Merge pull request #20 from php/master

sync

Author: chopins

EXTENSIONS

@@ -234,7 +234,7 @@ SINCE:               5.0
 -------------------------------------------------------------------------------
 EXTENSION:           bcmath
 PRIMARY MAINTAINER:  Andi Gutmans <[email protected]> (2000 - 2004)
-MAINTENANCE:         Unknown
+MAINTENANCE:         Maintained
 STATUS:              Working
 -------------------------------------------------------------------------------
 EXTENSION:           bz2

NEWS

@@ -34,9 +34,12 @@ PHP                                                                        NEWS
   . Fixed bug #81738: buffer overflow in hash_update() on long parameter.
     (CVE-2022-37454) (nicky at mouha dot be)
 
+- Intl:
+  . Added pattern format error infos for msgfmt_set_pattern. (David Carlier)
+  . Added pattern format error infos for numfmt_set_pattern. (David Carlier)
+
 - JSON:
-  . Implemented RFC: json_validate()
-    https://wiki.php.net/rfc/json_validate (Juan Morales)
+  . Added json_validate(). (Juan Morales)
 
 - Opcache:
   . Added start, restart and force restart time to opcache's
@@ -55,6 +58,9 @@ PHP                                                                        NEWS
 - Posix:
   . Added posix_sysconf. (David Carlier)
 
+- Random:
+  . Added Randomizer::getBytesFromString(). (Joshua Rüsweg)
+
 - Reflection:
   . Fix GH-9470 (ReflectionMethod constructor should not find private parent
     method). (ilutov)

TSRM/tsrm_win32.c

@@ -30,6 +30,7 @@
 #include "tsrm_win32.h"
 #include "zend_virtual_cwd.h"
 #include "win32/ioutil.h"
+#include "win32/winutil.h"
 
 #ifdef ZTS
 static ts_rsrc_id win32_globals_id;
@@ -610,6 +611,22 @@ TSRM_API int pclose(FILE *stream)
 #define SEGMENT_PREFIX "TSRM_SHM_SEGMENT:"
 #define INT_MIN_AS_STRING "-2147483648"
 
+
+#define TSRM_BASE_SHM_KEY_ADDRESS 0x20000000
+/* Returns a number between 0x2000_0000 and 0x3fff_ffff. On Windows, key_t is int. */
+static key_t tsrm_choose_random_shm_key(key_t prev_key) {
+	unsigned char buf[4];
+	if (php_win32_get_random_bytes(buf, 4) != SUCCESS) {
+		return prev_key + 2;
+	}
+	uint32_t n =
+		((uint32_t)(buf[0]) << 24) |
+	    (((uint32_t)buf[1]) << 16) |
+	    (((uint32_t)buf[2]) << 8) |
+	    (((uint32_t)buf[3]));
+	return (n & 0x1fffffff) + TSRM_BASE_SHM_KEY_ADDRESS;
+}
+
 TSRM_API int shmget(key_t key, size_t size, int flags)
 {/*{{{*/
 	shm_pair *shm;
@@ -621,11 +638,14 @@ TSRM_API int shmget(key_t key, size_t size, int flags)
 		snprintf(shm_segment, sizeof(shm_segment), SEGMENT_PREFIX "%d", key);
 
 		shm_handle  = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, shm_segment);
+	} else {
+		/* IPC_PRIVATE always creates a new segment even if IPC_CREAT flag isn't passed. */
+		flags |= IPC_CREAT;
 	}
 
 	if (!shm_handle) {
 		if (flags & IPC_CREAT) {
-			if (size > SIZE_MAX - sizeof(shm->descriptor)) {
+			if (size == 0 || size > SIZE_MAX - sizeof(shm->descriptor)) {
 				return -1;
 			}
 			size += sizeof(shm->descriptor);
@@ -649,6 +669,19 @@ TSRM_API int shmget(key_t key, size_t size, int flags)
 		}
 	}
 
+	if (key == IPC_PRIVATE) {
+		/* This should call shm_get with a brand new key id that isn't used yet. See https://man7.org/linux/man-pages/man2/shmget.2.html
+		 * Because extensions such as shmop/sysvshm can be used in userland to attach to shared memory segments, use unpredictable high positive numbers to avoid accidentally conflicting with userland. */
+		key = tsrm_choose_random_shm_key(TSRM_BASE_SHM_KEY_ADDRESS);
+		for (shm_pair *ptr = TWG(shm); ptr < (TWG(shm) + TWG(shm_size)); ptr++) {
+			if (ptr->descriptor && ptr->descriptor->shm_perm.key == key) {
+				key = tsrm_choose_random_shm_key(key);
+				ptr = TWG(shm);
+				continue;
+			}
+		}
+	}
+
 	shm = shm_get(key, NULL);
 	if (!shm) {
 		CloseHandle(shm_handle);

UPGRADING

@@ -58,10 +58,15 @@ PHP 8.3 UPGRADE NOTES
 - JSON:
   . Added json_validate(), which returns whether the json is valid for
     the given $depth and $options.
+    RFC: https://wiki.php.net/rfc/json_validate
 
 - Posix:
   . Added posix_sysconf call to get runtime informations.
 
+- Random:
+  . Added Randomizer::getBytesFromString().
+    RFC: https://wiki.php.net/rfc/randomizer_additions
+
 - Sockets:
   . Added socket_atmark to checks if the socket is OOB marked.
 

Zend/tests/array_unpack/gh9769.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Unpacking arrays in constant expression
+--FILE--
+<?php
+
+const A = [...[1, 2, 3]];
+const B = [...['a'=>1, 'b'=>2, 'c'=>3]];
+const C = [...new ArrayObject()];
+
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Only arrays can be unpacked in constant expression in %sgh9769.php:5
+Stack trace:
+#0 {main}
+  thrown in %sgh9769.php on line 5

Zend/tests/gh10014.phpt

@@ -0,0 +1,14 @@
+--TEST--
+GH-10014: Incorrect short-circuiting in constant expressions
+--FILE--
+<?php
+
+#[Attribute(+[[][2]?->y]->y)]
+class y {
+}
+
+?>
+--EXPECTF--
+Warning: Undefined array key 2 in %s on line %d
+
+Warning: Attempt to read property "y" on array in %s on line %d

Zend/zend_API.h

@@ -733,6 +733,14 @@ ZEND_API zend_result zend_fcall_info_call(zend_fcall_info *fci, zend_fcall_info_
 /* Zend FCC API to store and handle PHP userland functions */
 static zend_always_inline bool zend_fcc_equals(const zend_fcall_info_cache* a, const zend_fcall_info_cache* b)
 {
+	if (UNEXPECTED((a->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE) &&
+		(b->function_handler->common.fn_flags & ZEND_ACC_CALL_VIA_TRAMPOLINE))) {
+		return a->object == b->object
+			&& a->calling_scope == b->calling_scope
+			&& a->closure == b->closure
+			&& zend_string_equals(a->function_handler->common.function_name, b->function_handler->common.function_name)
+		;
+	}
 	return a->function_handler == b->function_handler
 		&& a->object == b->object
 		&& a->calling_scope == b->calling_scope