Dev news

Commit 2467dfb18f4 for php.net

commit 2467dfb18f4640d5d4f22ed1decf4fc515b93eac
Author: ndossche <nora.dossche@ugent.be>
Date:   Tue Jan 27 11:07:42 2026 +0100

    Fix UB and error propagation when X509_gmtime_adj() fails

    This causes UB later on when the certificate is passed to another
    function:
    ```
    /work/php-src/Zend/zend_string.h:191:2: runtime error: null pointer passed as argument 2, which is declared to never be null
        #0 0x55cfb9407d94 in zend_string_init /work/php-src/Zend/zend_string.h:191
        #1 0x55cfb941ceb6 in add_assoc_stringl_ex /work/php-src/Zend/zend_API.c:1986
        #2 0x55cfb7f4c16d in add_assoc_stringl /work/php-src/Zend/zend_API.h:579
        #3 0x55cfb7f4cccd in php_openssl_add_assoc_asn1_string /work/php-src/ext/openssl/openssl_backend_common.c:113
        #4 0x55cfb7f2eb98 in zif_openssl_x509_parse /work/php-src/ext/openssl/openssl.c:1074
        #5 0x55cfb9160993 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
        #6 0x55cfb958ee2d in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
        #7 0x55cfb97854bd in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
        #8 0x55cfb9795c96 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
        #9 0x55cfb99666c6 in zend_execute_script /work/php-src/Zend/zend.c:1980
        #10 0x55cfb919583e in php_execute_script_ex /work/php-src/main/main.c:2645
        #11 0x55cfb9195b48 in php_execute_script /work/php-src/main/main.c:2685
        #12 0x55cfb996bf48 in do_cli /work/php-src/sapi/cli/php_cli.c:951
        #13 0x55cfb996e6a1 in main /work/php-src/sapi/cli/php_cli.c:1362
        #14 0x7fb0b68301c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
        #15 0x7fb0b683028a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
        #16 0x55cfb7e097d4 in _start (/work/php-src/build-dbg-ubsan/sapi/cli/php+0x14097d4) (BuildId: b2b405964cc047ab6da19abaf92a8899a99e4a47)
    ```

    Furthermore, it also simply does not propagate the error to userland.

    Closes GH-21046.

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index bd8e7a94210..5ea8574f023 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -3392,8 +3392,11 @@ PHP_FUNCTION(openssl_csr_sign)
 		php_openssl_store_errors();
 		goto cleanup;
 	}
-	X509_gmtime_adj(X509_getm_notBefore(new_cert), 0);
-	X509_gmtime_adj(X509_getm_notAfter(new_cert), 60*60*24*num_days);
+	if (!X509_gmtime_adj(X509_getm_notBefore(new_cert), 0)
+		|| !X509_gmtime_adj(X509_getm_notAfter(new_cert), 60*60*24*num_days)) {
+		php_openssl_store_errors();
+		goto cleanup;
+	}
 	i = X509_set_pubkey(new_cert, key);
 	if (!i) {
 		php_openssl_store_errors();