From c8c9ff6d0490afff5d9693268eced5c49a3a6ab2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?=
Date: Fri, 23 Jan 2026 13:17:49 +0100
Subject: [PATCH 1/3] Add `ZEND_TYPE_ASSERT` to UPGRADING.INTERNALS (#21014)

Following php/php-src#20934 which introduced the OPcode.
---
 UPGRADING.INTERNALS | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/UPGRADING.INTERNALS b/UPGRADING.INTERNALS
index 1b041da5affed..f23a610b84992 100644
--- a/UPGRADING.INTERNALS
+++ b/UPGRADING.INTERNALS
@@ -88,6 +88,10 @@ PHP 8.6 INTERNALS UPGRADE NOTES
 4. OpCode changes
 ========================
+- Added ZEND_TYPE_ASSERT to check a value's type against the parameter
+ type of a function, throwing a TypeError on failure as if the function
+ was called. Used in optimizations that elide function calls.
+
 ========================
 5. SAPI changes
 ========================
From c2eadb4922979d0c9074a0f139bbb3a89b32898b Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Thu, 22 Jan 2026 22:16:02 +0100
Subject: [PATCH 2/3] Fix crash when in openssl_x509_parse() when i2s_ASN1_INTEGER() fails

The X509_NAME_oneline() function can return NULL, which will cause a crash when the string length is computed via add_assoc_string().
Closes GH-21011.
---
 NEWS | 2 ++
 ext/openssl/openssl.c | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/NEWS b/NEWS
index 89d5bc0f884ad..ecc0aaee31691 100644
--- a/NEWS
+++ b/NEWS
@@ -32,6 +32,8 @@ PHP NEWS
 - OpenSSL:
 . Fix memory leaks when sk_X509_new_null() fails. (ndossche)
+ . Fix crash when in openssl_x509_parse() when i2s_ASN1_INTEGER() fails.
+ (ndossche)
 - Phar:
 . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory).
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 2a502f20688cc..415974f2fa761 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -2166,6 +2166,12 @@ PHP_FUNCTION(openssl_x509_parse)
 }
 str_serial = i2s_ASN1_INTEGER(NULL, asn1_serial);
+ /* Can return NULL on error or memory allocation failure */
+ if (!str_serial) {
+ php_openssl_store_errors();
+ goto err;
+ }
+
 add_assoc_string(return_value, "serialNumber", str_serial);
 OPENSSL_free(str_serial);
From 62afc7a2fa93f2d8e8dc2c98fa25bfc56c7e0508 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Thu, 22 Jan 2026 22:09:40 +0100
Subject: [PATCH 3/3] Fix crash in openssl_x509_parse() when X509_NAME_oneline() fails

The X509_NAME_oneline() function can return NULL, which will cause a crash when the string length is computed via add_assoc_string().
Closes GH-21010.
---
 NEWS | 2 ++
 ext/openssl/openssl.c | 5 +++++
 2 files changed, 7 insertions(+)
diff --git a/NEWS b/NEWS
index ecc0aaee31691..e229b4aaec3c2 100644
--- a/NEWS
+++ b/NEWS
@@ -34,6 +34,8 @@ PHP NEWS
 . Fix memory leaks when sk_X509_new_null() fails. (ndossche)
 . Fix crash when in openssl_x509_parse() when i2s_ASN1_INTEGER() fails.
 (ndossche)
+ . Fix crash in openssl_x509_parse() when X509_NAME_oneline() fails.
+ (ndossche)
 - Phar:
 . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory).
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 415974f2fa761..12383ac8c2c80 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -2134,6 +2134,11 @@ PHP_FUNCTION(openssl_x509_parse)
 subject_name = X509_get_subject_name(cert);
 cert_name = X509_NAME_oneline(subject_name, NULL, 0);
+ if (cert_name == NULL) {
+ php_openssl_store_errors();
+ goto err;
+ }
+
 add_assoc_string(return_value, "name", cert_name);
 OPENSSL_free(cert_name);
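Review bot: The new `goto err` in the `if (!str_serial)` branch leaves the function before anything allocated earlier and still held at this point is released, unless the `err` label releases it. Neither the label nor the lines above the closing `}` are in the hunk, so this needs checking against the full function. If such a buffer exists, free it in the branch before the jump, e.g. `OPENSSL_free(<earlier_buffer>);` (placeholder name) ahead of `php_openssl_store_errors();`, so the fix does not trade a NULL dereference for a leak on a path that parses externally supplied certificates. Separately, the commit body names X509_NAME_oneline() while the title and code concern i2s_ASN1_INTEGER(), which reads like a leftover from the sibling patch.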
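Review bot: The `if (cert_name == NULL)` guard is written differently from the matching guard added for `str_serial` in the same function, which uses `if (!str_serial)` and carries a comment explaining why the call can fail. For consistency I would write `if (!cert_name) {` and put `/* Can return NULL on memory allocation failure */` above it, with the wording confirmed against the OpenSSL documentation for X509_NAME_oneline(). The `err` label this branch jumps to is outside the hunk, so whether the partially filled `return_value` is cleaned up there cannot be confirmed from here.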