PHP 8 ChangeLog
8.2 | 8.1 | 8.0
Version 8.2.5
13 Apr 2023
Core:
Added optional support for max_execution_time in ZTS/Linux builds (Kévin Dunglas)
Fixed use-after-free in recursive AST evaluation.
Fixed bug GH-8646 (Memory leak PHP FPM 8.1).
Re-add some CTE functions that were removed from being CTE by a mistake.
Remove CTE flag from array_diff_ukey(), which was added by mistake.
Fixed bug GH-10801 (Named arguments in CTE functions cause a segfault).
Fixed bug GH-8789 (PHP 8.0.20 (ZTS) zend_signal_handler_defer crashes on apache).
Fixed bug GH-10015 (zend_signal_handler_defer crashes on apache shutdown).
Fixed bug GH-10810 (Fix NUL byte terminating Exception::__toString()).
Fix potential memory corruption when mixing __callStatic() and FFI.
Date:
Fixed bug GH-10747 (Private and protected properties in serialized Date* objects throw).
FPM:
Fixed bug GH-10611 (fpm_env_init_main leaks environ).
Destroy file_handle in fpm_main.
Fixed bug #74129 (Incorrect SCRIPT_NAME with apache ProxyPassMatch when spaces are in path).
FTP:
Propagate success status of ftp_close().
Fixed bug GH-10521 (ftp_get/ftp_nb_get resumepos offset is maximum 10GB).
IMAP:
Fix build failure with Clang 16.
MySQLnd:
Fixed bug GH-8979 (Possible Memory Leak with SSL-enabled MySQL connections).
Opcache:
Fixed build for macOS to cater with pkg-config settings.
Fixed bug GH-8065 (opcache.consistency_checks > 0 causes segfaults in PHP >= 8.1.5 in fpm context).
OpenSSL:
Add missing error checks on file writing functions.
PDO Firebird:
Fixed bug GH-10908 (Bus error with PDO Firebird on RPI with 64 bit kernel and 32 bit userland).
Phar:
Fixed bug GH-10766 (PharData archive created with Phar::Zip format does not keep files metadata (datetime)).
Add missing error checks on EVP_MD_CTX_create() and EVP_VerifyInit().
PDO ODBC:
Fixed missing and inconsistent error checks on SQLAllocHandle.
PGSQL:
Fixed typo in the array returned from pg_meta_data (extended mode).
SPL:
Fixed bug GH-10519 (Array Data Address Reference Issue).
Fixed bug GH-10907 (Unable to serialize processed SplFixedArrays in PHP 8.2.4).
Fixed bug GH-10844 (ArrayIterator allows modification of readonly props).
Standard:
Fixed bug GH-10885 (stream_socket_server context leaks).
Fixed bug GH-10052 (Browscap crashes PHP 8.1.12 on request shutdown (apache2)).
Fixed oss-fuzz #57392 (Buffer-overflow in php_fgetcsv() with \0 delimiter and enclosure).
Fixed undefined behaviour in unpack().
Version 8.2.4
16 Mar 2023
Core:
Fixed incorrect check condition in ZEND_YIELD.
Fixed incorrect check condition in type inference.
Fix incorrect check in zend_internal_call_should_throw().
Fixed overflow check in OnUpdateMemoryConsumption.
Fixed bug GH-9916 (Entering shutdown sequence with a fiber suspended in a Generator emits an unavoidable fatal error or crashes).
Fixed bug GH-10437 (Segfault/assertion when using fibers in shutdown function after bailout).
Fixed SSA object type update for compound assignment opcodes.
Fixed language scanner generation build.
Fixed zend_update_static_property() calling zend_update_static_property_ex() misleadingly with the wrong return type.
Fix bug GH-10570 (Fixed unknown string hash on property fetch with integer constant name).
Fixed php_fopen_primary_script() call resulted on zend_destroy_file_handle() freeing dangling pointers on the handle as it was uninitialized.
Curl:
Fixed deprecation warning at compile time.
Fixed bug GH-10270 (Unable to return CURL_READFUNC_PAUSE in readfunc callback).
Date:
Fix GH-10447 ('p' format specifier does not yield 'Z' for 00:00).
Fix GH-10152 (Custom properties of Date's child classes are not serialised).
Fixed bug GH-10747 (Private and protected properties in serialized Date* objects throw).
FFI:
Fixed incorrect bitshifting and masking in ffi bitfield.
Fiber:
Fixed assembly on alpine x86.
Fixed bug GH-10496 (segfault when garbage collector is invoked inside of fiber).
FPM:
Fixed bug GH-10315 (FPM unknown child alert not valid).
Fixed bug GH-10385 (FPM successful config test early exit).
GMP:
Properly implement GMP::__construct().
Intl:
Fixed bug GH-10647 (Spoolchecker isSuspicious/areConfusable methods error code's argument always returning NULL0.
JSON:
Fixed JSON scanner and parser generation build.
MBString:
ext/mbstring: fix new_value length check.
Fix bug GH-10627 (mb_convert_encoding crashes PHP on Windows).
Opcache:
Fix incorrect page_size check.
OpenSSL:
Fixed php_openssl_set_server_dh_param() DH params errors handling.
PDO OCI:
Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars).
PHPDBG:
Fixed bug GH-10715 (heap buffer overflow on --run option misuse).
PGSQL:
Fix GH-10672 (pg_lo_open segfaults in the strict_types mode).
Phar:
Fix incorrect check in phar tar parsing.
Random:
Fix GH-10390 (Do not trust arc4random_buf() on glibc).
Fix GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Reflection:
Fixed bug GH-10623 (Reflection::getClosureUsedVariables opcode fix with variadic arguments).
Fix Segfault when using ReflectionFiber suspended by an internal function.
Session:
Fixed ps_files_cleanup_dir() on failure code paths with -1 instead of 0 as the latter was considered success by callers. (nielsdos).
Standard:
Fixed bug GH-8086 (Introduce mail.mixed_lf_and_crlf INI).
Fixed bug GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Fix incorrect check in cs_8559_5 in map_from_unicode().
Fix bug GH-9697 for reset/end/next/prev() attempting to move pointer of properties table for certain internal classes such as FFI classes
Fix incorrect error check in browsecap for pcre2_match().
Streams:
Fixed bug GH-10370 (File corruption in _php_stream_copy_to_stream_ex when using copy_file_range).
Fixed bug GH-10548 (copy() fails on cifs mounts because of incorrect copy_file_range() len).
Tidy:
Fix memory leaks when attempting to open a non-existing file or a file over 4GB.
Add missing error check on tidyLoadConfig.
Zlib:
Fixed output_handler directive value's length which counted the string terminator.
Version 8.2.3
14 Feb 2023
Core:
Fixed bug #81744 (Password_verify() always return true with some hash). (CVE-2023-0567)
Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568)
SAPI:
Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)
Version 8.2.2
02 Feb 2023
Core:
Fixed bug GH-10200 (zif_get_object_vars: Assertion `!(((__ht)->u.flags & (1<<2)) != 0)' failed).
Fix GH-10251 (Assertion `(flag & (1<<3)) == 0' failed).
Fix GH-10240 (Assertion failure when adding more than 2**30 elements to an unpacked array).
Fix GH-9735 (Fiber stack variables do not participate in cycle collector).
Fix GH-9675 (Broken run_time_cache init for internal enum methods).
FPM:
Fixed bug #77106 (Missing separator in FPM FastCGI errors).
Fixed bug GH-9981 (FPM does not reset fastcgi.error_header).
Fixed bug #68591 (Configuration test does not perform UID lookups).
Fixed memory leak when running FPM config test.
Fixed bug #67244 (Wrong owner:group for listening unix socket).
Hash:
Handle exceptions from __toString in XXH3's initialization (nielsdos)
LDAP:
Fixed bug GH-10112 (LDAP\Connection::__construct() refers to ldap_create()).
Opcache:
Fix inverted bailout value in zend_runtime_jit() (Max Kellermann).
Fix access to uninitialized variable in accel_preload().
Fix zend_jit_find_trace() crashes.
Added missing lock for EXIT_INVALIDATE in zend_jit_trace_exit.
Phar:
Fix wrong flags check for compression method in phar_object.c (nielsdos)
PHPDBG:
Fix undefined behaviour in phpdbg_load_module_or_extension().
Fix NULL pointer dereference in phpdbg_create_conditional_breal().
Fix GH-9710 : phpdbg memory leaks by option "-h" (nielsdos)
Fix phpdbg segmentation fault in case of malformed input (nielsdos)
Posix:
Fix memory leak in posix_ttyname() (girgias)
Random:
Fixed bug GH-10247 (Theoretical file descriptor leak for /dev/urandom).
Standard:
Fix GH-10187 (Segfault in stripslashes() with arm64).
Fixed bug GH-10214 (Incomplete validation of object syntax during unserialize()).
Fix substr_replace with slots in repl_ht being UNDEF.
XMLWriter:
Fix missing check for xmlTextWriterEndElement (nielsdos)
Version 8.2.1
05 Jan 2023
Core:
Fixed bug GH-9905 (constant() behaves inconsistent when class is undefined).
Fixed bug GH-9918 (License information for xxHash is not included in README.REDIST.BINS file).
Fixed bug GH-9890 (OpenSSL legacy providers not available on Windows).
Fixed bug GH-9650 (Can't initialize heap: [0x000001e7]).
Fixed potentially undefined behavior in Windows ftok(3) emulation.
Fixed GH-9769 (Misleading error message for unpacking of objects).
Apache:
Fixed bug GH-9949 (Partial content on incomplete POST request).
FPM:
Fixed bug GH-9959 (Solaris port event mechanism is still broken after bug #66694).
Fixed bug #68207 (Setting fastcgi.error_header can result in a WARNING).
Fixed bug #80669 (FPM numeric user fails to set groups).
Fixed bug GH-8517 (Random crash of FPM master process in fpm_stdio_child_said).
Imap:
Fixed bug GH-10051 (IMAP: there's no way to check if a IMAP\Connection is still open).
MBString:
Fixed bug GH-9535 (The behavior of mb_strcut in mbstring has been changed in PHP8.1).
Opcache:
Fixed bug GH-9968 (Segmentation Fault during OPCache Preload).
OpenSSL:
Fixed bug GH-9997 (OpenSSL engine clean up segfault).
Fixed bug GH-9064 (PHP fails to build if openssl was built with --no-ec).
Fixed bug GH-10000 (OpenSSL test failures when OpenSSL compiled with no-dsa).
Pcntl:
Fixed bug GH-9298 (Signal handler called after rshutdown leads to crash).
PDO_Firebird:
Fixed bug GH-9971 (Incorrect NUMERIC value returned from PDO_Firebird).
PDO/SQLite:
Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)
Session:
Fixed GH-9932 (session name silently fails with . and [).
SPL:
Fixed GH-9883 (SplFileObject::__toString() reads next line).
Fixed GH-10011 (Trampoline autoloader will get reregistered and cannot be unregistered).
SQLite3:
Fixed bug #81742 (open_basedir bypass in SQLite3 by using file URI).
TSRM:
Fixed Windows shmget() wrt. IPC_PRIVATE.
Version 8.2.0
08 Dec 2022
CLI:
Fixed bug #81496 (Server logs incorrect request method).
Updated the mime-type table for the builtin-server.
Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable.
Fixed GH-8575 by changing STDOUT, STDERR and STDIN to not close on resource destruction.
Implement built-in web server responding without body to HEAD request on a static resource.
Implement built-in web server responding with HTTP status 405 to DELETE/PUT/PATCH request on a static resource.
Fixed bug GH-9709 (Null pointer dereference with -w/-s options).
COM:
Fixed bug GH-8750 (Can not create VT_ERROR variant type).
Core:
Fixed bug #81380 (Observer may not be initialized properly).
Fixed bug GH-7771 (Fix filename/lineno of constant expressions).
Fixed bug GH-7792 (Improve class type in error messages).
Support huge pages on MacOS.
Fixed bug GH-8655 (Casting an object to array does not unwrap refcount=1 references).
Fixed bug GH-8661 (Nullsafe in coalesce triggers undefined variable warning).
Fixed bug GH-7821 and GH-8418 (Allow arbitrary const expressions in backed enums).
Fixed bug GH-8810 (Incorrect lineno in backtrace of multi-line function calls).
Optimised code path for newly created file with the stream plain wrapper.
Uses safe_perealloc instead of perealloc for the ZEND_PTR_STACK_RESIZE_IF_NEEDED to avoid possible overflows.
Reduced the memory footprint of strings returned by var_export(), json_encode(), serialize(), iconv_*(), mb_ereg*(), session_create_id(), http_build_query(), strstr(), Reflection*::__toString().
Fixed bug GH-8995 (WeakMap object reference offset causing TypeError).
Added error_log_mode ini setting.
Updated request startup messages.
Fixed bug GH-7900 (Arrow function with never return type compile-time errors).
Fixed incorrect double to long casting in latest clang.
Added support for defining constants in traits.
Stop incorrectly emitting false positive deprecation notice alongside unsupported syntax fatal error for `"{$g{'h'}}"`.
Fix unexpected deprecated dynamic property warning, which occurred when exit() in finally block after an exception was thrown without catching.
Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function) (Tim Starling)
Fixed bug GH-9227 (Trailing dots and spaces in filenames are ignored).
Fixed bug GH-9285 (Traits cannot be used in readonly classes).
Fixed bug GH-9186 (@strict-properties can be bypassed using unserialization).
Fixed bug GH-9500 (Using dnf type with parentheses after readonly keyword results in a parse error).
Fixed bug GH-9516 ((A&B)|D as a param should allow AB or D. Not just A).
Fixed observer class notify with Opcache file_cache_only=1.
Fixes segfault with Fiber on FreeBSD i386 architecture.
Fixed bug GH-9655 (Pure intersection types cannot be implicitly nullable) (Girgias)
Fixed bug GH-9589 (dl() segfaults when module is already loaded).
Fixed bug GH-9752 (Generator crashes when interrupted during argument evaluation with extra named params).
Fixed bug GH-9801 (Generator crashes when memory limit is exceeded during initialization).
Fixed a bug with preloaded enums possibly segfaulting.
Fixed bug GH-9823 (Don’t reset func in zend_closure_internal_handler).
Fixed potential NULL pointer dereference Windows shm*() functions.
Fix target validation for internal attributes with constructor property promotion.
Fixed bug GH-9750 (Generator memory leak when interrupted during argument evaluation.
Move observer_declared_function_notify until after pass_two().
Do not report MINIT stage internal class aliases in extensions.
Curl:
Added support for CURLOPT_XFERINFOFUNCTION.
Added support for CURLOPT_MAXFILESIZE_LARGE.
Added new constants from cURL 7.62 to 7.80.
New function curl_upkeep().
Date:
Fixed GH-8458 (DateInterval::createFromDateString does not throw if non-relative items are present).
Fixed bug #52015 (Allow including end date in DatePeriod iterations) (Daniel Egeberg, Derick)
idate() now accepts format specifiers "N" (ISO Day-of-Week) and "o" (ISO Year).
Fixed bug GH-8730 (DateTime::diff miscalculation is same time zone of different type).
Fixed bug GH-8964 (DateTime object comparison after applying delta less than 1 second).
Fixed bug GH-9106 (DateInterval 1.5s added to DateTimeInterface is rounded down since PHP 8.1.0).
Fixed bug #75035 (Datetime fails to unserialize "extreme" dates).
Fixed bug #80483 (DateTime Object with 5-digit year can't unserialized).
Fixed bug #81263 (Wrong result from DateTimeImmutable::diff).
Fixed bug GH-9431 (DateTime::getLastErrors() not returning false when no errors/warnings).
Fixed bug with parsing large negative numbers with the @ notation.
DBA:
Fixed LMDB driver hanging when attempting to delete a non-existing key (Girgias)
Fixed LMDB driver memory leak on DB creation failure (Girgias)
Fixed GH-8856 (dba: lmdb: allow to override the MDB_NOSUBDIR flag).
FFI:
Fixed bug GH-9090 (Support assigning function pointers in FFI).
Fileinfo:
Fixed bug GH-8805 (finfo returns wrong mime type for woff/woff2 files).
Filter:
Added FILTER_FLAG_GLOBAL_RANGE to filter Global IPs.
FPM:
Emit error for invalid port setting.
Added extra check for FPM proc dumpable on SELinux based systems.
Added support for listening queue on macOS.
Changed default for listen.backlog on Linux to -1.
Added listen.setfib pool option to set route FIB on FreeBSD.
Added access.suppress_path pool option to filter access log entries.
Fixed on fpm scoreboard occasional warning on acquisition failure.
Fixed bug GH-9754 (SaltStack (using Python subprocess) hangs when running php-fpm 8.1.11).
FTP:
Fix datetime format string to follow POSIX spec in ftp_mdtm().
GD:
Fixed bug #81739 : OOB read due to insufficient input validation in imageloadfont(). (CVE-2022-31630)
GMP:
Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()).
Hash:
Fixed bug #81738 : buffer overflow in hash_update() on long parameter. (CVE-2022-37454)
Intl:
Update all grandfathered language tags with preferred values
Fixed GH-7939 (Cannot unserialize IntlTimeZone objects).
Fixed build for ICU 69.x and onwards.
Declared Transliterator::$id as readonly to unlock subclassing it.
Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter).
MBString:
Fixed bug GH-9248 (Segmentation fault in mb_strimwidth()).
mysqli:
Fixed bug GH-9841 (mysqli_query throws warning despite using silenced error mode).
MySQLnd:
Fixed potential heap corruption due to alignment mismatch.
OCI8:
Added oci8.prefetch_lob_size directive to tune LOB query performance
Support for building against Oracle Client libraries 10.1 and 10.2 has been dropped. Oracle Client libraries 11.2 or newer are now required.
ODBC:
Fixed bug GH-8300 (User input not escaped when building connection string).
Fixed bug GH-9347 (Current ODBC liveness checks may be inadequate).
Opcache:
Allocate JIT buffer close to PHP .text segemnt to allow using direct IP-relative calls and jumps.
Added initial support for JIT performance profiling generation for macOs Instrument.
Fixed bug GH-8030 (Segfault with JIT and large match/switch statements).
Added JIT support improvement for macOs for segments and executable permission bit handling.
Added JIT buffer allocation near the .text section on FreeNSD.
Fixed bug GH-9371 (Crash with JIT on mac arm64) (jdp1024/David Carlier)
Fixed bug GH-9259 (opcache.interned_strings_buffer setting integer overflow).
Added indirect call reduction for jit on x86 architectures.
Fixed bug GH-9164 (Segfault in zend_accel_class_hash_copy).
Fix opcache preload with observers enabled.
OpenSSL:
Discard poll calls on socket when no timeout/non blocking/MSG_DONTWAIT.
Fixed bug GH-9310 (SSL local_cert and local_pk do not respect open_basedir).
Implement FR #76935 ("chacha20-poly1305" is an AEAD but does not work like AEAD).
Added openssl_cipher_key_length function.
Fixed bug GH-9517 (Compilation error openssl extension related to PR GH-9366 ).
Fixed missing clean up of OpenSSL engine list - attempt to fix GH-8620 .
Fixed bug GH-8430 (OpenSSL compiled with no-md2, no-md4 or no-rmd160 does not build).
PCNTL:
Fixed pcntl_(get|set)priority error handling for MacOS.
PCRE:
Implemented FR #77726 (Allow null character in regex patterns).
Updated bundled libpcre to 10.40.
PDO:
Fixed bug GH-9818 (Initialize run time cache in PDO methods).
PDO_Firebird:
Fixed bug GH-8576 (Bad interpretation of length when char is UTF-8).
PDO_ODBC:
Fixed bug #80909 (crash with persistent connections in PDO_ODBC).
Fixed bug GH-8300 (User input not escaped when building connection string).
Fixed bug GH-9347 (Current ODBC liveness checks may be inadequate).
Fixed bug GH-9372 (HY010 when binding overlong parameter).
PDO_PGSQL:
Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed).
Random:
Added new random extension.
Fixed bug GH-9067 (random extension is not thread safe).
Fixed bug GH-9055 (segmentation fault if user engine throws).
Fixed bug GH-9066 (signed integer overflow).
Fixed bug GH-9083 (undefined behavior during shifting).
Fixed bug GH-9088 , GH-9056 (incorrect expansion of bytes when generating uniform integers within a given range).
Fixed bug GH-9089 (Fix memory leak on Randomizer::__construct() call twice).
Fixed bug GH-9212 (PcgOneseq128XslRr64::jump() should not allow negative $advance).
Changed Mt19937 to throw a ValueError instead of InvalidArgumentException for invalid $mode.
Splitted Random\Randomizer::getInt() (without arguments) to Random\Randomizer::nextInt().
Fixed bug GH-9235 (non-existant $sequence parameter in stub for PcgOneseq128XslRr64::__construct()).
Fixed bug GH-9190 , GH-9191 (undefined behavior for MT_RAND_PHP when handling large ranges).
Fixed bug GH-9249 (Xoshiro256StarStar does not reject the invalid all-zero state).
Removed redundant RuntimeExceptions from Randomizer methods. The exceptions thrown by the engines will be exposed directly.
Added extension specific Exceptions/Errors (RandomException, RandomError, BrokenRandomEngineError).
Fixed bug GH-9415 (Randomizer::getInt(0, 2**32 - 1) with Mt19937 always returns 1).
Fixed Randomizer::getInt() consistency for 32-bit engines.
Fixed bug GH-9464 (build on older macOs releases).
Fixed bug GH-9839 (Pre-PHP 8.2 output compatibility for non-mt_rand() functions for MT_RAND_PHP).
Reflection:
Added ReflectionFunction::isAnonymous().
Added ReflectionMethod::hasPrototype().
Narrow ReflectionEnum::getBackingType() return type to ReflectionNamedType.
Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure).
Session:
Fixed bug GH-7787 (Improve session write failure message for user error handlers).
Fixed GH-9200 (setcookie has an obsolete expires date format).
Fixed GH-9584 (Avoid memory corruption when not unregistering custom session handler).
Fixed bug GH-9583 (session_create_id() fails with user defined save handler that doesn't have a validateId() method).
SOAP:
Fixed bug GH-9720 (Null pointer dereference while serializing the response).
Sockets:
Added TCP_NOTSENT_LOWAT socket option.
Added SO_MEMINFO socket option.
Added SO_RTABLE socket option (OpenBSD), equivalent of SO_MARK (Linux).
Added TCP_KEEPALIVE, TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT socket options.
Added ancillary data support for FreeBSD.
Added ancillary data support for NetBSD.
Added SO_BPF_EXTENSIONS socket option.
Added SO_SETFIB socket option.
Added TCP_CONGESTION socket option.
Added SO_ZEROCOPY/MSG_ZEROCOPY options.
Added SOL_FILTER socket option for Solaris.
Fixed socket constants regression as of PHP 8.2.0beta3.
Sodium:
Added sodium_crypto_stream_xchacha20_xor_ic().
SPL:
Uses safe_erealloc instead of erealloc to handle heap growth for the SplHeap::insert method to avoid possible overflows.
Widen iterator_to_array() and iterator_count()'s $iterator parameter to iterable.
Fixed bug #69181 (READ_CSV|DROP_NEW_LINE drops newlines within fields).
Fixed bug #65069 (GlobIterator incorrect handling of open_basedir check).
SQLite3:
Changed sqlite3.defensive from PHP_INI_SYSTEM to PHP_INI_USER.
Standard:
net_get_interfaces() also reports wireless network interfaces on Windows.
Finished AVIF support in getimagesize().
Fixed bug GH-7847 (stripos with large haystack has bad performance).
New function memory_reset_peak_usage().
Fixed parse_url(): can not recognize port without scheme.
Deprecated utf8_encode() and utf8_decode().
Fixed the crypt_sha256/512 api build with clang > 12.
Uses safe_erealloc instead of erealloc to handle options in getopt to avoid possible overflows.
Implemented FR GH-8924 (str_split should return empty array for empty string).
Added ini_parse_quantity function to convert ini quantities shorthand notation to int.
Enable arc4random_buf for Linux glibc 2.36 and onwards for the random_bytes.
Uses CCRandomGenerateBytes instead of arc4random_buf on macOs. (David Carlier).
Fixed bug #65489 (glob() basedir check is inconsistent).
Fixed GH-9200 (setcookie has an obsolete expires date format).
Fixed GH-9244 (Segfault with array_multisort + array_shift).
Fixed bug GH-9296 (`ksort` behaves incorrectly on arrays with mixed keys).
Marked crypt()'s $string parameter as #[\SensitiveParameter].
Fixed bug GH-9464 (build on older macOs releases).
Fixed bug GH-9518 (Disabling IPv6 support disables unrelated constants).
Revert "Fixed parse_url(): can not recognize port without scheme." (andypost)
Fix crash reading module_entry after DL_UNLOAD() when module already loaded.
Streams:
Set IP_BIND_ADDRESS_NO_PORT if available when connecting to remote host.
Fixed bug GH-8548 (stream_wrapper_unregister() leaks memory).
Discard poll calls on socket when no timeout/non blocking/MSG_DONTWAIT.
Fixed bug GH-9316 ($http_response_header is wrong for long status line).
Fixed bug GH-9590 (stream_select does not abort upon exception or empty valid fd set).
Fixed bug GH-9653 (file copy between different filesystems).
Fixed bug GH-9779 (stream_copy_to_stream fails if dest in append mode).
Windows:
Added preliminary support for (cross-)building for ARM64.
XML:
Added libxml_get_external_entity_loader() function.
Zip:
add ZipArchive::clearError() method
add ZipArchive::getStreamName() method
add ZipArchive::getStreamIndex() method
On Windows, the Zip extension is now built as shared library (DLL) by default.
Implement fseek for zip stream when possible with libzip 1.9.1.
Version 8.1.18
13 Apr 2023
Core:
Added optional support for max_execution_time in ZTS/Linux builds.
Fixed use-after-free in recursive AST evaluation.
Fixed bug GH-8646 (Memory leak PHP FPM 8.1).
Fixed bug GH-10801 (Named arguments in CTE functions cause a segfault).
Fixed bug GH-8789 (PHP 8.0.20 (ZTS) zend_signal_handler_defer crashes on apache).
Fixed bug GH-10015 (zend_signal_handler_defer crashes on apache shutdown).
Fixed bug GH-10810 (Fix NUL byte terminating Exception::__toString()).
Fix potential memory corruption when mixing __callStatic() and FFI.
Date:
Fixed bug GH-10583 (DateTime modify with tz pattern should not update linked timezone).
FPM:
Fixed bug GH-10611 (fpm_env_init_main leaks environ).
Destroy file_handle in fpm_main.
Fixed bug #74129 (Incorrect SCRIPT_NAME with apache ProxyPassMatch when spaces are in path).
FTP:
Propagate success status of ftp_close().
Fixed bug GH-10521 (ftp_get/ftp_nb_get resumepos offset is maximum 10GB).
IMAP:
Fix build failure with Clang 16.
MySQLnd:
Fixed bug GH-8979 (Possible Memory Leak with SSL-enabled MySQL connections).
Opcache:
Fixed build for macOS to cater with pkg-config settings.
Fixed bug GH-8065 (opcache.consistency_checks > 0 causes segfaults in PHP >= 8.1.5 in fpm context).
OpenSSL:
Add missing error checks on file writing functions.
PDO Firebird:
Fixed bug GH-10908 (Bus error with PDO Firebird on RPI with 64 bit kernel and 32 bit userland).
PDO ODBC:
Fixed missing and inconsistent error checks on SQLAllocHandle.
Phar:
Fixed bug GH-10766 (PharData archive created with Phar::Zip format does not keep files metadata (datetime)).
Add missing error checks on EVP_MD_CTX_create() and EVP_VerifyInit().
PGSQL:
Fixed typo in the array returned from pg_meta_data (extended mode).
SPL:
Fixed bug GH-10519 (Array Data Address Reference Issue).
Fixed bug GH-10844 (ArrayIterator allows modification of readonly props).
Standard:
Fixed bug GH-10885 (stream_socket_server context leaks).
Fixed bug GH-10052 (Browscap crashes PHP 8.1.12 on request shutdown (apache2)).
Fixed oss-fuzz #57392 (Buffer-overflow in php_fgetcsv() with \0 delimiter and enclosure).
Fixed undefined behaviour in unpack().
Version 8.1.17
16 Mar 2023
Core:
Fixed incorrect check condition in ZEND_YIELD.
Fixed incorrect check condition in type inference.
Fixed overflow check in OnUpdateMemoryConsumption.
Fixed bug GH-9916 (Entering shutdown sequence with a fiber suspended in a Generator emits an unavoidable fatal error or crashes).
Fixed bug GH-10437 (Segfault/assertion when using fibers in shutdown function after bailout).
Fixed SSA object type update for compound assignment opcodes.
Fixed language scanner generation build.
Fixed zend_update_static_property() calling zend_update_static_property_ex() misleadingly with the wrong return type.
Fix bug GH-10570 (Fixed unknown string hash on property fetch with integer constant name).
Fixed php_fopen_primary_script() call resulted on zend_destroy_file_handle() freeing dangling pointers on the handle as it was uninitialized.
Curl:
Fixed deprecation warning at compile time.
Fixed bug GH-10270 (Unable to return CURL_READFUNC_PAUSE in readfunc callback).
Date:
Fix GH-10447 ('p' format specifier does not yield 'Z' for 00:00).
FFI:
Fixed incorrect bitshifting and masking in ffi bitfield.
Fiber:
Fixed assembly on alpine x86.
Fixed bug GH-10496 (segfault when garbage collector is invoked inside of fiber).
FPM:
Fixed bug GH-10315 (FPM unknown child alert not valid).
Fixed bug GH-10385 (FPM successful config test early exit).
Intl:
Fixed bug GH-10647 (Spoolchecker isSuspicious/areConfusable methods error code's argument always returning NULL0.
JSON:
Fixed JSON scanner and parser generation build.
MBString:
ext/mbstring: fix new_value length check.
Fix bug GH-10627 (mb_convert_encoding crashes PHP on Windows).
Opcache:
Fix incorrect page_size check.
OpenSSL:
Fixed php_openssl_set_server_dh_param() DH params errors handling.
PDO OCI:
Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars).
PHPDBG:
Fixed bug GH-10715 (heap buffer overflow on --run option misuse).
PGSQL:
Fix GH-10672 (pg_lo_open segfaults in the strict_types mode).
Phar:
Fix incorrect check in phar tar parsing.
Reflection:
Fixed bug GH-10623 (Reflection::getClosureUsedVariables opcode fix with variadic arguments).
Fix Segfault when using ReflectionFiber suspended by an internal function.
Session:
Fixed ps_files_cleanup_dir() on failure code paths with -1 instead of 0 as the latter was considered success by callers. (nielsdos).
Standard:
Fixed bug GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Fix incorrect check in cs_8559_5 in map_from_unicode().
Fix bug GH-9697 for reset/end/next/prev() attempting to move pointer of properties table for certain internal classes such as FFI classes
Fix incorrect error check in browsecap for pcre2_match().
Tidy:
Fix memory leaks when attempting to open a non-existing file or a file over 4GB.
Add missing error check on tidyLoadConfig.
Zlib:
Fixed output_handler directive value's length which counted the string terminator.
Version 8.1.16
14 Feb 2023
Core:
Fixed bug #81744 (Password_verify() always return true with some hash).
Fixed bug #81746 (1-byte array overrun in common path resolve code).
SAPI:
Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)
Version 8.1.15
02 Feb 2023
Apache:
Fixed bug GH-9949 (Partial content on incomplete POST request).
Core:
Fixed bug GH-10072 (PHP crashes when execute_ex is overridden and a __call trampoline is used from internal code).
Fix GH-10251 (Assertion `(flag & (1<<3)) == 0' failed).
Fix wrong comparison in block optimisation pass after opcode update.
Date:
Fixed bug GH-9891 (DateTime modify with unixtimestamp (@) must work like setTimestamp).
Fixed bug GH-10218 (DateTimeZone fails to parse time zones that contain the "+" character).
Fiber:
Fix assertion on stack allocation size.
FPM:
Fixed bug GH-9981 (FPM does not reset fastcgi.error_header).
Fixed bug #67244 (Wrong owner:group for listening unix socket).
Hash:
Handle exceptions from __toString in XXH3's initialization (nielsdos)
LDAP:
Fixed bug GH-10112 (LDAP\Connection::__construct() refers to ldap_create()).
MBString:
Fixed: mb_strlen (and a couple of other mbstring functions) would wrongly treat 0x80, 0xFD, 0xFE, 0xFF, and certain other byte values as the first byte of a 2-byte SJIS character.
Opcache:
Fix inverted bailout value in zend_runtime_jit() (Max Kellermann).
Fix access to uninitialized variable in accel_preload().
Fix zend_jit_find_trace() crashes.
Added missing lock for EXIT_INVALIDATE in zend_jit_trace_exit.
Phar:
Fix wrong flags check for compression method in phar_object.c (nielsdos)
PHPDBG:
Fix undefined behaviour in phpdbg_load_module_or_extension().
Fix NULL pointer dereference in phpdbg_create_conditional_breal().
Fix GH-9710 : phpdbg memory leaks by option "-h" (nielsdos)
Fix phpdbg segmentation fault in case of malformed input (nielsdos)
Posix:
Fix memory leak in posix_ttyname() (girgias)
Standard:
Fix GH-10187 (Segfault in stripslashes() with arm64).
Fix substr_replace with slots in repl_ht being UNDEF.
TSRM:
Fixed Windows shmget() wrt. IPC_PRIVATE.
XMLWriter:
Fix missing check for xmlTextWriterEndElement (nielsdos)
Version 8.1.14
05 Jan 2023
Core:
Fixed bug GH-9905 (constant() behaves inconsistent when class is undefined).
Fixed bug GH-9918 (License information for xxHash is not included in README.REDIST.BINS file).
Fixed bug GH-9650 (Can't initialize heap: [0x000001e7]).
Fixed potentially undefined behavior in Windows ftok(3) emulation.
Date:
Fixed bug GH-9699 (DateTimeImmutable::diff differences in 8.1.10 onwards - timezone related).
Fixed bug GH-9700 (DateTime::createFromFormat: Parsing TZID string is too greedy).
Fixed bug GH-9866 (Time zone bug with \DateTimeInterface::diff()).
Fixed bug GH-9880 (DateTime diff returns wrong sign on day count when using a timezone).
FPM:
Fixed bug GH-9959 (Solaris port event mechanism is still broken after bug #66694).
Fixed bug #68207 (Setting fastcgi.error_header can result in a WARNING).
Fixed bug GH-8517 (Random crash of FPM master process in fpm_stdio_child_said).
MBString:
Fixed bug GH-9535 (The behavior of mb_strcut in mbstring has been changed in PHP8.1).
Opcache:
Fixed bug GH-9968 (Segmentation Fault during OPCache Preload).
OpenSSL:
Fixed bug GH-9064 (PHP fails to build if openssl was built with --no-ec).
Fixed bug GH-10000 (OpenSSL test failures when OpenSSL compiled with no-dsa).
Pcntl:
Fixed bug GH-9298 (Signal handler called after rshutdown leads to crash).
PDO_Firebird:
Fixed bug GH-9971 (Incorrect NUMERIC value returned from PDO_Firebird).
PDO/SQLite:
Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)
Session:
Fixed GH-9932 (session name silently fails with . and [).
SPL:
Fixed GH-9883 (SplFileObject::__toString() reads next line).
Fixed GH-10011 (Trampoline autoloader will get reregistered and cannot be unregistered).
SQLite3:
Fixed bug #81742 (open_basedir bypass in SQLite3 by using file URI).
Version 8.1.13
24 Nov 2022
CLI:
Fixed bug GH-9709 (Null pointer dereference with -w/-s options).
Core:
Fixed bug GH-9752 (Generator crashes when interrupted during argument evaluation with extra named params).
Fixed bug GH-9801 (Generator crashes when memory limit is exceeded during initialization).
Fixed potential NULL pointer dereference Windows shm*() functions.
Fixed bug GH-9750 (Generator memory leak when interrupted during argument evaluation.
Date:
Fixed bug GH-9763 (DateTimeZone ctr mishandles input and adds null byte if the argument is an offset larger than 100*60 minutes).
FPM:
Fixed bug GH-9754 (SaltStack (using Python subprocess) hangs when running php-fpm 8.1.11).
mysqli:
Fixed bug GH-9841 (mysqli_query throws warning despite using silenced error mode).
MySQLnd:
Fixed potential heap corruption due to alignment mismatch.
OpenSSL:
Fixed bug GH-8430 (OpenSSL compiled with no-md2, no-md4 or no-rmd160 does not build).
SOAP:
Fixed GH-9720 (Null pointer dereference while serializing the response).
Version 8.1.12
27 Oct 2022
Core:
Fixes segfault with Fiber on FreeBSD i386 architecture.
Fileinfo:
Fixed bug GH-8805 (finfo returns wrong mime type for woff/woff2 files).
GD:
Fixed bug #81739 : OOB read due to insufficient input validation in imageloadfont(). (CVE-2022-31630)
Hash:
Fixed bug #81738 : buffer overflow in hash_update() on long parameter. (CVE-2022-37454)
MBString:
Fixed bug GH-9683 (Problem when ISO-2022-JP-MS is specified in mb_ encode_mimeheader).
Opcache:
Added indirect call reduction for jit on x86 architectures.
Session:
Fixed bug GH-9583 (session_create_id() fails with user defined save handler that doesn't have a validateId() method).
Streams:
Fixed bug GH-9590 (stream_select does not abort upon exception or empty valid fd set).
Version 8.1.11
29 Sep 2022
Core:
Fixed bug #81726 : phar wrapper: DOS when using quine gzip file. (CVE-2022-31628)
Fixed bug #81727 : Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629)
Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function) (Tim Starling)
Fixed bug GH-9361 (Segmentation fault on script exit #9379).
Fixed bug GH-9447 (Invalid class FQN emitted by AST dump for new and class constants in constant expressions).
DOM:
Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free).
FPM:
Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to error_log after daemon reload).
Fixed bug #77780 ("Headers already sent..." when previous connection was aborted).
GMP:
Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()).
Intl:
Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter).
PCRE:
Fixed pcre.jit on Apple Silicon.
PDO_PGSQL:
Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed).
Reflection:
Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure).
Streams:
Fixed bug GH-9316 ($http_response_header is wrong for long status line).
Version 8.1.10
01 Sep 2022
Core:
Fixed --CGI-- support of run-tests.php.
Fixed incorrect double to long casting in latest clang.
Fixed bug GH-9266 (GC root buffer keeps growing when dtors are present).
Date:
Fixed bug GH-8730 (DateTime::diff miscalculation is same time zone of different type).
Fixed bug GH-8964 (DateTime object comparison after applying delta less than 1 second).
Fixed bug GH-9106 : (DateInterval 1.5s added to DateTimeInterface is rounded down since PHP 8.1.0).
Fixed bug #81263 (Wrong result from DateTimeImmutable::diff).
DBA:
Fixed LMDB driver memory leak on DB creation failure.
Fixed bug GH-9155 (dba_open("non-existing", "c-", "flatfile") segfaults).
IMAP:
Fixed bug GH-9309 (Segfault when connection is used after imap_close()).
Intl:
Fixed IntlDateFormatter::formatObject() parameter type.
MBString:
Fixed bug GH-9008 (mb_detect_encoding(): wrong results with null $encodings).
OPcache:
Fixed bug GH-9033 (Loading blacklist file can fail due to negative length).
Fixed bug GH-9164 (Segfault in zend_accel_class_hash_copy).
PDO_SQLite:
Fixed bug GH-9032 (SQLite3 authorizer crashes on NULL values).
SQLite3:
Fixed bug GH-9032 (SQLite3 authorizer crashes on NULL values).
Streams:
Fixed bug GH-8472 (The resource returned by stream_socket_accept may have incorrect metadata).
Fixed bug GH-8409 (SSL handshake timeout leaves persistent connections hanging).
Version 8.1.9
04 Aug 2022
CLI:
Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable.
Fixed GH-8952 (Intentionally closing std handles no longer possible).
Core:
Fixed bug GH-8923 (error_log on Windows can hold the file write lock).
Fixed bug GH-8995 (WeakMap object reference offset causing TypeError).
Date:
Fixed bug #80047 (DatePeriod doesn't warn with custom DateTimeImmutable).
FPM:
Fixed zlog message prepend, free on incorrect address.
Fixed possible double free on configuration loading failure. (Heiko Weber).
GD:
Fixed bug GH-8848 (imagecopyresized() error refers to the wrong argument).
Intl:
Fixed build for ICU 69.x and onwards.
OPcache:
Fixed bug GH-8847 (PHP hanging infinitly at 100% cpu when check php syntax of a valid file).
Fixed bug GH-8030 (Segfault with JIT and large match/switch statements).
Reflection:
Fixed bug GH-8943 (Fixed Reflection::getModifierNames() with readonly modifier).
Standard:
Fixed the crypt_sha256/512 api build with clang > 12.
Uses CCRandomGenerateBytes instead of arc4random_buf on macOs. (David Carlier).
Fixed bug GH-9017 (php_stream_sock_open_from_socket could return NULL).
Version 8.1.8
07 Jul 2022
Core:
Fixed bug GH-8338 (Intel CET is disabled unintentionally).
Fixed leak in Enum::from/tryFrom for internal enums when using JIT
Fixed calling internal methods with a static return type from extension code.
Fixed bug GH-8655 (Casting an object to array does not unwrap refcount=1 references).
Fixed potential use after free in php_binary_init().
CLI:
Fixed GH-8827 (Intentionally closing std handles no longer possible).
COM:
Fixed bug GH-8778 (Integer arithmethic with large number variants fails).
Curl:
Fixed CURLOPT_TLSAUTH_TYPE is not treated as a string option.
Date:
Fixed bug #72963 (Null-byte injection in CreateFromFormat and related functions).
Fixed bug #74671 (DST timezone abbreviation has incorrect offset).
Fixed bug #77243 (Weekdays are calculated incorrectly for negative years).
Fixed bug #78139 (timezone_open accepts invalid timezone string argument).
Fileinfo:
Fixed bug #81723 (Heap buffer overflow in finfo_buffer). (CVE-2022-31627)
FPM:
Fixed bug #67764 (fpm: syslog.ident don't work).
GD:
Fixed imagecreatefromavif() memory leak.
MBString:
mb_detect_encoding recognizes all letters in Czech alphabet
mb_detect_encoding recognizes all letters in Hungarian alphabet
Fixed bug GH-8685 (pcre not ready at mbstring startup).
Backwards-compatible mappings for 0x5C/0x7E in Shift-JIS are restored, after they had been changed in 8.1.0.
ODBC:
Fixed handling of single-key connection strings.
OPcache:
Fixed bug GH-8591 (tracing JIT crash after private instance method change).
OpenSSL:
Fixed bug #50293 (Several openssl functions ignore the VCWD).
Fixed bug #81713 (NULL byte injection in several OpenSSL functions working with certificates).
PDO_ODBC:
Fixed handling of single-key connection strings.
Zip:
Fixed bug GH-8781 (ZipArchive::close deletes zip file without updating stat cache).
Version 8.1.7
09 Jun 2022
CLI:
Fixed bug GH-8575 (CLI closes standard streams too early).
Date:
Fixed bug #51934 (strtotime plurals / incorrect time).
Fixed bug #51987 (Datetime fails to parse an ISO 8601 ordinal date (extended format)).
Fixed bug #66019 (DateTime object does not support short ISO 8601 time format - YYYY-MM-DDTHH)
Fixed bug #68549 (Timezones and offsets are not properly used when working with dates)
Fixed bug #81565 (date parsing fails when provided with timezones including seconds).
Fixed bug GH-7758 (Problems with negative timestamps and fractions).
FPM:
Fixed ACL build check on MacOS.
Fixed bug #72185 : php-fpm writes empty fcgi record causing nginx 502.
mysqlnd:
Fixed bug #81719 : mysqlnd/pdo password buffer overflow. (CVE-2022-31626)
OPcache:
Fixed bug GH-8461 (tracing JIT crash after function/method change).
OpenSSL:
Fixed bug #79589 (error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading).
Pcntl:
pgsql:
Fixed bug #81720 : Uninitialized array in pg_query_params(). (CVE-2022-31625)
Soap:
Fixed bug GH-8578 (Error on wrong parameter on SoapHeader constructor).
Fixed bug GH-8538 (SoapClient may strip parts of nmtokens).
SPL:
Fixed bug GH-8235 (iterator_count() may run indefinitely).
Standard:
Fixed bug GH-8185 (Crash during unloading of extension after dl() in ZTS).
Zip:
Fixed type for index in ZipArchive::replaceFile.
Version 8.1.6
12 May 2022
Core:
Fixed bug GH-8310 (Registry settings are no longer recognized).
Fixed potential race condition during resource ID allocation.
Fixed bug GH-8133 (Preloading of constants containing arrays with enums segfaults).
Fixed Haiku ZTS builds.
Date:
Fixed bug GH-7752 (DateTimeZone::getTransitions() returns insufficient data).
Fixed bug GH-8108 (Timezone doesn't work as intended).
Fixed bug #81660 (DateTimeZone::getTransitions() returns invalid data).
Fixed bug GH-8289 (Exceptions thrown within a yielded from iterator are not rethrown into the generator).
FFI:
Fixed bug GH-8433 (Assigning function pointers to structs in FFI leaks).
FPM:
Fixed bug #76003 (FPM /status reports wrong number of active processe).
Fixed bug #77023 (FPM cannot shutdown processes).
Fixed comment in kqueue remove callback log message.
Hash:
Fixed bug #81714 (segfault when serializing finalized HashContext).
Iconv:
Fixed bug GH-8218 (ob_end_clean does not reset Content-Encoding header).
Intl:
Fixed bug GH-8364 (msgfmt_format $values may not support references).
MBString:
Number of error markers emitted for invalid UTF-8 text matches WHATWG specification. This is a return to the behavior of PHP 8.0 and earlier.
MySQLi:
Fixed bug GH-8267 (MySQLi uses unsupported format specifier on Windows).
SPL:
Fixed bug GH-8366 (ArrayIterator may leak when calling __construct()).
Fixed bug GH-8273 (SplFileObject: key() returns wrong value).
Streams:
Fixed php://temp does not preserve file-position when switched to temporary file.
zlib:
Fixed bug GH-8218 (ob_end_clean does not reset Content-Encoding header).
Version 8.1.5
14 Apr 2022
Core:
Fixed bug GH-8176 (Enum values in property initializers leak).
Fixed freeing of internal attribute arguments.
Fixed bug GH-8070 (memory leak of internal function attribute hash).
Fixed bug GH-8160 (ZTS support on Alpine is broken).
Filter:
Fixed signedness confusion in php_filter_validate_domain().
Intl:
Fixed bug GH-8115 (Can't catch arg type deprecation when instantiating Intl classes).
Fixed bug GH-8142 (Compilation error on cygwin).
Fixed bug GH-7734 (Fix IntlPartsIterator key off-by-one error and first key).
MBString:
Fixed bug GH-8208 (mb_encode_mimeheader: $indent functionality broken).
MySQLi:
Fixed bug GH-8068 (mysqli_fetch_object creates inaccessible properties).
Pcntl:
Fixed bug GH-8142 (Compilation error on cygwin).
PgSQL:
Fixed result_type related stack corruption on LLP64 architectures.
Fixed bug GH-8253 (pg_insert() fails for references).
Sockets:
SPL:
Fixed bug GH-8121 (SplFileObject - seek and key with csv file inconsistent).
Fixed bug GH-8192 (Cannot override DirectoryIterator::current() without return typehint in 8.1).
Standard:
Fixed bug GH-8048 (Force macOS to use statfs).
Version 8.1.4
17 Mar 2022
Core:
Fixed Haiku ZTS build.
Fixed bug GH-8059 arginfo not regenerated for extension.
Fixed bug GH-8083 Segfault when dumping uncalled fake closure with static variables.
Fixed bug GH-7958 (Nested CallbackFilterIterator is leaking memory).
Fixed bug GH-8074 (Wrong type inference of range() result).
Fixed bug GH-8140 (Wrong first class callable by name optimization).
Fixed bug GH-8082 (op_arrays with temporary run_time_cache leak memory when observed).
GD:
Fixed libpng warning when loading interlaced images.
FPM:
Fixed bug #76109 (Unsafe access to fpm scoreboard).
Iconv:
Fixed bug GH-7953 (ob_clean() only does not set Content-Encoding).
Fixed bug GH-7980 (Unexpected result for iconv_mime_decode).
MBString:
Fixed bug GH-8128 (mb_check_encoding wrong result for 7bit).
MySQLnd:
Fixed bug GH-8058 (NULL pointer dereference in mysqlnd package).
Reflection:
Fixed bug GH-8080 (ReflectionClass::getConstants() depends on def. order).
Zlib:
Fixed bug GH-7953 (ob_clean() only does not set Content-Encoding).
Version 8.1.3
17 Feb 2022
Core:
Fixed bug #81430 (Attribute instantiation leaves dangling pointer).
Fixed bug GH-7896 (Environment vars may be mangled on Windows).
Fixed bug GH-7883 (Segfault when INI file is not readable).
FFI:
Fixed bug GH-7867 (FFI::cast() from pointer to array is broken).
Filter:
Fix #81708: UAF due to php_filter_float() failing for ints. (CVE-2021-21708)
FPM:
Fixed memory leak on invalid port.
Fixed bug GH-7842 (Invalid OpenMetrics response format returned by FPM status page.
MBString:
Fixed bug GH-7902 (mb_send_mail may delimit headers with LF only).
MySQLnd:
Fixed bug GH-7972 (MariaDB version prefix 5.5.5- is not stripped).
pcntl:
Fixed pcntl_rfork build for DragonFlyBSD.
Sockets:
Fixed bug GH-7978 (sockets extension compilation errors).
Standard:
Fixed bug GH-7899 (Regression in unpack for negative int value).
Fixed bug GH-7875 (mails are sent even if failure to log throws exception).
Version 8.1.2
20 Jan 2022
Core:
Fixed bug #81216 (Nullsafe operator leaks dynamic property name).
Fixed bug #81684 (Using null coalesce assignment with $GLOBALS["x"] produces opcode error).
Fixed bug #81656 (GCC-11 silently ignores -R).
Fixed bug #81683 (Misleading "access type ... must be public" error message on final or abstract interface methods).
Fixed bug #81585 (cached_chunks are not counted to real_size on shutdown).
Fixed bug GH-7757 (Multi-inherited final constant causes fatal error).
Fixed zend_fibers.c build with ZEND_FIBER_UCONTEXT.
Added riscv64 support for fibers.
Filter:
Fixed FILTER_FLAG_NO_RES_RANGE flag.
Hash:
Fixed bug GH-7759 (Incorrect return types for hash() and hash_hmac()).
Fixed bug GH-7826 (Inconsistent argument name in hash_hmac_file and hash_file).
MBString:
Fixed bug #81693 (mb_check_encoding(7bit) segfaults).
MySQLi:
Fixed bug #81658 (MYSQL_OPT_LOAD_DATA_LOCAL_DIR not available in MariaDB).
Introduced MYSQLI_IS_MARIADB.
Fixed bug GH-7746 (mysqli_sql_exception->getSqlState()).
MySQLnd:
Fixed bug where large bigints may be truncated.
OCI8:
Fixed bug GH-7765 (php_oci_cleanup_global_handles segfaults at second call).
OPcache:
Fixed bug #81679 (Tracing JIT crashes on reattaching).
Readline:
Fixed bug #81598 (Cannot input unicode characters in PHP 8 interactive shell).
Reflection:
Fixed bug #81681 (ReflectionEnum throwing exceptions).
PDO_PGSQL:
Fixed error message allocation of PDO PgSQL.
Sockets:
Avoid void* arithmetic in sockets/multicast.c on NetBSD.
Fixed ext/sockets build on Haiku.
Spl:
Fixed bug #75917 (SplFileObject::seek broken with CSV flags).
Fixed bug GH-7809 (Cloning a faked SplFileInfo object may segfault).
Standard:
Fixed bug GH-7748 (gethostbyaddr outputs binary string).
Fixed bug GH-7815 (php_uname doesn't recognise latest Windows versions).
Version 8.1.1
02 Dec 2021
IMAP:
Fixed bug #81649 (imap_(un)delete accept sequences, not single numbers).
PCRE:
Update bundled PCRE2 to 10.39.
Fixed bug #74604 (Out of bounds in php_pcre_replace_impl).
Standard:
Fixed bug #81659 (stream_get_contents() may unnecessarily overallocate).
Version 8.0.28
14 Feb 2023
Core:
Fixed bug #81744 (Password_verify() always return true with some hash).
Fixed bug #81746 (1-byte array overrun in common path resolve code).
SAPI:
Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)
Version 8.0.27
05 Jan 2023
PDO/SQLite:
Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)
Version 8.0.26
24 Nov 2022
CLI:
Fixed bug GH-9709 (Null pointer dereference with -w/-s options).
Core:
Fixed bug GH-9752 (Generator crashes when interrupted during argument evaluation with extra named params).
Fixed bug GH-9801 (Generator crashes when memory limit is exceeded during initialization).
Fixed potential NULL pointer dereference in Windows shm*() functions.
Fixed bug GH-9750 (Generator memory leak when interrupted during argument evaluation.
Date:
Fixed bug GH-9763 (DateTimeZone ctr mishandles input and adds null byte if the argument is an offset larger than 100*60 minutes).
FPM:
Fixed bug GH-9754 (SaltStack (using Python subprocess) hangs when running php-fpm 8.1.11).
mysqli:
Fixed bug GH-9841 (mysqli_query throws warning despite using silenced error mode).
OpenSSL:
Fixed bug GH-8430 (OpenSSL compiled with no-md2, no-md4 or no-rmd160 does not build).
SOAP:
Fixed GH-9720 (Null pointer dereference while serializing the response).
Version 8.0.25
27 Oct 2022
GD:
Fixed bug #81739 : OOB read due to insufficient input validation in imageloadfont(). (CVE-2022-31630)
Hash:
Fixed bug #81738 : buffer overflow in hash_update() on long parameter. (CVE-2022-37454)
Session:
Fixed bug GH-9583 (session_create_id() fails with user defined save handler that doesn't have a validateId() method).
Streams:
Fixed bug GH-9590 (stream_select does not abort upon exception or empty valid fd set).
Version 8.0.24
29 Sep 2022
Core:
Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function) (Tim Starling)
Fixed bug GH-9361 (Segmentation fault on script exit #9379).
Fixed bug GH-9407 (LSP error in eval'd code refers to wrong class for static type).
Fixed bug #81727 : Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629)
DOM:
Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free).
FPM:
Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to error_log after daemon reload).
Fixed bug #77780 ("Headers already sent..." when previous connection was aborted).
GMP:
Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()).
Intl:
Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter).
Phar:
Fixed bug #81726 : phar wrapper: DOS when using quine gzip file. (CVE-2022-31628)
PDO_PGSQL:
Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed).
Reflection:
Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure).
Fixed bug GH-9409 (Private method is incorrectly dumped as "overwrites").
Streams:
Fixed bug GH-9316 ($http_response_header is wrong for long status line).
Version 8.0.23
01 Sep 2022
Core:
Fixed incorrect double to long casting in latest clang.
DBA:
Fixed LMDB driver memory leak on DB creation failure.
Fixed bug GH-9155 (dba_open("non-existing", "c-", "flatfile") segfaults).
Intl:
Fixed IntlDateFormatter::formatObject() parameter type.
OPcache:
Fixed bug GH-9033 (Loading blacklist file can fail due to negative length).
PDO_SQLite:
Fixed bug GH-9032 (SQLite3 authorizer crashes on NULL values).
SQLite3:
Fixed bug GH-9032 (SQLite3 authorizer crashes on NULL values).
Standard:
Fixed bug GH-9017 (php_stream_sock_open_from_socket could return NULL).
Streams:
Fixed bug GH-8472 (The resource returned by stream_socket_accept may have incorrect metadata).
Fixed bug GH-8409 (SSL handshake timeout leaves persistent connections hanging).
Version 8.0.22
04 Aug 2022
CLI:
Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable.
Core:
Fixed bug GH-8923 (error_log on Windows can hold the file write lock).
Fixed bug GH-8995 (WeakMap object reference offset causing TypeError).
Date:
Fixed bug #80047 (DatePeriod doesn't warn with custom DateTimeImmutable).
DBA:
Fixed LMDB driver hanging when attempting to delete a non-existing key.
FPM:
Fixed zlog message prepend, free on incorrect address.
Fixed possible double free on configuration loading failure.
GD:
Fixed bug GH-8848 (imagecopyresized() error refers to the wrong argument).
Intl:
Fixed build for ICU 69.x and onwards.
OPcache:
Fixed bug GH-8847 (PHP hanging infinitly at 100% cpu when check php syntaxe of a valid file).
Standard:
Fixed the crypt_sha256/512 api build with clang > 12.
Uses CCRandomGenerateBytes instead of arc4random_buf on macOs.
Version 8.0.21
07 Jul 2022
Core:
Fixed potential use after free in php_binary_init().
CLI:
Fixed GH-8827 (Intentionally closing std handles no longer possible).
COM:
Fixed bug GH-8778 (Integer arithmethic with large number variants fails).
Curl:
Fixed CURLOPT_TLSAUTH_TYPE is not treated as a string option.
Date:
Fixed bug #74671 (DST timezone abbreviation has incorrect offset).
Fixed bug #77243 (Weekdays are calculated incorrectly for negative years).
Fixed bug #78139 (timezone_open accepts invalid timezone string argument).
FPM:
Fixed bug #67764 (fpm: syslog.ident don't work).
MBString:
Fixed bug GH-8685 (pcre not ready at mbstring startup).
ODBC:
Fixed handling of single-key connection strings.
OpenSSL:
Fixed bug #50293 (Several openssl functions ignore the VCWD).
Fixed bug #81713 (NULL byte injection in several OpenSSL functions working with certificates).
PDO_ODBC:
Fixed errorInfo() result on successful PDOStatement->execute().
Fixed handling of single-key connection strings.
Zip:
Fixed bug GH-8781 (ZipArchive::close deletes zip file without updating stat cache).
Version 8.0.20
09 Jun 2022
CLI:
Fixed bug GH-8575 (CLI closes standard streams too early).
Core:
Date:
Fixed bug GH-8471 (Segmentation fault when converting immutable and mutable DateTime instances created using reflection).
FPM:
Fixed ACL build check on MacOS.
Fixed bug #72185 : php-fpm writes empty fcgi record causing nginx 502.
Mysqlnd:
Fixed bug #81719 : mysqlnd/pdo password buffer overflow. (CVE-2022-31626)
OPcache:
Fixed bug GH-8466 (ini_get() is optimized out when the option does not exist).
Pcntl:
Pgsql:
Fixed bug #81720 : Uninitialized array in pg_query_params(). (CVE-2022-31625)
Soap:
Fixed bug GH-8578 (Error on wrong parameter on SoapHeader constructor).
Fixed bug GH-8538 (SoapClient may strip parts of nmtokens).
SPL:
Fixed bug GH-8235 (iterator_count() may run indefinitely).
Zip:
Fixed type for index in ZipArchive::replaceFile.
Version 8.0.19
12 May 2022
Core:
Fixed bug GH-8289 (Exceptions thrown within a yielded from iterator are not rethrown into the generator).
Date:
Fixed bug GH-7979 (DatePeriod iterator advances when checking if valid).
FFI:
Fixed bug GH-8433 (Assigning function pointers to structs in FFI leaks).
FPM:
Fixed bug #76003 (FPM /status reports wrong number of active processe).
Fixed bug #77023 (FPM cannot shutdown processes).
Fixed comment in kqueue remove callback log message.
Iconv:
Fixed bug GH-8218 (ob_end_clean does not reset Content-Encoding header).
Intl:
Fixed bug GH-8364 (msgfmt_format $values may not support references).
MySQLi:
Fixed bug GH-8267 (MySQLi uses unsupported format specifier on Windows).
SPL:
Fixed bug GH-8366 (ArrayIterator may leak when calling __construct()).
Fixed bug GH-8273 (SplFileObject: key() returns wrong value).
Streams:
Fixed php://temp does not preserve file-position when switched to temporary file.
zlib:
Fixed bug GH-8218 (ob_end_clean does not reset Content-Encoding header).
Version 8.0.18
14 Apr 2022
Core:
Fixed freeing of internal attribute arguments.
Fixed bug GH-8070 (memory leak of internal function attribute hash).
Fixed bug GH-8160 (ZTS support on Alpine is broken).
Filter:
Fixed signedness confusion in php_filter_validate_domain().
Intl:
Fixed bug GH-8142 (Compilation error on cygwin).
MBString:
Fixed bug GH-8208 (mb_encode_mimeheader: $indent functionality broken).
MySQLi:
Fixed bug GH-8068 (mysqli_fetch_object creates inaccessible properties).
Pcntl:
Fixed bug GH-8142 (Compilation error on cygwin).
PgSQL:
Fixed result_type related stack corruption on LLP64 architectures.
Fixed bug GH-8253 (pg_insert() fails for references).
Sockets:
SPL:
Fixed bug GH-8121 (SplFileObject - seek and key with csv file inconsistent).
Standard:
Fixed bug GH-8048 (Force macOS to use statfs).
Version 8.0.17
17 Mar 2022
Core:
GD:
Fixed libpng warning when loading interlaced images.
FPM:
Fixed bug #76109 (Unsafe access to fpm scoreboard).
Iconv:
Fixed bug GH-7953 (ob_clean() only does not set Content-Encoding).
Fixed bug GH-7980 (Unexpected result for iconv_mime_decode).
MySQLnd:
Fixed bug GH-8058 (NULL pointer dereference in mysqlnd package).
OPcache:
Fixed bug GH-8074 (Wrong type inference of range() result).
Reflection:
Fixed bug GH-8080 (ReflectionClass::getConstants() depends on def. order).
Zlib:
Fixed bug GH-7953 (ob_clean() only does not set Content-Encoding).
Version 8.0.16
17 Feb 2022
Core:
Fixed bug #81430 (Attribute instantiation leaves dangling pointer).
Fixed bug GH-7896 (Environment vars may be mangled on Windows).
FFI:
Fixed bug GH-7867 (FFI::cast() from pointer to array is broken).
Filter:
Fix #81708: UAF due to php_filter_float() failing for ints.
FPM:
Fixed memory leak on invalid port.
MBString:
Fixed bug GH-7902 (mb_send_mail may delimit headers with LF only).
MySQLnd:
Fixed bug GH-7972 (MariaDB version prefix 5.5.5- is not stripped).
Sockets:
Fixed ext/sockets build on Haiku.
Fixed bug GH-7978 (sockets extension compilation errors).
Standard:
Fixed bug GH-7875 (mails are sent even if failure to log throws exception).
Version 8.0.15
20 Jan 2022
Core:
Fixed bug #81656 (GCC-11 silently ignores -R).
Fixed bug #81585 (cached_chunks are not counted to real_size on shutdown).
Filter:
Fixed FILTER_FLAG_NO_RES_RANGE flag.
Hash:
Fixed bug GH-7759 (Incorrect return types for hash() and hash_hmac()).
Fixed bug GH-7826 (Inconsistent argument name in hash_hmac_file and hash_file).
MySQLnd:
Fixed bug where large bigints may be truncated.
OCI8:
Fixed bug GH-7765 (php_oci_cleanup_global_handles segfaults at second call).
OPcache:
Fixed bug #81679 (Tracing JIT crashes on reattaching).
PDO_PGSQL:
Fixed error message allocation of PDO PgSQL.
Sockets:
Avoid void* arithmetic in sockets/multicast.c on NetBSD.
Spl:
Fixed bug #75917 (SplFileObject::seek broken with CSV flags).
Version 8.0.14
16 Dec 2021
Core:
Fixed bug #81582 (Stringable not implicitly declared if __toString() came from a trait).
Fixed bug #81591 (Fatal Error not properly logged in particular cases).
Fixed bug #81626 (Error on use static:: in __сallStatic() wrapped to Closure::fromCallable()).
Fixed bug #81631 (::class with dynamic class name may yield wrong line number).
FPM:
Fixed bug #81513 (Future possibility for heap overflow in FPM zlog).
GD:
Fixed bug #71316 (libpng warning from imagecreatefromstring).
IMAP:
Fixed bug #81649 (imap_(un)delete accept sequences, not single numbers).
OpenSSL:
Fixed bug #75725 (./configure: detecting RAND_egd).
PCRE:
Fixed bug #74604 (Out of bounds in php_pcre_replace_impl).
SPL:
Fixed bug #81587 (MultipleIterator Segmentation fault w/ SimpleXMLElement attached).
Standard:
Fixed bug #81618 (dns_get_record fails on FreeBSD for missing type).
Fixed bug #81659 (stream_get_contents() may unnecessarily overallocate).
Version 8.0.13
18 Nov 2021
Core:
Fixed bug #81518 (Header injection via default_mimetype / default_charset).
Date:
Fixed bug #81500 (Interval serialization regression since 7.3.14 / 7.4.2).
DBA:
Fixed bug #81588 (TokyoCabinet driver leaks memory).
MBString:
Fixed bug #76167 (mbstring may use pointer from some previous request).
Opcache:
Fixed bug #81512 (Unexpected behavior with arrays and JIT).
PCRE:
Fixed bug #81424 (PCRE2 10.35 JIT performance regression).
XML:
Fixed bug #79971 (special character is breaking the path in xml function). (CVE-2021-21707)
XMLReader:
Fixed bug #81521 (XMLReader::getParserProperty may throw with a valid property).
Version 8.0.12
21 Oct 2021
CLI:
Fixed bug #81496 (Server logs incorrect request method).
Core:
Fixed bug #81435 (Observer current_observed_frame may point to an old (overwritten) frame).
Fixed bug #81380 (Observer may not be initialized properly).
DOM:
Fixed bug #81433 (DOMElement::setIdAttribute() called twice may remove ID).
FFI:
Fixed bug #79576 ("TYPE *" shows unhelpful message when type is not defined).
FPM:
Fixed bug #81026 (PHP-FPM oob R/W in root process leading to privilege escalation) (CVE-2021-21703).
Fileinfo:
Fixed bug #78987 (High memory usage during encoding detection).
Filter:
Fixed bug #61700 (FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing).
Opcache:
Fixed bug #81472 (Cannot support large linux major/minor device number when read /proc/self/maps).
Reflection:
ReflectionAttribute is no longer final.
SPL:
Fixed bug #80663 (Recursive SplFixedArray::setSize() may cause double-free).
Fixed bug #81477 (LimitIterator + SplFileObject regression in 8.0.1).
Standard:
Fixed bug #69751 (Change Error message of sprintf/printf for missing/typo position specifier).
Streams:
Fixed bug #81475 (stream_isatty emits warning with attached stream wrapper).
XML:
Fixed bug #70962 (XML_OPTION_SKIP_WHITE strips embedded whitespace).
Zip:
Fixed bug #81490 (ZipArchive::extractTo() may leak memory).
Fixed bug #77978 (Dirname ending in colon unzips to wrong dir).
Version 8.0.11
23 Sep 2021
Core:
Fixed bug #81302 (Stream position after stream filter removed).
Fixed bug #81346 (Non-seekable streams don't update position after write).
Fixed bug #73122 (Integer Overflow when concatenating strings).
GD:
Fixed bug #53580 (During resize gdImageCopyResampled cause colors change).
Opcache:
Fixed bug #81353 (segfault with preloading and statically bound closure).
Shmop:
Fixed bug #81407 (shmop_open won't attach and causes php to crash).
Standard:
Fixed bug #71542 (disk_total_space does not work with relative paths).
Fixed bug #81400 (Unterminated string in dns_get_record() results).
SysVMsg:
Fixed bug #78819 (Heap Overflow in msg_send).
XML:
Fixed bug #81351 (xml_parse may fail, but has no error code).
Zip:
Fixed bug #80833 (ZipArchive::getStream doesn't use setPassword).
Fixed bug #81420 (ZipArchive::extractTo extracts outside of destination).
Version 8.0.10
26 Aug 2021
Core:
Fixed bug #72595 (php_output_handler_append illegal write access).
Fixed bug #66719 (Weird behaviour when using get_called_class() with call_user_func()).
Fixed bug #81305 (Built-in Webserver Drops Requests With "Upgrade" Header).
BCMath:
Fixed bug #78238 (BCMath returns "-0").
CGI:
Fixed bug #80849 (HTTP Status header truncation).
Date:
Fixed bug #64975 (Error parsing when AM/PM not at the end).
Fixed bug #78984 (DateTimeZone accepting invalid UTC timezones).
Fixed bug #79580 (date_create_from_format misses leap year).
Fixed bug #80409 (DateTime::modify() loses time with 'weekday' parameter).
GD:
Fixed bug #51498 (imagefilledellipse does not work for large circles).
MySQLi:
Fixed bug #74544 (Integer overflow in mysqli_real_escape_string()).
Opcache:
Fixed bug #81225 (Wrong result with pow operator with JIT enabled).
Fixed bug #81249 (Intermittent property assignment failure with JIT enabled).
Fixed bug #81206 (Multiple PHP processes crash with JIT enabled).
Fixed bug #81272 (Segfault in var[] after array_slice with JIT).
Fixed bug #81255 (Memory leak in PHPUnit with functional JIT).
Fixed bug #80959 (Infinite loop in building cfg during JIT compilation) (Nikita, Dmitry)
Fixed bug #81226 (Integer overflow behavior is different with JIT enabled).
OpenSSL:
Fixed bug #81327 (Error build openssl extension on php 7.4.22).
PDO_ODBC:
Fixed bug #81252 (PDO_ODBC doesn't account for SQL_NO_TOTAL).
Phar:
Fixed bug #81211 : Symlinks are followed when creating PHAR archive
Shmop:
Fixed bug #81283 (shmop can't read beyond 2147483647 bytes).
SimpleXML:
Fixed bug #81325 (Segfault in zif_simplexml_import_dom).
Standard:
Fixed bug #72146 (Integer overflow on substr_replace).
Fixed bug #81265 (getimagesize returns 0 for 256px ICO images).
Fixed bug #74960 (Heap buffer overflow via str_repeat).
Streams:
Fixed bug #81294 (Segfault when removing a filter).
Version 8.0.9
29 Jul 2021
Core:
Fixed bug #81145 (copy() and stream_copy_to_stream() fail for +4GB files).
Fixed bug #81163 (incorrect handling of indirect vars in __sleep).
Fixed bug #81159 (Object to int warning when using an object as a string offset).
Fixed bug #80728 (PHP built-in web server resets timeout when it can kill the process).
Fixed bug #73630 (Built-in Webserver - overwrite $_SERVER['request_uri']).
Fixed bug #80173 (Using return value of zend_assign_to_variable() is not safe).
Fixed bug #73226 (--r[fcez] always return zero exit code).
Intl:
Fixed bug #72809 (Locale::lookup() wrong result with canonicalize option).
Fixed bug #68471 (IntlDateFormatter fails for "GMT+00:00" timezone).
Fixed bug #74264 (grapheme_strrpos() broken for negative offsets).
OpenSSL:
Fixed bug #52093 (openssl_csr_sign truncates $serial).
PCRE:
Fixed bug #81101 (PCRE2 10.37 shows unexpected result).
Fixed bug #81243 (Too much memory is allocated for preg_replace()).
Reflection:
Fixed bug #81208 (Segmentation fault while create newInstance from attribute).
Standard:
Fixed bug #81223 (flock() only locks first byte of file).
Version 8.0.8
01 Jul 2021
Core:
Fixed bug #81076 (incorrect debug info on Closures with implicit binds).
Fixed bug #81068 (Double free in realpath_cache_clean()).
Fixed bug #76359 (open_basedir bypass through adding "..").
Fixed bug #81090 (Typed property performance degradation with .= operator).
Fixed bug #81070 (Integer underflow in memory limit comparison).
Fixed bug #81122 (SSRF bypass in FILTER_VALIDATE_URL). (CVE-2021-21705)
Bzip2:
Fixed bug #81092 (fflush before stream_filter_remove corrupts stream).
Fileinfo:
Fixed bug #80197 (implicit declaration of function 'magic_stream' is invalid).
GMP:
Fixed bug #81119 (GMP operators throw errors with wrong parameter names).
OCI8:
Fixed bug #81088 (error in regression test for oci_fetch_object() and oci_fetch_array()).
Opcache:
Fixed bug #81051 (Broken property type handling after incrementing reference).
Fixed bug #80968 (JIT segfault with return from required file).
OpenSSL:
Fixed bug #76694 (native Windows cert verification uses CN as server name).
MySQLnd:
Fixed bug #80761 (PDO uses too much memory).
PDO_Firebird:
Fixed bug #76448 (Stack buffer overflow in firebird_info_cb). (CVE-2021-21704)
Fixed bug #76449 (SIGSEGV in firebird_handle_doer). (CVE-2021-21704)
Fixed bug #76450 (SIGSEGV in firebird_stmt_execute). (CVE-2021-21704)
Fixed bug #76452 (Crash while parsing blob data in firebird_fetch_blob). (CVE-2021-21704)
readline:
Fixed bug #72998 (invalid read in readline completion).
Standard:
Fixed bug #81048 (phpinfo(INFO_VARIABLES) "Array to string conversion").
Fixed bug #77627 (method_exists on Closure::__invoke inconsistency).
Windows:
Fixed bug #81120 (PGO data for main PHP DLL are not used).
Version 8.0.7
03 Jun 2021
Core:
Fixed bug #80960 (opendir() warning wrong info when failed on Windows).
Fixed bug #67792 (HTTP Authorization schemes are treated as case-sensitive).
Fixed bug #80972 (Memory exhaustion on invalid string offset).
FPM:
Fixed bug #65800 (Events port mechanism).
FTP:
Fixed bug #80901 (Info leak in ftp extension).
Fixed bug #79100 (Wrong FTP error messages).
GD:
Fixed bug #81032 (GD install is affected by external libgd installation).
Intl:
Fixed bug #81019 (Unable to clone NumberFormatter after failed parse()).
MBString:
Fixed bug #81011 (mb_convert_encoding removes references from arrays).
ODBC:
Fixed bug #80460 (ODBC doesn't account for SQL_NO_TOTAL indicator).
Opcache:
Fixed bug #81007 (JIT "not supported" on 32-bit x86 -- build problem?).
Fixed bug #81015 (Opcache optimization assumes wrong part of ternary operator in if-condition).
Fixed bug #81046 (Literal compaction merges non-equal related literals).
PDO_MySQL:
Fixed bug #81037 (PDO discards error message text from prepared statement).
PDO_ODBC:
Fixed bug #44643 (bound parameters ignore explicit type definitions).
pgsql:
Fixed php_pgsql_fd_cast() wrt. php_stream_can_cast().
SPL:
Fixed bug #80933 (SplFileObject::DROP_NEW_LINE is broken for NUL and CR).
XMLReader:
Fixed bug #73246 (XMLReader: encoding length not checked).
Zip:
Fixed bug #80863 (ZipArchive::extractTo() ignores references).
Version 8.0.6
06 May 2021
PDO_pgsql:
Revert "Fixed bug #80892 (PDO::PARAM_INT is treated the same as PDO::PARAM_STR)"
Version 8.0.5
29 Apr 2021
Core:
Fixed bug #75776 (Flushing streams with compression filter is broken).
Fixed bug #80811 (Function exec without $output but with $restult_code parameter crashes).
Fixed bug #80814 (threaded mod_php won't load on FreeBSD: No space available for static Thread Local Storage).
Changed PowerPC CPU registers used by Zend VM to work around GCC bug. Old registers (r28/r29) might be clobbered by _restgpr routine used for return from C function compiled with -Os.
Dba:
Fixed bug #80817 (dba_popen() may cause segfault during RSHUTDOWN).
DOM:
Fixed bug #66783 (UAF when appending DOMDocument to element).
FFI:
Fixed bug #80847 (CData structs with fields of type struct can't be passed as C function argument).
FPM:
Fixed bug #80024 (Duplication of info about inherited socket after pool removing).
FTP:
Fixed bug #80880 (SSL_read on shutdown, ftp/proc_open).
IMAP:
Fixed bug #80800 (imap_open() fails when the flags parameter includes CL_EXPUNGE).
Fixed bug #80710 (imap_mail_compose() header injection).
Intl:
Fixed bug #80763 (msgfmt_format() does not accept DateTime references).
LibXML:
Fixed bug #73533 (Invalid memory access in php_libxml_xmlCheckUTF8).
Fixed bug #51903 (simplexml_load_file() doesn't use HTTP headers).
MySQLnd:
Fixed bug #80837 (Calling stmt_store_result after fetch doesn't throw an error).
Opcache:
Fixed bug #80839 (PHP problem with JIT).
Fixed bug #80861 (erronous array key overflow in 2D array with JIT).
Fixed bug #80786 (PHP crash using JIT).
Fixed bug #80782 (DASM_S_RANGE_VREG on PHP_INT_MIN-1).
Pcntl:
Fixed bug #79812 (Potential integer overflow in pcntl_exec()).
PCRE:
Fixed bug #80866 (preg_split ignores limit flag when pattern with \K has 0-width fullstring match).
PDO_ODBC:
Fixed bug #80783 (PDO ODBC truncates BLOB records at every 256th byte).
PDO_pgsql:
Fixed bug #80892 (PDO::PARAM_INT is treated the same as PDO::PARAM_STR).
Session:
Fixed bug #80889 (Cannot set save handler when save_handler is invalid).
Fixed bug #80774 (session_name() problem with backslash).
SOAP:
Fixed bug #69668 (SOAP special XML characters in namespace URIs not encoded).
Standard:
Fixed bug #80915 (Taking a reference to $_SERVER hides its values from phpinfo()).
Fixed bug #80914 ('getdir' accidentally defined as an alias of 'dir').
Fixed bug #80771 (phpinfo(INFO_CREDITS) displays nothing in CLI).
Fixed bug #78719 (http wrapper silently ignores long Location headers).
Fixed bug #80838 (HTTP wrapper waits for HTTP 1 response after HTTP 101).
Zip:
Fixed bug #80825 (ZipArchive::isCompressionMethodSupported does not exist).
Version 8.0.3
04 Mar 2021
Core:
Fixed bug #80706 (mail(): Headers after Bcc headers may be ignored).
DOM:
Fixed bug #80600 (DOMChildNode::remove() doesn't work on CharacterData nodes).
Gettext:
Fixed bug #53251 (bindtextdomain with null dir doesn't return old value).
MySQLnd:
Fixed bug #78680 (mysqlnd's mysql_clear_password does not transmit null-terminated password).
Fixed bug #80713 (SegFault when disabling ATTR_EMULATE_PREPARES and MySQL 8.0).
MySQLi:
Fixed bug #74779 (x() and y() truncating floats to integers).
Opcache:
Fixed bug #80634 (write_property handler of internal classes is skipped on preloaded JITted code).
Fixed bug #80682 (opcache doesn't honour pcre.jit option).
Fixed bug #80742 (Opcache JIT makes some boolean logic unexpectedly be true).
Fixed bug #80745 (JIT produces Assert failure and UNKNOWN:0 var_dumps in code involving bitshifts).
OpenSSL:
Fixed bug #80747 (Providing RSA key size < 512 generates key that crash PHP).
Phar:
Fixed bug #75850 (Unclear error message wrt. __halt_compiler() w/o semicolon)
Fixed bug #70091 (Phar does not mark UTF-8 filenames in ZIP archives).
Fixed bug #53467 (Phar cannot compress large archives).
Socket:
Fixed bug #80723 (Different sockets compare as equal (regression in 8.0)).
SPL:
Fixed bug #80719 (Iterating after failed ArrayObject::setIteratorClass() causes Segmentation fault).
Standard:
Fixed bug #80654 (file_get_contents() maxlen fails above (2**31)-1 bytes).
Fixed bug #80718 (ext/standard/dl.c fallback code path with syntax error).
Version 8.0.2
04 Feb 2021
Core:
Fixed bug #80523 (bogus parse error on >4GB source code).
Fixed bug #80384 (filter buffers entire read until file closed).
Fixed bug #80596 (Invalid union type TypeError in anonymous classes).
Fixed bug #80617 (GCC throws warning about type narrowing in ZEND_TYPE_INIT_CODE).
BCMath:
Fixed bug #80545 (bcadd('a', 'a') doesn't throw an exception).
Curl:
Fixed bug #80595 (Resetting POSTFIELDS to empty array breaks request).
Date:
Fixed bug #80376 (last day of the month causes runway cpu usage).
DOM:
Fixed bug #80537 (Wrong parameter type in DOMElement::removeAttributeNode stub).
Filter:
Fixed bug #80584 (0x and 0X are considered valid hex numbers by filter_var()).
GMP:
Fixed bug #80560 (Strings containing only a base prefix return 0 object).
Intl:
Fixed bug #80644 (Missing resource causes subsequent get() calls to fail).
MySQLi:
Fixed bug #67983 (mysqlnd with MYSQLI_OPT_INT_AND_FLOAT_NATIVE fails to interpret bit columns).
Fixed bug #64638 (Fetching resultsets from stored procedure with cursor fails).
Fixed bug #72862 (segfault using prepared statements on stored procedures that use a cursor).
Fixed bug #77935 (Crash in mysqlnd_fetch_stmt_row_cursor when calling an SP with a cursor).
ODBC:
Fixed bug #80592 (all floats are the same in ODBC parameters).
Opcache:
Fixed bug #80422 (php_opcache.dll crashes when using Apache 2.4 with JIT).
PDO_Firebird:
Fixed bug #80521 (Parameters with underscores no longer recognized).
Phar:
Fixed bug #76929 (zip-based phar does not respect phar.require_hash).
Fixed bug #77565 (Incorrect locator detection in ZIP-based phars).
Fixed bug #69279 (Compressed ZIP Phar extractTo() creates garbage files).
Phpdbg:
Reverted fix for bug #76813 (Access violation near NULL on source operand).
SOAP:
Fixed bug #80672 (Null Dereference in SoapClient). (CVE-2021-21702)
Version 8.0.1
07 Jan 2021
Core:
Fixed bug #80345 (PHPIZE configuration has outdated PHP_RELEASE_VERSION).
Fixed bug #72964 (White space not unfolded for CC/Bcc headers).
Fixed bug #80391 (Iterable not covariant to mixed).
Fixed bug #80393 (Build of PHP extension fails due to configuration gap with libtool).
Fixed bug #77069 (stream filter loses final block of data).
Fileinfo:
Fixed bug #77961 (finfo_open crafted magic parsing SIGABRT).
FPM:
Fixed bug #69625 (FPM returns 200 status on request without SCRIPT_FILENAME env).
IMAP:
Fixed bug #80438 (imap_msgno() incorrectly warns and return false on valid UIDs in PHP 8).
Fix a regression with valid UIDs in imap_savebody().
Make warnings for invalid message numbers/UIDs between functions consistent.
Intl:
Fixed bug #80425 (MessageFormatAdapter::getArgTypeList redefined).
Opcache:
Fixed bug #80404 (Incorrect range inference result when division results in float).
Fixed bug #80377 (Opcache misses executor_globals).
Fixed bug #80433 (Unable to disable the use of the AVX command when using JIT).
Fixed bug #80447 (Strange out of memory error when running with JIT).
Fixed bug #80480 (Segmentation fault with JIT enabled).
Fixed bug #80506 (Immediate SIGSEGV upon ini_set("opcache.jit_debug", 1)).
OpenSSL:
Fixed bug #80368 (OpenSSL extension fails to build against LibreSSL due to lack of OCB support).
PDO MySQL:
Fixed bug #80458 (PDOStatement::fetchAll() throws for upsert queries).
Fixed bug #63185 (nextRowset() ignores MySQL errors with native prepared statements).
Fixed bug #78152 (PDO::exec() - Bad error handling with multiple commands).
Fixed bug #66878 (Multiple rowsets not returned unless PDO statement object is unset()).
Fixed bug #70066 (Unexpected "Cannot execute queries while other unbuffered queries").
Fixed bug #71145 (Multiple statements in init command triggers unbuffered query error).
Fixed bug #76815 (PDOStatement cannot be GCed/closeCursor-ed when a PROCEDURE resultset SIGNAL).
Fixed bug #79872 (Can't execute query with pending result sets).
Fixed bug #79131 (PDO does not throw an exception when parameter values are missing).
Fixed bug #72368 (PdoStatement->execute() fails but does not throw an exception).
Fixed bug #62889 (LOAD DATA INFILE broken).
Fixed bug #67004 (Executing PDOStatement::fetch() more than once prevents releasing resultset).
Fixed bug #79132 (PDO re-uses parameter values from earlier calls to execute()).
Phar:
Fixed bug #73809 (Phar Zip parse crash - mmap fail).
Fixed bug #75102 (`PharData` says invalid checksum for valid tar).
Fixed bug #77322 (PharData::addEmptyDir('/') Possible integer overflow).
Phpdbg:
Fixed bug #76813 (Access violation near NULL on source operand).
SPL:
Fixed bug #62004 (SplFileObject: fgets after seek returns wrong line).
Standard:
Fixed bug #80366 (Return Value of zend_fstat() not Checked).
Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)
Tidy:
Fixed bug #77594 (ob_tidyhandler is never reset).
Tokenizer:
Fixed bug #80462 (Nullsafe operator tokenize with TOKEN_PARSE flag fails).
XML:
XmlParser opaque object renamed to XMLParser for consistency with other XML objects.
Zlib:
Fixed bug #48725 (Support for flushing in zlib stream).