
+ . Fixed bug GH-19720 (Assertion failure when error handler throws when
+ accessing a deprecated constant). (nielsdos)
-- PDO Firebird:
- . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter
- causing OOB writes). (CVE-2024-11236) (nielsdos)
-
-- PDO ODBC:
- . Fixed bug GH-16450 (PDO_ODBC can inject garbage into field values). (cmb)
+- CLI:
+ . Fixed bug GH-19461 (Improve error message on listening error with IPv6
+ address). (alexandre-daubois)
-- Phar:
- . Fixed bug GH-16406 (Assertion failure in ext/phar/phar.c:2808). (nielsdos)
+- Date:
+ . Fixed date_sunrise() and date_sunset() with partial-hour UTC offset.
+ (ilutov)
-- PHPDBG:
- . Fixed bug GH-16174 (Empty string is an invalid expression for ev). (cmb)
+- DOM:
+ . Fixed bug GH-19612 (Mitigate libxml2 tree dictionary bug). (nielsdos)
-- Reflection:
- . Fixed bug GH-16601 (Memory leak in Reflection constructors). (nielsdos)
+- FPM:
+ . Fixed failed debug assertion when php_admin_value setting fails. (ilutov)
-- Session:
- . Fixed bug GH-16385 (Unexpected null returned by session_set_cookie_params).
- (nielsdos)
- . Fixed bug GH-16290 (overflow on cookie_lifetime ini value).
+- GD:
+ . Fixed bug GH-19579 (imagefilledellipse underflow on width argument).
(David Carlier)
-- SOAP:
- . Fixed bug GH-16429 (Segmentation fault access null pointer in SoapClient).
- (nielsdos)
+- Intl:
+ . Fixed bug GH-11952 (Fix locale strings canonicalization for IntlDateFormatter
+ and NumberFormatter). (alexandre-daubois)
-- Sockets:
- . Fixed bug with overflow socket_recvfrom $length argument. (David Carlier)
+- OpenSSL:
+ . Fixed bug GH-19245 (Success error message on TLS stream accept failure).
+ (Jakub Zelenka)
-- SPL:
- . Fixed bug GH-16337 (Use-after-free in SplHeap). (nielsdos)
- . Fixed bug GH-16464 (Use-after-free in SplDoublyLinkedList::offsetSet()).
- (ilutov)
- . Fixed bug GH-16479 (Use-after-free in SplObjectStorage::setInfo()). (ilutov)
- . Fixed bug GH-16478 (Use-after-free in SplFixedArray::unset()). (ilutov)
- . Fixed bug GH-16588 (UAF in Observer->serialize). (nielsdos)
- . Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed
- SplFileObject::__constructor). (Girgias)
- . Fixed bug GH-16589 (UAF in SplDoublyLinked->serialize()). (nielsdos)
- . Fixed bug GH-14687 (segfault on SplObjectIterator instance).
- (David Carlier)
- . Fixed bug GH-16604 (Memory leaks in SPL constructors). (nielsdos)
- . Fixed bug GH-16646 (UAF in ArrayObject::unset() and
- ArrayObject::exchangeArray()). (ilutov)
+- PGSQL:
+ . Fixed bug GH-19485 (potential use after free when using persistent pgsql
+ connections). (Mark Karpeles)
+
+- Phar:
+ . Fixed memory leaks when verifying OpenSSL signature. (Girgias)
+ . Fix memory leak in phar tar temporary file error handling code. (nielsdos)
+ . Fix metadata leak when phar convert logic fails. (nielsdos)
+ . Fix memory leak on failure in phar_convert_to_other(). (nielsdos)
+ . Fixed bug GH-19752 (Phar decompression with invalid extension
+ can cause UAF). (nielsdos)
- Standard:
- . Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with
- bail enabled). (ilutov)
+ . Fixed bug GH-16649 (UAF during array_splice). (alexandre-daubois)
+ . Fixed bug GH-19577 (Avoid integer overflow when using a small offset
+ and PHP_INT_MAX with LimitIterator). (alexandre-daubois)
- Streams:
- . Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context
- might allow for CRLF injection in URIs). (CVE-2024-11234) (Jakub Zelenka)
- . Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with
- convert.quoted-printable-decode filter). (CVE-2024-11233) (nielsdos)
-
-- SysVMsg:
- . Fixed bug GH-16592 (msg_send() crashes when a type does not properly
- serialized). (David Carlier / cmb)
-
-- SysVShm:
- . Fixed bug GH-16591 (Assertion error in shm_put_var). (nielsdos, cmb)
-
-- XMLReader:
- . Fixed bug GH-16292 (Segmentation fault in ext/xmlreader/php_xmlreader.c).
+ . Remove incorrect call to zval_ptr_dtor() in user_wrapper_metadata().
(nielsdos)
+ . Fix OSS-Fuzz #385993744. (nielsdos)
-- Zlib:
- . Fixed bug GH-16326 (Memory management is broken for bad dictionaries.)
- (cmb)
-
-24 Oct 2024, PHP 8.2.25
+- Tidy:
+ . Fixed GH-19021 build issue with libtidy in regard of tidyOptIsReadonly
+ deprecation and TidyInternalCategory being available later than
+ tidyOptGetCategory. (arjendekorte)
-- Calendar:
- . Fixed GH-16240: jdtounix overflow on argument value. (David Carlier)
- . Fixed GH-16241: easter_days/easter_date overflow on year argument.
- (David Carlier)
- . Fixed GH-16263: jddayofweek overflow. (cmb)
- . Fixed GH-16234: jewishtojd overflow. (nielsdos)
+- Zip:
+ . Fix memory leak in zip when encountering empty glob result. (nielsdos)
-- CLI:
- . Fixed bug GH-16137: duplicate http headers when set several times by
- the client. (David Carlier)
+28 Aug 2025, PHP 8.3.25
- Core:
- . Fixed bug GH-15712: zend_strtod overflow with precision INI set on
- large value. (David Carlier)
- . Fixed bug GH-15905 (Assertion failure for TRACK_VARS_SERVER). (cmb)
- . Fixed bug GH-15907 (Failed assertion when promoting Serialize deprecation to
- exception). (ilutov)
- . Fixed bug GH-15851 (Segfault when printing backtrace during cleanup of
- nested generator frame). (ilutov)
- . Fixed bug GH-15866 (Core dumped in Zend/zend_generators.c). (Arnaud)
- . Fixed bug GH-16188 (Assertion failure in Zend/zend_exceptions.c). (Arnaud)
- . Fixed bug GH-16233 (Observer segfault when calling user function in
- internal function via trampoline). (nielsdos)
+ . Fixed GH-19169 build issue with C++17 and ZEND_STATIC_ASSERT macro.
+ (psumbera)
+ . Fixed bug GH-18581 (Coerce numeric string keys from iterators when argument
+ unpacking). (ilutov)
+ . Fixed OSS-Fuzz #434346548 (Failed assertion with throwing __toString in
+ binary const expr). (ilutov)
+ . Fixed bug GH-19305 (Operands may be being released during comparison).
+ (Arnaud)
+ . Fixed bug GH-19303 (Unpacking empty packed array into uninitialized array
+ causes assertion failure). (nielsdos)
+ . Fixed bug GH-19306 (Generator can be resumed while fetching next value from
+ delegated Generator). (Arnaud)
+ . Fixed bug GH-19326 (Calling Generator::throw() on a running generator with
+ a non-Generator delegate crashes). (Arnaud)
+ . Fixed bug GH-18736 (Circumvented type check with return by ref + finally).
+ (ilutov)
+ . Fixed zend call stack size for macOs/arm64. (David Carlier)
+ . Fixed bug GH-19065 (Long match statement can segfault compiler during
+ recursive SSA renaming). (nielsdos, Arnaud)
-- Date:
- . Fixed bug GH-15582: Crash when not calling parent constructor of
- DateTimeZone. (Derick)
- . Fixed regression where signs after the first one were ignored while parsing
- a signed integer, with the DateTimeInterface::modify() function. (Derick)
+- Calendar:
+ . Fixed bug GH-19371 (integer overflow in calendar.c). (nielsdos)
-- DOM:
- . Fixed bug GH-16039 (Segmentation fault (access null pointer) in
- ext/dom/parentnode/tree.c). (nielsdos)
- . Fixed bug GH-16151 (Assertion failure in ext/dom/parentnode/tree.c).
- (nielsdos)
+- FTP:
+ . Fix theoretical issues with hrtime() not being available. (nielsdos)
- GD:
- . Fixed bug GH-16232 (bitshift overflow on wbmp file content reading /
- fix backport from upstream). (David Carlier)
- . Fixed bug GH-12264 (overflow/underflow on imagerotate degrees value)
+ . Fix incorrect comparison with result of php_stream_can_cast(). (Girgias)
+
+- Hash:
+ . Fix crash on clone failure. (nielsdos)
+
+- Intl:
+ . Fixed GH-19261: msgfmt_parse_message leaks on message creation failure.
(David Carlier)
- . Fixed bug GH-16274 (imagescale underflow on RBG channels /
- fix backport from upstream). (David Carlier)
+ . Fix return value on failure for resourcebundle count handler. (Girgias)
- LDAP:
- . Fixed bug GH-16032 (Various NULL pointer dereferencements in
- ldap_modify_batch()). (Girgias)
- . Fixed bug GH-16101 (Segfault in ldap_list(), ldap_read(), and ldap_search()
- when LDAPs array is not a list). (Girgias)
- . Fix GH-16132 (php_ldap_do_modify() attempts to free pointer not allocated
- by ZMM.). (Girgias)
- . Fix GH-16136 (Memory leak in php_ldap_do_modify() when entry is not a
- proper dictionary). (Girgias)
-
-- MBString:
- . Fixed bug GH-16261 (Reference invariant broken in mb_convert_variables()).
- (nielsdos)
+ . Fixed bug GH-18529 (additional inheriting of TLS int options).
+ (Jakub Zelenka)
-- OpenSSL:
- . Fixed stub for openssl_csr_new. (Jakub Zelenka)
+- LibXML:
+ . Fixed bug GH-19098 (libxml<2.13 segmentation fault caused by
+ php_libxml_node_free). (nielsdos)
-- PCRE:
- . Fixed bug GH-16189 (underflow on offset argument). (David Carlier)
- . Fixed bug GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c).
+- MbString:
+ . Fixed bug GH-19397 (mb_list_encodings() can cause crashes on shutdown).
(nielsdos)
-- PHPDBG:
- . Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs). (cmb)
- . Fixed bug GH-16181 (phpdbg: exit in exception handler reports fatal error).
- (cmb)
-
-- Reflection:
- . Fixed bug GH-16187 (Assertion failure in ext/reflection/php_reflection.c).
- (DanielEScherzer)
+- Opcache:
+ . Reset global pointers to prevent use-after-free in zend_jit_status().
+ (Florian Engelhardt)
-- SAPI:
- . Fixed bug GH-15395 (php-fpm: zend_mm_heap corrupted with cgi-fcgi request).
- (Jakub Zelenka, David Carlier)
+- OpenSSL:
+ . Fixed bug GH-18986 (OpenSSL backend: incorrect RAND_{load,write}_file()
+ return value check). (nielsdos, botovq)
+ . Fix error return check of EVP_CIPHER_CTX_ctrl(). (nielsdos)
+ . Fixed bug GH-19428 (openssl_pkey_derive segfaults for DH derive with low
+ key_length param). (Jakub Zelenka)
-- SimpleXML:
- . Fixed bug GH-15837 (Segmentation fault in ext/simplexml/simplexml.c).
- (nielsdos)
+- PDO Pgsql:
+ . Fixed dangling pointer access on _pdo_pgsql_trim_message helper.
+ (dixyes)
-- Sockets:
- . Fixed bug GH-16267 (socket_strerror overflow on errno argument).
- (David Carlier)
+- Readline:
+ . Fixed bug GH-19250 and bug #51360 (Invalid conftest for rl_pending_input).
+ (petk, nielsdos)
- SOAP:
- . Fixed bug #62900 (Wrong namespace on xsd import error message). (nielsdos)
- . Fixed bug GH-16237 (Segmentation fault when cloning SoapServer). (nielsdos)
- . Fix Soap leaking http_msg on error. (nielsdos)
- . Fixed bug GH-16256 (Assertion failure in ext/soap/php_encoding.c:460).
- (nielsdos)
- . Fixed bug GH-16259 (Soap segfault when classmap instantiation fails).
- (nielsdos)
+ . Fixed bug GH-18640 (heap-use-after-free ext/soap/php_encoding.c:299:32
+ in soap_check_zval_ref). (nielsdos)
-- Standard:
- . Fixed bug GH-15613 (overflow on unpack call hex string repeater).
- (David Carlier)
- . Fixed bug GH-15937 (overflow on stream timeout option value).
- (David Carlier)
- . Fixed bug GH-16053 (Assertion failure in Zend/zend_hash.c). (Arnaud)
+- Sockets:
+ . Fix some potential crashes on incorrect argument value. (nielsdos)
-- Streams:
- . Fixed bugs GH-15908 and GH-15026 (leak / assertion failure in streams.c).
+- Standard:
+ . Fixed OSS Fuzz #433303828 (Leak in failed unserialize() with opcache).
+ (ilutov)
+ . Fix theoretical issues with hrtime() not being available. (nielsdos)
+ . Fixed bug GH-19300 (Nested array_multisort invocation with error breaks).
(nielsdos)
- . Fixed bug GH-15980 (Signed integer overflow in main/streams/streams.c).
- (cmb)
-- TSRM:
- . Prevent closing of unrelated handles. (cmb)
-
-- XML:
- . Fixed bug GH-15868 (Assertion failure in xml_parse_into_struct after
- exception). (nielsdos)
+- Windows:
+ . Free opened_path when opened_path_len >= MAXPATHLEN. (dixyes)
-26 Sep 2024, PHP 8.2.24
+31 Jul 2025, PHP 8.3.24
-- CGI:
- . Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection
- Vulnerability). (CVE-2024-8926) (nielsdos)
- . Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is
- bypassable due to the environment variable collision). (CVE-2024-8927)
- (nielsdos)
+- Calendar:
+ . Fixed jewishtojd overflow on year argument. (David Carlier)
- Core:
- . Fixed bug GH-15408 (MSan false-positve on zend_max_execution_timer).
- (zeriyoshi)
- . Fixed bug GH-15515 (Configure error grep illegal option q). (Peter Kokot)
- . Fixed bug GH-15514 (Configure error: genif.sh: syntax error). (Peter Kokot)
- . Fixed bug GH-15565 (--disable-ipv6 during compilation produces error
- EAI_SYSTEM not found). (nielsdos)
- . Fixed bug GH-15587 (CRC32 API build error on arm 32-bit).
- (Bernd Kuhls, Thomas Petazzoni)
- . Fixed bug GH-15330 (Do not scan generator frames more than once). (Arnaud)
- . Fixed uninitialized lineno in constant AST of internal enums. (ilutov)
+ . Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction
+ order). (Daniil Gentili)
+ . Fix OSS-Fuzz #427814456. (nielsdos)
+ . Fix OSS-Fuzz #428983568 and #428760800. (nielsdos)
+ . Fixed bug GH-17204 -Wuseless-escape warnings emitted by re2c. (Peter Kokot)
- Curl:
- . FIxed bug GH-15547 (curl_multi_select overflow on timeout argument).
- (David Carlier)
+ . Fix memory leaks when returning refcounted value from curl callback.
+ (nielsdos)
+ . Remove incorrect string release. (nielsdos)
-- DOM:
- . Fixed bug GH-15551 (Segmentation fault (access null pointer) in
- ext/dom/xml_common.h). (nielsdos)
+- Intl:
+ . Fix memleak on failure in collator_get_sort_key(). (nielsdos)
-- Fileinfo:
- . Fixed bug GH-15752 (Incorrect error message for finfo_file
- with an empty filename argument). (DanielEScherzer)
+- LDAP:
+ . Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty
+ request OID. (David Carlier)
-- FPM:
- . Fixed bug GHSA-865w-9rf3-2wh5 (Logs from childrens may be altered).
- (CVE-2024-9026) (Jakub Zelenka)
+- MbString:
+ . Fixed bug GH-18901 (integer overflow mb_split). (nielsdos)
-- MySQLnd:
- . Fixed bug GH-15432 (Heap corruption when querying a vector). (cmb,
- Kamil Tekiela)
+- OCI8:
+ . Fixed bug GH-18873 (OCI_RETURN_LOBS flag causes oci8 to leak memory).
+ (Saki Takamachi)
- Opcache:
- . Fixed bug GH-15661 (Access null pointer in
- Zend/Optimizer/zend_inference.c). (nielsdos)
- . Fixed bug GH-15658 (Segmentation fault in Zend/zend_vm_execute.h).
+ . Fixed bug GH-18639 (Internal class aliases can break preloading + JIT).
(nielsdos)
+ . Fixed bug GH-14082 (Segmentation fault on unknown address 0x600000000018
+ in ext/opcache/jit/zend_jit.c). (nielsdos)
-- SAPI:
- . Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data).
- (CVE-2024-8925) (Arnaud)
+- OpenSSL:
+ . Fixed bug #80770 (It is not possible to get client peer certificate with
+ stream_socket_server). (Jakub Zelenka)
+
+- PCNTL:
+ . Fixed bug GH-18958 (Fatal error during shutdown after pcntl_rfork() or
+ pcntl_forkx() with zend-max-execution-timers). (Arnaud)
+
+- Phar:
+ . Fix stream double free in phar. (nielsdos, dixyes)
+ . Fix phar crash and file corruption with SplFileObject. (nielsdos)
- SOAP:
- . Fixed bug #73182 (PHP SOAPClient does not support stream context HTTP
- headers in array form). (nielsdos)
+ . Fixed bug GH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing
+ on object destruction). (nielsdos)
+ . Fix memory leak when URL parsing fails in redirect. (Girgias)
+
+- SPL:
+ . Fixed bug GH-19094 (Attaching class with no Iterator implementation to
+ MultipleIterator causes crash). (nielsdos)
- Standard:
- . Fixed bug GH-15552 (Signed integer overflow in ext/standard/scanf.c). (cmb)
+ . Fix misleading errors in printf(). (nielsdos)
+ . Fix RCN violations in array functions. (nielsdos)
+ . Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value.
+ (David Carlier)
- Streams:
- . Fixed bug GH-15628 (php_stream_memory_get_buffer() not zero-terminated).
- (cmb)
+ . Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter
+ fatal error). (Jakub Zelenka)
-29 Aug 2024, PHP 8.2.23
+- Zip:
+ . Fix leak when path is too long in ZipArchive::extractTo(). (nielsdos)
+
+03 Jul 2025, PHP 8.3.23
- Core:
- . Fixed bug GH-15020 (Memory leak in Zend/Optimizer/escape_analysis.c).
- (nielsdos)
- . Fixed bug GH-15023 (Memory leak in Zend/zend_ini.c). (nielsdos)
- . Fixed bug GH-13330 (Append -Wno-implicit-fallthrough flag conditionally).
- (Peter Kokot)
- . Fix uninitialized memory in network.c. (nielsdos)
- . Fixed bug GH-15108 (Segfault when destroying generator during shutdown).
- (Arnaud)
- . Fixed bug GH-15275 (Crash during GC of suspended generator delegate).
- (Arnaud)
+ . Fixed GH-18695 (zend_ast_export() - float number is not preserved).
+ (Oleg Efimov)
+ . Do not delete main chunk in zend_gc. (danog, Arnaud)
+ . Fix compile issues with zend_alloc and some non-default options. (nielsdos)
- Curl:
- . Fixed case when curl_error returns an empty string.
- (David Carlier)
+ . Fix memory leak when setting a list via curl_setopt fails. (nielsdos)
+ . Fix incorrect OpenSSL version detection. (Peter Kokot)
-- DOM:
- . Fix UAF when removing doctype and using foreach iteration. (nielsdos)
+- Date:
+ . Fix leaks with multiple calls to DatePeriod iterator current(). (nielsdos)
-- FFI:
- . Fixed bug GH-14286 (ffi enum type (when enum has no name) make memory
- leak). (nielsdos, dstogov)
+- FPM:
+ . Fixed GH-18662 (fpm_get_status segfault). (txuna)
- Hash:
- . Fix crash when converting array data for array in shm in xxh3. (nielsdos)
+ . Fixed bug GH-14551 (PGO build fails with xxhash). (nielsdos)
- Intl:
- . Fixed bug GH-15087 (IntlChar::foldCase()'s $option is not optional). (cmb)
+ . Fix memory leak in intl_datetime_decompose() on failure. (nielsdos)
+ . Fix memory leak in locale lookup on failure. (nielsdos)
+
+- ODBC:
+ . Fix memory leak on php_odbc_fetch_hash() failure. (nielsdos)
- Opcache:
- . Fixed bug GH-13817 (Segmentation fault for enabled observers after pass 4).
- (Bob)
- . Fixed bug GH-13775 (Memory leak possibly related to opcache SHM placement).
- (Arnaud, nielsdos)
+ . Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
+ (nielsdos, Arnaud)
-- Output:
- . Fixed bug GH-15179 (Segmentation fault (null pointer dereference) in
- ext/standard/url_scanner_ex.re). (nielsdos)
+- OpenSSL:
+ . Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
+ (nielsdos)
+ . Fixed bug #74796 (Requests through http proxy set peer name).
+ (Jakub Zelenka)
-- PDO_Firebird:
- . Fix bogus fallthrough path in firebird_handle_get_attribute(). (nielsdos)
+- Phar:
+ . Add missing filter cleanups on phar failure. (nielsdos)
+ . Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek). (nielsdos)
- PHPDBG:
- . Fixed bug GH-13199 (EOF emits redundant prompt in phpdbg local console mode
- with libedit/readline). (Peter Kokot)
- . Fixed bug GH-15268 (heap buffer overflow in phpdbg
- (zend_hash_num_elements() Zend/zend_hash.h)). (nielsdos)
- . Fixed bug GH-15210 use-after-free on watchpoint allocations. (nielsdos)
+ . Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0. (nielsdos)
+
+- PDO ODBC:
+ . Fix memory leak if WideCharToMultiByte() fails. (nielsdos)
+
+- PGSQL:
+ . Fix warning not being emitted when failure to cancel a query with
+ pg_cancel_query(). (Girgias)
+ . Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during
+ escaping). (CVE-2025-1735) (Jakub Zelenka)
- Random:
- . Fixed part of bug GH-15381, checking getrandom availability on solaris.
- (David Carlier)
+ . Fix reference type confusion and leak in user random engine.
+ (nielsdos, timwolla)
+
+- Readline:
+ . Fix memory leak when calloc() fails in php_readline_completion_cb().
+ (nielsdos)
- Soap:
- . Fixed bug #55639 (Digest autentication dont work). (nielsdos)
- . Fix SoapFault property destruction. (nielsdos)
- . Fixed bug GH-15252 (SOAP XML broken since PHP 8.3.9 when using classmap
- constructor option). (nielsdos)
+ . Fix memory leaks in php_http.c when call_user_function() fails. (nielsdos)
+ . Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP ExtensionAdd commentMore actions
+ via Large XML Namespace Prefix). (CVE-2025-6491) (Lekssays, nielsdos)
- Standard:
- . Fix passing non-finite timeout values in stream functions. (nielsdos)
- . Fixed GH-14780 p(f)sockopen timeout overflow. (David Carlier)
- . Fixed GH-15653 overflow on fgetcsv length parameter. (David Carlier)
-
-- Streams:
- . Fixed bug GH-15028 (Memory leak in ext/phar/stream.c). (nielsdos)
- . Fixed bug GH-15034 (Integer overflow on stream_notification_callback
- byte_max parameter with files bigger than 2GB). (nielsdos)
+ . Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames).
+ (CVE-2025-1220) (Jakub Zelenka)
- Tidy:
- . Fix memory leaks in ext/tidy basedir restriction code. (nielsdos)
+ . Fix memory leak in tidy output handler on error. (nielsdos)
+ . Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory. (David Carlier)
-01 Aug 2024, PHP 8.2.22
+05 Jun 2025, PHP 8.3.22
- Core:
- . Fixed bug GH-13922 (Fixed support for systems with
- sysconf(_SC_GETPW_R_SIZE_MAX) == -1). (Arnaud)
- . Fixed bug GH-14626 (Fix is_zend_ptr() for huge blocks). (Arnaud)
- . Fixed bug GH-14590 (Memory leak in FPM test gh13563-conf-bool-env.phpt.
- (nielsdos)
- . Fixed OSS-Fuzz #69765. (nielsdos)
- . Fixed bug GH-14741 (Segmentation fault in Zend/zend_types.h). (nielsdos)
- . Fixed bug GH-14969 (Use-after-free in property coercion with __toString()).
- (ilutov)
- . Fixed bug GH-14961 (Comment between -> and keyword results in parse error).
- (ilutov)
-
-- Dom:
- . Fixed bug GH-14702 (DOMDocument::xinclude() crash). (nielsdos)
-
-- Gd:
- . ext/gd/tests/gh10614.phpt: skip if no PNG support. (orlitzky)
- . restored warning instead of fata error. (dryabov)
+ . Fixed GH-18480 (array_splice with large values for offset/length arguments).
+ (nielsdos/David Carlier)
+ . Partially fixed GH-18572 (nested object comparisons leading to stack overflow).
+ (David Carlier)
+ . Fixed OSS-Fuzz #417078295. (nielsdos)
+ . Fixed OSS-Fuzz #418106144. (nielsdos)
-- LibXML:
- . Fixed bug GH-14563 (Build failure with libxml2 v2.13.0). (nielsdos)
+- Curl:
+ . Fixed GH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/
+ CURLOPT_PASSWORD set the Authorization header when set to NULL).
+ (David Carlier)
-- Opcache:
- . Fixed bug GH-14550 (No warning message when Zend DTrace is enabled that
- opcache.jit is implictly disabled). (nielsdos)
+- Date:
+ . Fixed bug GH-18076 (Since PHP 8, the date_sun_info() function returns
+ inaccurate sunrise and sunset times, but other calculated times are
+ correct) (JiriJozif).
+ . Fixed bug GH-18481 (date_sunrise with unexpected nan value for the offset).
+ (nielsdos/David Carlier)
-- Output:
- . Fixed bug GH-14808 (Unexpected null pointer in Zend/zend_string.h with
- empty output buffer). (nielsdos)
+- Intl:
+ . Fix various reference issues. (nielsdos)
-- PDO:
- . Fixed bug GH-14712 (Crash with PDORow access to null property).
- (David Carlier)
+- LDAP:
+ . Fixed bug GH-18529 (ldap no longer respects TLS_CACERT from ldaprc in
+ ldap_start_tls()). (Remi)
-- Phar:
- . Fixed bug GH-14603 (null string from zip entry).
- (David Carlier)
+- Opcache:
+ . Fixed bug GH-18417 (Windows SHM reattachment fails when increasing
+ memory_consumption or jit_buffer_size). (nielsdos)
+ . Fixed bug GH-18567 (Preloading with internal class alias triggers assertion
+ failure). (nielsdos)
+ . Fix leak of accel_globals->key. (nielsdos)
-- PHPDBG:
- . Fixed bug GH-14596 (crashes with ASAN and ZEND_RC_DEBUG=1).
- (David Carlier)
- . Fixed bug GH-14553 (echo output trimmed at NULL byte). (nielsdos)
+- OpenSSL:
+ . Fix missing checks against php_set_blocking() in xp_ssl.c. (nielsdos)
-- Shmop:
- . Fixed bug GH-14537 (shmop Windows 11 crashes the process). (nielsdos)
+- PDO_OCI:
+ . Fixed bug GH-18494 (PDO OCI segfault in statement GC). (nielsdos)
-- SimpleXML:
- . Fixed bug GH-14638 (null dereference after XML parsing failure).
- (David Carlier)
+- Sockets:
+ - Fixed bug GH-18617 (socket_import_file_descriptor return value
+ unchecked). (David Carlier)
- SPL:
- . Fixed bug GH-14639 (Member access within null pointer in
- ext/spl/spl_observer.c). (nielsdos)
+ . Fixed bug GH-18421 (Integer overflow with large numbers in LimitIterator).
+ (nielsdos)
- Standard:
- . Fix 32-bit wordwrap test failures. (orlitzky)
- . Fixed bug GH-14774 (time_sleep_until overflow). (David Carlier)
-
-- Tidy:
- . Fix memory leak in tidy_repair_file(). (nielsdos)
+ . Fixed bug GH-17403 (Potential deadlock when putenv fails). (nielsdos)
+ . Fixed bug GH-18509 (Dynamic calls to assert() ignore zend.assertions).
+ (timwolla)
-- Treewide:
- . Fix compatibility with libxml2 2.13.2. (nielsdos)
+- Windows:
+ . Fix leak+crash with sapi_windows_set_ctrl_handler(). (nielsdos)
-- XML:
- . Move away from to-be-deprecated libxml fields. (nielsdos)
- . Fixed bug GH-14834 (Error installing PHP when --with-pear is used).
+- Zip:
+ . Fixed bug GH-18431 (Registering ZIP progress callback twice doesn't work).
(nielsdos)
+ . Fixed bug GH-18438 (Handling of empty data and errors in
+ ZipArchive::addPattern). (nielsdos)
-04 Jul 2024, PHP 8.2.21
+08 May 2025, PHP 8.3.21
- Core:
- . Fixed bug GH-14315 (Incompatible pointer type warnings). (Peter Kokot)
- . Fixed bug GH-12814 (max_execution_time reached too early on MacOS 14
- when running on Apple Silicon). (Manuel Kress)
- . Fixed bug GH-14387 (Crash when stack walking in destructor of yielded from
- values during Generator->throw()). (Bob)
- . Fixed bug GH-14456 (Attempting to initialize class with private constructor
- calls destructor). (Girgias)
- . Fixed bug GH-14549 (Incompatible function pointer type for fclose).
- (Ryan Carsten Schmidt)
-
-- BCMath:
- . Fixed bug (bcpowmod() with mod = -1 returns 1 when it must be 0). (Girgias)
-
-- Curl:
- . Fixed bug GH-14307 (Test curl_basic_024 fails with curl 8.8.0). (nielsdos)
-
-- DOM:
- . Fixed bug GH-14343 (Memory leak in xml and dom). (nielsdos)
+ . Fixed bug GH-18304 (Changing the properties of a DateInterval through
+ dynamic properties triggers a SegFault). (nielsdos)
+ . Fix some leaks in php_scandir. (nielsdos)
-- FPM:
- . Fixed bug GH-14037 (PHP-FPM ping.path and ping.response config vars are
- ignored in status pool). (Wilhansen Li, Pierrick Charron)
+- Filter:
+ . Fixed bug GH-18309 (ipv6 filter integer overflow). (nielsdos)
- GD:
- . Fix parameter numbers for imagecolorset(). (Giovanni Giacobbi)
+ . Fixed imagecrop() overflow with rect argument with x/width y/heigh usage
+ in gdImageCrop(). (David Carlier)
+ . Fixed GH-18243 imagettftext() overflow/underflow on font size value.
+ (David Carlier)
- Intl:
- . Fix reference handling in SpoofChecker. (nielsdos)
-
-- MySQLnd:
- . Partially fix bug GH-10599 (Apache crash on Windows when using a
- self-referencing anonymous function inside a class with an active
- mysqli connection). (nielsdos)
-
-- Opcache:
- . Fixed bug GH-14267 (opcache.jit=off does not allow enabling JIT at runtime).
- (ilutov)
- . Fixed TLS access in JIT on FreeBSD/amd64. (Arnaud)
- . Fixed bug GH-11188 (Error when building TSRM in ARM64). (nielsdos)
+ . Fix reference support for intltz_get_offset(). (nielsdos)
-- PDO ODBC:
- . Fixed bug GH-14367 (incompatible SDWORD type with iODBC). (Calvin Buckley)
+- LDAP:
+ . Fixed bug GH-17776 (LDAP_OPT_X_TLS_* options can't be overridden). (Remi)
+ . Fix NULL deref on high modification key. (nielsdos)
-- PHPDBG:
- . Fixed bug GH-13681 (segfault on watchpoint addition failure). (David Carlier)
+- libxml:
+ . Fixed custom external entity loader returning an invalid resource leading
+ to a confusing TypeError message. (Girgias)
-- Soap:
- . Fixed bug #47925 (PHPClient can't decompress response). (nielsdos)
- . Fix missing error restore code. (nielsdos)
- . Fix memory leak if calling SoapServer::setObject() twice. (nielsdos)
- . Fix memory leak if calling SoapServer::setClass() twice. (nielsdos)
- . Fix reading zlib ini settings in ext-soap. (nielsdos)
- . Fix memory leaks with string function name lookups. (nielsdos)
- . Fixed bug #69280 (SoapClient classmap doesn't support fully qualified class
- name). (nielsdos)
- . Fixed bug #76232 (SoapClient Cookie Header Semicolon). (nielsdos)
- . Fixed memory leaks when calling SoapFault::__construct() twice. (Girgias)
+- OpenSSL:
+ . Fix memory leak in openssl_sign() when passing invalid algorithm.
+ (nielsdos)
+ . Fix potential leaks when writing to BIO fails. (nielsdos)
-- Sodium:
- . Fix memory leaks in ext/sodium on failure of some functions. (nielsdos)
+- PDO Firebird:
+ . Fixed GH-18276 - persistent connection - "zend_mm_heap corrupted"
+ with setAttribute() (SakiTakamachi).
- SPL:
- . Fixed bug GH-14290 (Member access within null pointer in extension spl).
+ . Fixed bug GH-18322 (SplObjectStorage debug handler mismanages memory).
(nielsdos)
- Standard:
diff --cc ext/standard/array.c
index 37c80e0989c,30b9a425b20..6021f88b379
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@@ -4151,10 -3900,10 +4151,10 @@@ static zend_always_inline void php_arra
{
zval *args = NULL;
zval *arg;
- int argc, i;
+ uint32_t argc, i;
zval *src_entry;
HashTable *src, *dest;
- uint32_t count = 0;
+ uint64_t count = 0;
ZEND_PARSE_PARAMETERS_START(0, -1)
Z_PARAM_VARIADIC('+', args, argc)
diff --cc ext/standard/basic_functions.c
index 02b63beb59d,b2282750fd0..35715c6abe5
mode 100644,100755..100644
--- a/ext/standard/basic_functions.c
+++ b/ext/standard/basic_functions.c