Dev news

Commit b63fe81e2d8 for php.net

commit b63fe81e2d829145c4e1407418126ef2fcbcb14c
Merge: e889b59ce2e 0c6fc66848a
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date:   Tue Apr 7 19:05:07 2026 +0200

    Merge branch 'PHP-8.2' into PHP-8.3

    * PHP-8.2:
      curl: add support for brotli and zstd on Windows

diff --cc NEWS
index f20e8d63b02,aa91603d872..a376b45f450
--- a/NEWS
+++ b/NEWS
@@@ -1,122 -1,19 +1,124 @@@
  PHP                                                                        NEWS
  |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 -?? ??? ????, PHP 8.2.31
 +?? ??? ????, PHP 8.3.31

+ - Curl:
+   . Add support for brotli and zstd on Windows. (Shivam Mathur)

 -18 Dec 2025, PHP 8.2.30
 +15 Jan 2026, PHP 8.3.30

 -- Curl:
 -  . Fix curl build and test failures with version 8.16.
 -    (nielsdos, ilutov, Jakub Zelenka)
 +- Core:
 +  . Fix OSS-Fuzz #465488618 (Wrong assumptions when dumping function signature
 +    with dynamic class const lookup default argument). (ilutov)
 +  . Fixed bug GH-20695 (Assertion failure in normalize_value() when parsing
 +    malformed INI input via parse_ini_string()). (ndossche)
 +  . Fixed bug GH-20714 (Uncatchable exception thrown in generator). (ilutov)
 +  . Fixed bug GH-20352 (UAF in php_output_handler_free via re-entrant
 +    ob_start() during error deactivation). (ndossche)
 +
 +- Bz2:
 +  . Fixed bug GH-20620 (bzcompress overflow on large source size).
 +    (David Carlier)
 +
 +- DOM:
 +  . Fixed bug GH-20722 (Null pointer dereference in DOM namespace node cloning
 +    via clone on malformed objects). (ndossche)
 +
 +- GD:
 +  . Fixed bug GH-20622 (imagestring/imagestringup overflow). (David Carlier)
 +
 +- Intl:
 +  . Fix leak in umsg_format_helper(). (ndossche)
 +
 +- LDAP:
 +  . Fix memory leak in ldap_set_options(). (ndossche)
 +
 +- Mbstring:
 +  . Fixed bug GH-20674 (mb_decode_mimeheader does not handle separator).
 +    (Yuya Hamada)
 +
 +- Phar:
 +  . Fixed bug GH-20732 (Phar::LoadPhar undefined behavior when reading fails).
 +    (ndossche)
 +  . Fix SplFileInfo::openFile() in write mode. (ndossche)
 +  . Fix build on legacy OpenSSL 1.1.0 systems. (Giovanni Giacobbi)
 +
 +- POSIX:
 +  . Fixed crash on posix groups to php array creation on macos.
 +    (David Carlier)
 +
 +- SPL:
 +  . Fixed bug GH-20678 (resource created by GlobIterator crashes with fclose()).
 +    (David Carlier)
 +
 +- Sqlite3:
 +  . Fixed bug GH-20699 (SQLite3Result fetchArray return array|false,
 +    null returned). (ndossche, plusminmax)
 +
 +- Standard:
 +  . Fix error check for proc_open() command. (ndossche)
 +  . Fixed bug GH-20582 (Heap Buffer Overflow in iptcembed). (ndossche)
 +
 +- Zlib:
 +  . Fix OOB gzseek() causing assertion failure. (ndossche)
 +
 +18 Dec 2025, PHP 8.3.29
 +
 +- Core:
 +  . Sync all boost.context files with release 1.86.0. (mvorisek)
 +  . Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument
 +    passing to variadic parameter). (ndossche)
 +  . Fixed bug GH-20286 (use-after-destroy during userland stream_close()).
 +    (ndossche, David Carlier)
 +
 +- Bz2:
 +  . Fix assertion failures resulting in crashes with stream filter
 +    object parameters. (ndossche)
 +
 +- Date:
 +  . Fix crashes when trying to instantiate uninstantiable classes via date
 +    static constructors. (ndossche)
 +
 +- DOM:
 +  . Fix missing NUL byte check on C14NFile(). (ndossche)
 +
 +- Fibers:
 +  . Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI
 +    small value). (David Carlier)
 +
 +- FTP:
 +  . Fixed bug GH-20601 (ftp_connect overflow on timeout). (David Carlier)
 +
 +- GD:
 +  . Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
 +    (David Carlier)
 +  . Fixed bug GH-20602 (imagescale overflow with large height values).
 +    (David Carlier)
 +
 +- Intl:
 +  . Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message
 +    suggests missing constants). (DanielEScherzer)
 +
 +- LibXML:
 +  . Fix some deprecations on newer libxml versions regarding input
 +    buffer/parser handling. (ndossche)
 +
 +- MbString:
 +  . Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma).
 +    (ndossche)
 +  . Fixed bug GH-20492 (mbstring compile warning due to non-strings).
 +    (ndossche)
 +
 +- mysqli:
 +  . Make mysqli_begin_transaction() report errors properly. (Kamil Tekiela)
 +
 +- MySQLnd:
 +  . Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address
 +    enclosed in square brackets). (Remi)

  - Opcache:
 -  . Reset global pointers to prevent use-after-free in zend_jit_status().
 -    (Florian Engelhardt)
 +  . Fixed bug GH-20329 (opcache.file_cache broken with full interned string
 +    buffer). (Arnaud)

  - PDO:
    . Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180)