PHP 7.4.4 Released on 19 March 2020

The PHP development team released PHP 7.4.4 on 19 March 2020. It is a security release that also contains several bug fixes, so anyone running PHP 7.4 should upgrade to PHP 7.4.4 without delay.

Version 7.4.4 Changelog

Core

Fixed bug #79329 (get_headers() silently truncates after a null byte) (CVE-2020-7066)

get_headers() silently truncates anything after a null byte in the URL it uses. This was tested on PHP 7.3, but the function has always had this bug.

<?php
// "\0" embeds a null byte after "testscript"; a reader would expect the
// request to go to the full host name, not to the part before the null byte.
$headers = get_headers("http://testscript\0.gtechhub.com");
var_dump($headers);
?>

The snippet above shows how an otherwise well-written script can end up fetching headers for an unexpected domain. Those headers could leak sensitive information or unexpectedly contain attacker-controlled data.

Expected result:

Warning: get_headers() expects parameter 1 to be a valid path, string given in php shell code on line 1
NULL

Actual result:

http://testscript
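The defensive counterpart of the bug above, as an added example that is not part of the release notes or of PHP's own code: validate a caller-supplied URL before handing it to get_headers(), rejecting control characters (including the null byte) and checking the parsed host against an allow-list. The allow-list, the sample inputs and the function name safe_header_url() are constructed for this illustration; the network call itself is left commented out so the script runs offline.

```php
<?php
// Added example: validate a URL before calling get_headers(), so that a null
// byte or other control character cannot redirect the request to a host the
// caller did not intend. Not part of PHP; names and inputs are constructed.
declare(strict_types=1);

/**
 * Return $url if it is safe to pass to get_headers(), or null otherwise.
 * $allowedHosts is an allow-list of host names the script may contact.
 */
function safe_header_url(string $url, array $allowedHosts): ?string
{
    // 1. Reject embedded NUL and other control characters outright. Before
    //    PHP 7.4.4, get_headers() truncated at the NUL instead of raising the
    //    "expects parameter 1 to be a valid path" warning.
    if (preg_match('/[\x00-\x1F\x7F]/', $url) === 1) {
        return null;
    }

    // 2. Parse the URL and insist on an http(s) scheme and a host.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }

    // 3. Compare the *parsed* host (not a substring of the raw URL) against
    //    the allow-list, case-insensitively.
    $allowed = array_map('strtolower', $allowedHosts);
    if (!in_array(strtolower($parts['host']), $allowed, true)) {
        return null;
    }

    return $url;
}

// Constructed allow-list for the demonstration.
$allowedHosts = ['testscript.gtechhub.com'];

// Constructed inputs: the second carries the null byte from the bug report,
// the third uses a userinfo trick so the real host is "evil.example".
$inputs = [
    'http://testscript.gtechhub.com/',
    "http://testscript\0.gtechhub.com",
    'http://testscript.gtechhub.com@evil.example/',
];

foreach ($inputs as $input) {
    $checked = safe_header_url($input, $allowedHosts);
    printf("%-48s => %s\n", addcslashes($input, "\0"),
        $checked === null ? 'rejected' : 'accepted');
    if ($checked !== null) {
        // Only a validated URL ever reaches the network call.
        // $headers = get_headers($checked);
    }
}
```

Of the three constructed inputs only the first is accepted; the control-character check catches the null byte independently of the PHP version, and comparing the host returned by parse_url() rather than searching the raw string catches the userinfo variant.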

Fixed bug #79244 (php crashes during parsing INI file)

php crashes during parsing INI file with function parse_ini_file() or parse_ini_string(). Both CLI and CGI versions are affected. The crash occurs only if there is a section with integer name.

<?php
// A section whose name is a bare integer is enough to trigger the crash.
$string = <<<__INI__
[9]

__INI__;

var_dump(parse_ini_string($string, TRUE, INI_SCANNER_TYPED));
?>

Running the snippet above crashes PHP instead of returning the parsed array; the reporter's result was simply “PHP crashed”.
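A workaround for installations that parse INI text from an untrusted source and cannot be upgraded immediately, as an added example that is not part of the release notes or of PHP: scan the text for integer-named sections, the input shape the bug report identifies, and refuse it on affected versions before parse_ini_string() sees it. The helper names integer_ini_sections() and parse_ini_guarded() and the sample INI strings are constructed for this illustration.

```php
<?php
// Added example: pre-check INI text for integer-named sections (the shape that
// crashed parse_ini_string()/parse_ini_file() before 7.4.4) and refuse it on
// affected interpreters. Not part of PHP; names and inputs are constructed.
declare(strict_types=1);

/** Return the names of sections whose name is a bare integer, e.g. "[9]". */
function integer_ini_sections(string $ini): array
{
    $found = [];
    foreach (preg_split('/\R/', $ini) as $line) {
        $line = trim($line);
        // Skip blank lines and ';' comments.
        if ($line === '' || $line[0] === ';') {
            continue;
        }
        if (preg_match('/^\[\s*([^\]]*?)\s*\]/', $line, $m) === 1
            && preg_match('/^-?\d+$/', $m[1]) === 1) {
            $found[] = $m[1];
        }
    }
    return $found;
}

/**
 * Like parse_ini_string(), but on interpreters older than 7.4.4 refuses input
 * with integer-named sections instead of letting the scanner crash.
 */
function parse_ini_guarded(string $ini, bool $sections = true, int $mode = INI_SCANNER_NORMAL)
{
    if (PHP_VERSION_ID < 70404) {
        $bad = integer_ini_sections($ini);
        if ($bad !== []) {
            throw new RuntimeException(
                'refusing INI with integer section name(s): ' . implode(', ', $bad)
            );
        }
    }
    return parse_ini_string($ini, $sections, $mode);
}

// Constructed samples: an ordinary section, the crashing input from the bug
// report, and a line where "[5]" appears only inside a comment.
$samples = [
    "[app]\nname = demo\n",
    "[9]\n",
    "; [5] is only a comment\n[ok]\nx = 1\n",
];

foreach ($samples as $ini) {
    try {
        var_dump(parse_ini_guarded($ini, true, INI_SCANNER_TYPED));
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

On 7.4.4 or later the guard is a no-op and all three samples are parsed; on an affected version the second sample is rejected with a message instead of a crash, while the commented "[5]" is correctly ignored.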

Fixed bug #63206 (restore_error_handler does not restore previous errors mask)

COM:

Fixed bug #66322 (COMPersistHelper::SaveToFile can save to wrong location)

The problem exists in COMPersistHelper::SaveToFile, which checks fullpath but then calls php_com_string_to_olestring with the filename from the arguments together with fullpath’s length. Because fullpath’s length may be shorter than filename’s length, a ‘/../’ trick makes this a safe-mode bypass.
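The check that bug #66322 got wrong, written out in userland as an added example that is not PHP's own code: resolve the complete path that will actually be written, not a shorter prefix, and verify that it still lies inside the intended base directory so that ‘/../’ segments cannot escape. The function name confined_path(), the temporary directory layout and the sample file names are constructed for this illustration.

```php
<?php
// Added example: confine a caller-supplied file name to a base directory by
// checking the fully resolved path, which is the check that bug #66322 skipped
// by using the wrong length. Not part of PHP; names and inputs are constructed.
declare(strict_types=1);

/**
 * Return the canonical absolute path of $baseDir/$filename if it stays inside
 * $baseDir; throw otherwise.
 */
function confined_path(string $baseDir, string $filename): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException("base directory does not exist: $baseDir");
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR);

    // A NUL would truncate the name at the C level; reject it first.
    if (strpos($filename, "\0") !== false) {
        throw new InvalidArgumentException('filename contains a NUL byte');
    }

    // realpath() needs the target to exist, so canonicalise the parent
    // directory and re-append the leaf name. The leaf itself must be a real
    // name, not "." or "..", or it could step out after the check.
    $leaf = basename($filename);
    if ($leaf === '' || $leaf === '.' || $leaf === '..') {
        throw new InvalidArgumentException("invalid file name: $filename");
    }
    $parent = realpath($base . DIRECTORY_SEPARATOR . dirname($filename));
    if ($parent === false) {
        throw new RuntimeException("target directory does not exist: $filename");
    }
    $full = rtrim($parent, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $leaf;

    // Compare the whole resolved path against "<base>/", not a prefix of the
    // unresolved input.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("path escapes base directory: $filename");
    }
    return $full;
}

// Constructed demonstration in a throw-away temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'confine_demo_' . getmypid();
mkdir($base . DIRECTORY_SEPARATOR . 'sub', 0700, true);

$names = ['report.txt', 'sub/data.bin', '../escape.txt', 'sub/../../escape.txt', '..'];
foreach ($names as $name) {
    try {
        echo $name, ' => ', confined_path($base, $name), "\n";
    } catch (Exception $e) {
        echo $name, ' => REJECTED (', $e->getMessage(), ")\n";
    }
}

rmdir($base . DIRECTORY_SEPARATOR . 'sub');
rmdir($base);
```

The first two names resolve to paths under the base directory and are returned; the three traversal variants are rejected because their resolved parent directory is no longer prefixed by the base. realpath() also resolves symlinks in the parent path, so a link pointing outside the base is caught too; the leaf itself is not resolved, which is the usual trade-off when the file does not exist yet.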

Fixed bug #79242 (COM error constants don’t match com_exception codes on x86)

All four available COM error constants actually have the value -1, what makes them indistinguishable, but more importantly makes them useless for checking com_exception codes; the latter can be seen when running 27974.phpt, which fails due to this mismatch.

<?php
var_dump(
    DISP_E_DIVBYZERO,
    DISP_E_OVERFLOW,
    DISP_E_BADINDEX,
    MK_E_UNAVAILABLE
);
?>

Expected result:

int(-2147352558)
int(-2147352566)
int(-2147352565)
int(-2147221021)

Actual result:

int(-1)
int(-1)
int(-1)
int(-1)

Fixed bug #79247 (Garbage collecting variant objects segfaults)

As of PHP 7.4.0, running the cyclic garbage collector on variant objects segfaults.

<?php
$keep = new variant(null);
var_dump(gc_collect_cycles());
?>

Expected result:

int(0)

Actual result:

php7_debug.dll!gc_mark_grey(_zend_refcounted * ref, _gc_stack * stack) Line 837 (c:\php-sdk\phpdev\vc15\x86\php-src-7.4\Zend\zend_gc.c:837)
php7_debug.dll!gc_mark_roots(_gc_stack * stack) Line 977 (c:\php-sdk\phpdev\vc15\x86\php-src-7.4\Zend\zend_gc.c:977)
php7_debug.dll!zend_gc_collect_cycles() Line 1452 (c:\php-sdk\phpdev\vc15\x86\php-src-7.4\Zend\zend_gc.c:1452)
php7_debug.dll!zif_gc_collect_cycles(_zend_execute_data * execute_data, _zval_struct * return_value) Line 375 (c:\php-sdk\phpdev\vc15\x86\php-src-7.4\Zend\zend_builtin_functions.c:375)
php7_debug.dll!ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER(_zend_execute_data * execute_data) Line 1314 (c:\php-sdk\phpdev\vc15\x86\php-src-7.4\Zend\zend_vm_execute.h:1314)
php7_debug.dll!execute_ex(_zend_execute_data * ex) Line 53611 (c:\php-sdk\phpdev\vc15\x86\php-src-7.4\Zend\zend_vm_execute.h:53611)
php7_debug.dll!zend_execute(_zend_op_array * op_array, _zval_struct * return_value) Line 57913 (c:\php-sdk\phpdev\vc15\x86\php-src-7.4\Zend\zend_vm_execute.h:57913)
php7_debug.dll!zend_execute_scripts(int type, _zval_struct * retval, int file_count, ...) Line 1665 (c:\php-sdk\phpdev\vc15\x86\php-src-7.4\Zend\zend.c:1665)
php7_debug.dll!php_execute_script(_zend_file_handle * primary_file) Line 2617 (c:\php-sdk\phpdev\vc15\x86\php-src-7.4\main\main.c:2617)
php.exe!do_cli(int argc, char * * argv) Line 961 (c:\php-sdk\phpdev\vc15\x86\php-src-7.4\sapi\cli\php_cli.c:961)
php.exe!main(int argc, char * * argv) Line 1356 (c:\php-sdk\phpdev\vc15\x86\php-src-7.4\sapi\cli\php_cli.c:1356)

Fixed bug #79248 (Traversing empty VT_ARRAY throws com_exception)

When an empty VT_ARRAY (i.e. a VT_ARRAY without any elements) is traversed via foreach, a com_exception (“index out of bounds”) is thrown, which does not match the usual semantics of traversing empty collections.

<?php
$v = new variant([], VT_ARRAY);
foreach ($v as $el) {
    var_dump($el);
}
echo "done\n";
?>

Expected result

done

Actual result

Fatal error: Uncaught com_exception: index out of bounds in C:\php-sdk\phpdev\vc15\x64\com.php:3
Stack trace:
#0 {main}
  thrown in C:\php-sdk\phpdev\vc15\x64\com.php on line 3

Fixed bug #79299 (com_print_typeinfo prints duplicate variables)

Fixed bug #79332 (php_istreams are never freed)

Whenever COMPersistHelper::LoadFromStream() and ::SaveToStream() are called, a php_istream is allocated but never freed.

<?php
$ph = new COMPersistHelper(null);
var_dump($ph->LoadFromStream(fopen(__FILE__, 'r')));
?>

Expected result

no memory leak

Actual result

memory leak

Fixed bug #79333 (com_print_typeinfo() leaks memory)

com_print_typeinfo() forgets to free the names of properties and methods, which can be seen, for instance, when running bug79299.phpt with a leak checker.

php run-tests.php ext/com_dotnet/tests/bug79299.phpt

Expected result

no memory leaks

Actual result

memory leaks

CURL:

Fixed bug #79019 (Copied cURL handles upload empty file).

Fixed bug #79013 (Content-Length missing when posting a curlFile with curl).

DOM:

Fixed bug #77569 (Write Access Violation in DomImplementation).

Fixed bug #79271 (DOMDocumentType::$childNodes is NULL).

Enchant:

Fixed bug #79311 (enchant_dict_suggest() fails on big endian architecture).

EXIF:

Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064).

Fileinfo:

Fixed bug #79283 (Segfault in libmagic patch contains a buffer overflow).

FPM:

Fixed bug #77653 (operator displayed instead of the real error message).

Fixed bug #79014 (PHP-FPM & Primary script unknown).

MBstring:

Fixed bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full) (CVE-2020-7065).

MySQLi:

Fixed bug #64032 (mysqli reports different client_version).

MySQLnd:

Implemented FR #79275 (Support auth_plugin_caching_sha2_password on Windows).

Opcache:

Fixed bug #79252 (preloading causes php-fpm to segfault during exit).

PCRE:

Fixed bug #79188 (Memory corruption in reg_replace/preg_replace_callback and unicode).

Fixed bug #79241 (Segmentation fault on preg_match()).

Fixed bug #79257 (Duplicate named groups (?J) prefer last alternative even if not matched).

PDO_ODBC:

Fixed bug #79038 (PDOStatement::nextRowset() leaks column values).

Reflection:

Fixed bug #79062 (Property with heredoc default value returns false for getDocComment).

SQLite3:

Fixed bug #79294 (::columnType() may fail after SQLite3Stmt::reset()).

Standard:

Fixed bug #79254 (getenv() w/o arguments not showing changes).

Fixed bug #79265 (Improper injection of Host header when using fopen for http requests).

Zip:

Fixed bug #79315 (ZipArchive::addFile doesn’t honor start/length parameters).
