diff --git a/php-7.4.30-svace.patch b/php-7.4.30-svace.patch
index 795aba3..23c9b96 100644
--- a/php-7.4.30-svace.patch
+++ b/php-7.4.30-svace.patch
@@ -1,107 +1,98 @@ -Return value of a function 'xmlNodeGetContent' is -dereferenced at entity.c:109 without checking for NULL, -but it is usually checked for this function (12/13). -diff -ur php-7.4.30/ext/dom/entity.c php-7.4.30_patched/ext/dom/entity.c ---- php-7.4.30/ext/dom/entity.c 2022-06-07 11:38:23.000000000 +0300 -+++ php-7.4.30_patched/ext/dom/entity.c 2023-10-05 16:03:18.936740216 +0300 -@@ -106,8 +106,14 @@ +diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c +index 33dfea0..057fe96 100644 +--- a/Zend/zend_builtin_functions.c ++++ b/Zend/zend_builtin_functions.c +@@ -1636,7 +1636,9 @@ ZEND_FUNCTION(set_error_handler) + zend_string *error_handler_name = zend_get_callable_name(error_handler); + zend_error(E_WARNING, "%s() expects the argument (%s) to be a valid callback", + get_active_function_name(), error_handler_name?ZSTR_VAL(error_handler_name):"unknown"); +- zend_string_release_ex(error_handler_name, 0); ++ if (error_handler_name) { ++ zend_string_release_ex(error_handler_name, 0); ++ } + return; + } + } +@@ -1703,7 +1705,9 @@ ZEND_FUNCTION(set_exception_handler) + zend_string *exception_handler_name = zend_get_callable_name(exception_handler); + zend_error(E_WARNING, "%s() expects the argument (%s) to be a valid callback", + get_active_function_name(), exception_handler_name?ZSTR_VAL(exception_handler_name):"unknown"); +- zend_string_release_ex(exception_handler_name, 0); ++ if (exception_handler_name) { ++ zend_string_release_ex(exception_handler_name, 0); ++ } + return; + } + } +diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c +index 2d52e4e..a1c1022 100644 +--- a/Zend/zend_exceptions.c ++++ b/Zend/zend_exceptions.c +@@ -1040,8 +1040,12 @@ ZEND_API ZEND_COLD void zend_exception_error(zend_object *ex, int severity) /* { + zend_error_va(severity, (file && ZSTR_LEN(file) > 0) ? 
ZSTR_VAL(file) : NULL, line, + "Uncaught %s\n thrown", ZSTR_VAL(str)); + +- zend_string_release_ex(str, 0); +- zend_string_release_ex(file, 0); ++ if (str) { ++ zend_string_release_ex(str, 0); ++ } ++ if (file) { ++ zend_string_release_ex(file, 0); ++ } + } else { + zend_error(severity, "Uncaught exception '%s'", ZSTR_VAL(ce_exception->name)); + } +diff --git a/Zend/zend_multibyte.c b/Zend/zend_multibyte.c +index 956ffbb..0c7c65e 100644 +--- a/Zend/zend_multibyte.c ++++ b/Zend/zend_multibyte.c +@@ -115,6 +115,9 @@ ZEND_API int zend_multibyte_set_functions(const zend_multibyte_functions *functi + */ + { + const char *value = zend_ini_string("zend.script_encoding", sizeof("zend.script_encoding") - 1, 0); ++ if (!value) { ++ return FAILURE; ++ } + zend_multibyte_set_script_encoding_by_string(value, strlen(value)); + } + return SUCCESS; +diff --git a/ext/dom/entity.c b/ext/dom/entity.c +index b412550..34b83ee 100644 +--- a/ext/dom/entity.c ++++ b/ext/dom/entity.c +@@ -106,6 +106,9 @@ int dom_entity_notation_name_read(dom_object *obj, zval *retval) ZVAL_NULL(retval); } else { content = (char *) xmlNodeGetContent((xmlNodePtr) nodep); -- ZVAL_STRING(retval, content); -- xmlFree(content); + if (!content) { + return FAILURE; + } -+ if (content != NULL && content[0] != '\0') { -+ ZVAL_STRING(retval, content); -+ xmlFree(content); -+ content = NULL; -+ } + ZVAL_STRING(retval, content); + xmlFree(content); } - - return SUCCESS; -After having been compared to a NULL value at -phar.c:2520, pointer 'error' is dereferenced at phar.c:2745. 
-diff -ur php-7.4.30/ext/phar/phar.c php-7.4.30_patched/ext/phar/phar.c ---- php-7.4.30/ext/phar/phar.c 2022-06-07 11:38:23.000000000 +0300 -+++ php-7.4.30_patched/ext/phar/phar.c 2023-10-05 15:24:55.453002457 +0300 -@@ -2742,9 +2742,11 @@ +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index ecab916..06bb697 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -2751,8 +2751,10 @@ int phar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int conv newentry = phar_open_jit(phar, entry, error); if (!newentry) { /* major problem re-opening, so we ignore this file and the error */ - efree(*error); - *error = NULL; -- continue; + if (error) { + efree(*error); + *error = NULL; -+ continue; + } + continue; } entry = newentry; - } -Pointer 'temp', that can have only NULL value (checked at -phar_object.c:3488), is dereferenced at phar_object.c:3488. -https://github.com/php/php-src/commit/7b2c3c11b2c9121421a81e416e893ce6114369d1 -diff -ur php-7.4.30/ext/phar/phar_object.c php-7.4.30_patched/ext/phar/phar_object.c ---- php-7.4.30/ext/phar/phar_object.c 2022-06-07 11:38:23.000000000 +0300 -+++ php-7.4.30_patched/ext/phar/phar_object.c 2023-10-05 20:30:46.577499264 +0300 -@@ -2654,16 +2654,14 @@ - zend_throw_exception_ex(phar_ce_PharException, 0, "phar \"%s\" is persistent, unable to copy on write", phar_obj->archive->fname); - return; - } -- if (zend_hash_str_exists(&phar_obj->archive->manifest, fname, (uint32_t) fname_len)) { -- if (NULL != (entry = zend_hash_str_find_ptr(&phar_obj->archive->manifest, fname, (uint32_t) fname_len))) { -- if (entry->is_deleted) { -- /* entry is deleted, but has not been flushed to disk yet */ -- RETURN_TRUE; -- } else { -- entry->is_deleted = 1; -- entry->is_modified = 1; -- phar_obj->archive->is_modified = 1; -- } -+ if (NULL != (entry = zend_hash_str_find_ptr(&phar_obj->archive->manifest, fname, (uint32_t) fname_len))) { -+ if (entry->is_deleted) { -+ /* entry is deleted, but has not been flushed to disk yet */ -+ 
RETURN_TRUE; -+ } else { -+ entry->is_deleted = 1; -+ entry->is_modified = 1; -+ phar_obj->archive->is_modified = 1; - } - } else { - zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Entry %s does not exist and cannot be deleted", fname); -@@ -3478,18 +3476,16 @@ - RETURN_FALSE; - } - -- if (!zend_hash_str_exists(&phar_obj->archive->manifest, oldfile, (uint32_t) oldfile_len) || NULL == (oldentry = zend_hash_str_find_ptr(&phar_obj->archive->manifest, oldfile, (uint32_t) oldfile_len)) || oldentry->is_deleted) { -+ if (NULL == (oldentry = zend_hash_str_find_ptr(&phar_obj->archive->manifest, oldfile, (uint32_t) oldfile_len)) || oldentry->is_deleted) { - zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0, - "file \"%s\" cannot be copied to file \"%s\", file does not exist in %s", oldfile, newfile, phar_obj->archive->fname); - RETURN_FALSE; - } - -- if (zend_hash_str_exists(&phar_obj->archive->manifest, newfile, (uint32_t) newfile_len)) { -- if (NULL != (temp = zend_hash_str_find_ptr(&phar_obj->archive->manifest, newfile, (uint32_t) newfile_len)) || !temp->is_deleted) { -- zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0, -- "file \"%s\" cannot be copied to file \"%s\", file must not already exist in phar %s", oldfile, newfile, phar_obj->archive->fname); -- RETURN_FALSE; -- } -+ if (NULL != (temp = zend_hash_str_find_ptr(&phar_obj->archive->manifest, newfile, (uint32_t) newfile_len)) && !temp->is_deleted) { -+ zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0, -+ "file \"%s\" cannot be copied to file \"%s\", file must not already exist in phar %s", oldfile, newfile, phar_obj->archive->fname); -+ RETURN_FALSE; - } - - tmp_len = newfile_len; -After having been compared to a NULL value at tar.c:888, -pointer 'buf->s' is dereferenced at tar.c:902. 
-diff -ur php-7.4.30/ext/phar/tar.c php-7.4.30_patched/ext/phar/tar.c ---- php-7.4.30/ext/phar/tar.c 2022-06-07 11:38:23.000000000 +0300 -+++ php-7.4.30_patched/ext/phar/tar.c 2023-10-05 15:21:28.122687349 +0300 -@@ -899,7 +899,7 @@ +diff --git a/ext/phar/tar.c b/ext/phar/tar.c +index 03e6dd4..52b5c5d 100644 +--- a/ext/phar/tar.c ++++ b/ext/phar/tar.c +@@ -899,7 +899,7 @@ int phar_tar_setmetadata(zval *metadata, phar_entry_info *entry, char **error) / spprintf(error, 0, "phar error: unable to create temporary file"); return -1; } 
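Review bot: In the `Zend/zend_exceptions.c` section the new `if (str)` guard comes after `ZSTR_VAL(str)` has already been passed to `zend_error_va()` in the call just above, so it cannot prevent a NULL dereference of `str`. If `str` can be NULL at this point, the check has to cover the use as well, for example `str ? ZSTR_VAL(str) : "unknown"` in the argument list, the same pattern the `set_error_handler` section uses for `error_handler_name`. If it cannot be NULL, the guard is dead code and only the `file` guard (which matches the existing `file && ZSTR_LEN(file) > 0` test) is needed. `zend_exception_error` starts and ends outside the hunk, so an earlier check on `str` may exist that is not visible here.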
@@ -110,47 +101,39 @@ diff -ur php-7.4.30/ext/phar/tar.c php-7.4.30_patched/ext/phar/tar.c spprintf(error, 0, "phar tar error: unable to write metadata to magic metadata file \"%s\"", entry->filename); zend_hash_str_del(&(entry->phar->manifest), entry->filename, entry->filename_len); return ZEND_HASH_APPLY_STOP; -After having been compared to a NULL value at -sqlite3.c:877, pointer 'agg_context' is dereferenced at -sqlite3.c:880. -diff -ur php-7.4.30/ext/sqlite3/sqlite3.c php-7.4.30_patched/ext/sqlite3/sqlite3.c ---- php-7.4.30/ext/sqlite3/sqlite3.c 2022-06-07 11:38:19.000000000 +0300 -+++ php-7.4.30_patched/ext/sqlite3/sqlite3.c 2023-10-05 15:17:22.836229909 +0300 -@@ -877,8 +877,10 @@ +diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c +index f4d8066..9386c05 100644 +--- a/ext/sqlite3/sqlite3.c ++++ b/ext/sqlite3/sqlite3.c +@@ -877,7 +877,9 @@ static int sqlite3_do_callback(struct php_sqlite3_fci *fc, zval *cb, int argc, s if (agg_context && !Z_ISUNDEF(agg_context->zval_context)) { zval_ptr_dtor(&agg_context->zval_context); } - ZVAL_COPY_VALUE(&agg_context->zval_context, &retval); -- ZVAL_UNDEF(&retval); + if (agg_context) { + ZVAL_COPY_VALUE(&agg_context->zval_context, &retval); -+ ZVAL_UNDEF(&retval); + } + ZVAL_UNDEF(&retval); } - - if (!Z_ISUNDEF(retval)) { -After having been compared to a NULL value at -filters.c:809, pointer 'inst->lbchars' is dereferenced at -filters.c:841. 
-diff -ur php-7.4.30/ext/standard/filters.c php-7.4.30_patched/ext/standard/filters.c ---- php-7.4.30/ext/standard/filters.c 2022-06-07 11:38:25.000000000 +0300 -+++ php-7.4.30_patched/ext/standard/filters.c 2023-10-05 15:20:01.716639804 +0300 -@@ -766,7 +766,7 @@ + +diff --git a/ext/standard/filters.c b/ext/standard/filters.c +index 018270c..6acce21 100644 +--- a/ext/standard/filters.c ++++ b/ext/standard/filters.c +@@ -766,7 +766,7 @@ static void php_conv_qprint_encode_dtor(php_conv_qprint_encode *inst) } #define NEXT_CHAR(ps, icnt, lb_ptr, lb_cnt, lbchars) \ - ((lb_ptr) < (lb_cnt) ? (lbchars)[(lb_ptr)] : *(ps)) -+ (((lb_ptr) < (lb_cnt)) && (lbchars) ? (lbchars)[(lb_ptr)] : *(ps)) ++ ((lb_ptr) < (lb_cnt) && (lbchars) ? (lbchars)[(lb_ptr)] : ((ps) ? *(ps) : '\0')) #define CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt) \ if ((lb_ptr) < (lb_cnt)) { \ -Return value of a function 'zend_hash_index_find' is -dereferenced at var.c:1073 without checking for NULL, but -it is usually checked for this function (64/66). -diff -ur php-7.4.30/ext/standard/var.c php-7.4.30_patched/ext/standard/var.c ---- php-7.4.30/ext/standard/var.c 2022-06-07 11:38:28.000000000 +0300 -+++ php-7.4.30_patched/ext/standard/var.c 2023-10-05 16:15:32.104092921 +0300 -@@ -1070,8 +1070,10 @@ +diff --git a/ext/standard/var.c b/ext/standard/var.c +index 37a68bb..ba68cf3 100644 +--- a/ext/standard/var.c ++++ b/ext/standard/var.c +@@ -1070,8 +1070,10 @@ again: /* Mark this value in the var_hash, to avoid creating references to it. */ zval *var_idx = zend_hash_index_find(&var_hash->ht, (zend_ulong) (zend_uintptr_t) Z_COUNTED_P(struc)); 
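Review bot: In the `ext/sqlite3/sqlite3.c` section `ZVAL_UNDEF(&retval)` now sits outside the new `if (agg_context)` guard, so on the NULL path `retval` is marked undefined without its value having been copied or destroyed. The previous revision of this patch kept it inside the guard, which left `retval` to the `if (!Z_ISUNDEF(retval))` block shown in that revision's context (presumably the cleanup path); I would restore that: `if (agg_context) { ZVAL_COPY_VALUE(&agg_context->zval_context, &retval); ZVAL_UNDEF(&retval); }`. Separately, the rewritten `NEXT_CHAR` in `ext/standard/filters.c` reads from `ps` when `lbchars` is NULL and yields `'\0'` when `ps` is NULL, while `CONSUME_CHAR` still advances on `(lb_ptr) < (lb_cnt)` alone, so the two macros can disagree about which source was consumed; a comment stating the intended invariant would help. `sqlite3_do_callback` continues outside the hunk.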
@@ -163,26 +146,11 @@ diff -ur php-7.4.30/ext/standard/var.c php-7.4.30_patched/ext/standard/var.c } if (serialized_data) { efree(serialized_data); -Missing break at the end of case at line 884 -diff -ur php-7.4.30/main/streams/plain_wrapper.c php-7.4.30_patched/main/streams/plain_wrapper.c ---- php-7.4.30/main/streams/plain_wrapper.c 2022-06-07 11:38:19.000000000 +0300 -+++ php-7.4.30_patched/main/streams/plain_wrapper.c 2023-10-05 16:18:15.475383413 +0300 -@@ -925,6 +925,7 @@ - #endif - } - } -+ return PHP_STREAM_OPTION_RETURN_NOTIMPL; - - #ifdef PHP_WIN32 - case PHP_STREAM_OPTION_PIPE_BLOCKING: -Pointer '&(*path)[strlen(...)]' is dereferenced at fpm_ -conf.c:724 by calling function 'strdup' after the referenced -memory was deallocated at fpm_conf.c:723 by calling -function 'free'. -diff -ur php-7.4.30/sapi/fpm/fpm/fpm_conf.c php-7.4.30_patched/sapi/fpm/fpm/fpm_conf.c ---- php-7.4.30/sapi/fpm/fpm/fpm_conf.c 2022-06-07 11:38:19.000000000 +0300 -+++ php-7.4.30_patched/sapi/fpm/fpm/fpm_conf.c 2023-10-05 15:12:07.548354240 +0300 -@@ -720,8 +720,8 @@ +diff --git a/sapi/fpm/fpm/fpm_conf.c b/sapi/fpm/fpm/fpm_conf.c +index 7a05286..378c585 100644 +--- a/sapi/fpm/fpm/fpm_conf.c ++++ b/sapi/fpm/fpm/fpm_conf.c +@@ -720,8 +720,8 @@ static int fpm_evaluate_full_path(char **path, struct fpm_worker_pool_s *wp, cha } if (strlen(*path) > strlen("$prefix")) { 
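Review bot: The Svace finding text that introduced each file section is removed here (`Missing break at the end of case at line 884`, and the description of `strdup` being called on `*path` after `free` at `fpm_conf.c:723`) and nothing replaces it, so the patch no longer records which analyzer warning each change answers. The same happens in the other hunks of this commit, including the upstream reference `https://github.com/php/php-src/commit/7b2c3c11b2c9121421a81e416e893ce6114369d1` that accompanied the `phar_object.c` change. I would keep a one-line rationale ahead of each `diff --git` header, for example before the `fpm_conf.c` section: `Use after free: *path is passed to strdup() after free() in fpm_evaluate_full_path.`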
@@ -192,15 +160,11 @@ diff -ur php-7.4.30/sapi/fpm/fpm/fpm_conf.c php-7.4.30_patched/sapi/fpm/fpm/fpm_ *path = tmp; } else { free(*path); -Uninitialized data is read from local variable 'append' at -zlog.c:403. -Pointer 'stream->msg_suffix' is passed to a function at -zlog.c:647 after the referenced memory was deallocated at -zlog.c:642 by calling function 'free'. -diff -ur php-7.4.30/sapi/fpm/fpm/zlog.c php-7.4.30_patched/sapi/fpm/fpm/zlog.c ---- php-7.4.30/sapi/fpm/fpm/zlog.c 2022-06-07 11:38:19.000000000 +0300 -+++ php-7.4.30_patched/sapi/fpm/fpm/zlog.c 2023-10-05 16:25:22.197680894 +0300 -@@ -348,7 +348,7 @@ +diff --git a/sapi/fpm/fpm/zlog.c b/sapi/fpm/fpm/zlog.c +index 4808447..849370c 100644 +--- a/sapi/fpm/fpm/zlog.c ++++ b/sapi/fpm/fpm/zlog.c +@@ -348,7 +348,7 @@ static ssize_t zlog_stream_direct_write( static inline ssize_t zlog_stream_unbuffered_write( struct zlog_stream *stream, const char *buf, size_t len) /* {{{ */ { @@ -209,7 +173,7 @@ diff -ur php-7.4.30/sapi/fpm/fpm/zlog.c php-7.4.30_patched/sapi/fpm/fpm/zlog.c size_t append_len = 0, required_len, reserved_len; ssize_t written; -@@ -637,10 +637,10 @@ +@@ -637,10 +637,10 @@ zlog_bool zlog_stream_set_msg_suffix( if (suffix != NULL) { stream->msg_suffix_len = strlen(suffix); len = stream->msg_suffix_len + 1; 
@@ -221,29 +185,20 @@ diff -ur php-7.4.30/sapi/fpm/fpm/zlog.c php-7.4.30_patched/sapi/fpm/fpm/zlog.c if (stream->msg_suffix == NULL) { return ZLOG_FALSE; } -@@ -650,10 +650,10 @@ - if (final_suffix != NULL) { - stream->msg_final_suffix_len = strlen(final_suffix); +@@ -652,7 +652,7 @@ zlog_bool zlog_stream_set_msg_suffix( len = stream->msg_final_suffix_len + 1; -- stream->msg_final_suffix = malloc(len); + stream->msg_final_suffix = malloc(len); if (stream->msg_final_suffix != NULL) { - free(stream->msg_suffix); + free(stream->msg_final_suffix); } -+ stream->msg_final_suffix = malloc(len); if (stream->msg_final_suffix == NULL) { return ZLOG_FALSE; - } -Return value of a function 'zend_hash_find_ptr' is -dereferenced at phpdbg_prompt.c:554 without checking for -NULL, but it is usually checked for this function (127/128). -Pointer 'module_entry', that can have only NULL value -(checked at phpdbg_prompt.c:1351), is dereferenced at -phpdbg_prompt.c:1352. -diff -ur php-7.4.30/sapi/phpdbg/phpdbg_prompt.c php-7.4.30_patched/sapi/phpdbg/phpdbg_prompt.c ---- php-7.4.30/sapi/phpdbg/phpdbg_prompt.c 2022-06-07 11:38:19.000000000 +0300 -+++ php-7.4.30_patched/sapi/phpdbg/phpdbg_prompt.c 2023-10-05 16:14:28.246542871 +0300 -@@ -544,6 +544,9 @@ +diff --git a/sapi/phpdbg/phpdbg_prompt.c b/sapi/phpdbg/phpdbg_prompt.c +index 6b0de5c..0764789 100644 +--- a/sapi/phpdbg/phpdbg_prompt.c ++++ b/sapi/phpdbg/phpdbg_prompt.c +@@ -544,6 +544,9 @@ int phpdbg_compile_stdin(zend_string *code) { /* remove trailing data after zero byte, used for avoiding conflicts in eval()'ed code snippets */ zend_string *source_path = strpprintf(0, "Standard input code%c%p", 0, PHPDBG_G(ops)->opcodes); phpdbg_file_source *data = zend_hash_find_ptr(&PHPDBG_G(file_sources), source_path); 
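Review bot: In the `final_suffix` part of the `zlog_stream_set_msg_suffix` section, `stream->msg_final_suffix = malloc(len);` is now kept ahead of the `!= NULL` check, so the block frees the buffer it has just allocated and leaves `stream->msg_final_suffix` dangling; the `== NULL` test that follows then passes on a freed pointer. The previous buffer is also leaked, because the pointer is overwritten before anything is freed. The earlier revision of the patch had the ordering right and only the field name wrong; combining the two gives `if (stream->msg_final_suffix != NULL) { free(stream->msg_final_suffix); }` followed by `stream->msg_final_suffix = malloc(len);`. The function body continues outside the hunk, so the later write into the buffer is not visible here.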
@@ -253,78 +208,45 @@ diff -ur php-7.4.30/sapi/phpdbg/phpdbg_prompt.c php-7.4.30_patched/sapi/phpdbg/p dtor_func_t dtor = PHPDBG_G(file_sources).pDestructor; PHPDBG_G(file_sources).pDestructor = NULL; zend_hash_del(&PHPDBG_G(file_sources), source_path); -@@ -1349,7 +1352,7 @@ +@@ -1349,7 +1352,7 @@ PHPDBG_API const char *phpdbg_load_module_or_extension(char **path, char **name) module_entry->handle = handle; if ((module_entry = zend_register_module_ex(module_entry)) == NULL) { - phpdbg_error("dl", "type=\"registerfailure\" module=\"%s\"", "Unable to register module %s", module_entry->name); -+ phpdbg_error("dl", "type=\"registerfailure\" module=\"%s\"", "Unable to register module %s", "Unkonown module"); ++ phpdbg_error("dl", "type=\"registerfailure\" module=\"%s\"", "Unable to register module %s", "Unknown module"); goto quit; } -After having been compared to a NULL value at zend_ -builtin_functions.c:1638, pointer 'error_handler_name' is -passed as 1st parameter in call to function 'zend_string_ -release_ex' at zend_builtin_functions.c:1639, where it is -dereferenced at zend_string.h:291. 
-diff -ur php-7.4.30/Zend/zend_builtin_functions.c php-7.4.30_patched/Zend/zend_builtin_functions.c ---- php-7.4.30/Zend/zend_builtin_functions.c 2022-06-07 11:38:30.000000000 +0300 -+++ php-7.4.30_patched/Zend/zend_builtin_functions.c 2023-10-05 15:44:19.299611397 +0300 -@@ -1636,7 +1636,9 @@ - zend_string *error_handler_name = zend_get_callable_name(error_handler); - zend_error(E_WARNING, "%s() expects the argument (%s) to be a valid callback", - get_active_function_name(), error_handler_name?ZSTR_VAL(error_handler_name):"unknown"); -- zend_string_release_ex(error_handler_name, 0); -+ if (error_handler_name != NULL) { -+ zend_string_release_ex(error_handler_name, 0); -+ } - return; - } - } -@@ -1703,7 +1705,10 @@ - zend_string *exception_handler_name = zend_get_callable_name(exception_handler); - zend_error(E_WARNING, "%s() expects the argument (%s) to be a valid callback", - get_active_function_name(), exception_handler_name?ZSTR_VAL(exception_handler_name):"unknown"); -- zend_string_release_ex(exception_handler_name, 0); -+ if (exception_handler_name != NULL) { -+ zend_string_release_ex(exception_handler_name, 0); -+ exception_handler_name = NULL; -+ } - return; - } - } -After having been compared to a NULL value at zend_ -exceptions.c:1040, pointer 'file' is passed as 1st parameter -in call to function 'zend_string_release_ex' at zend_ -exceptions.c:1044, where it is dereferenced at zend_ -string.h:291. 
-diff -ur php-7.4.30/Zend/zend_exceptions.c php-7.4.30_patched/Zend/zend_exceptions.c ---- php-7.4.30/Zend/zend_exceptions.c 2022-06-07 11:38:30.000000000 +0300 -+++ php-7.4.30_patched/Zend/zend_exceptions.c 2023-10-05 15:40:16.354123300 +0300 -@@ -1041,7 +1041,9 @@ - "Uncaught %s\n thrown", ZSTR_VAL(str)); +diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c +index 4d10e68..1acfec6 100644 +--- a/main/streams/plain_wrapper.c ++++ b/main/streams/plain_wrapper.c +@@ -926,6 +926,7 @@ static int php_stdiop_set_option(php_stream *stream, int option, int value, void + } + } - zend_string_release_ex(str, 0); -- zend_string_release_ex(file, 0); -+ if (file != NULL) { -+ zend_string_release_ex(file, 0); -+ } - } else { - zend_error(severity, "Uncaught exception '%s'", ZSTR_VAL(ce_exception->name)); ++ return PHP_STREAM_OPTION_RETURN_NOTIMPL; + #ifdef PHP_WIN32 + case PHP_STREAM_OPTION_PIPE_BLOCKING: + data->is_pipe_blocking = value; +diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c +index b0de6e4..5e3adec 100644 +--- a/ext/phar/phar_object.c ++++ b/ext/phar/phar_object.c +@@ -3484,12 +3484,10 @@ PHP_METHOD(Phar, copy) + RETURN_FALSE; } -Return value of a function 'zend_ini_string' is dereferenced -at zend_multibyte.c:118 without checking for NULL, but it -is usually checked for this function (6/7). 
-diff -ur php-7.4.30/Zend/zend_multibyte.c php-7.4.30_patched/Zend/zend_multibyte.c ---- php-7.4.30/Zend/zend_multibyte.c 2022-06-07 11:38:30.000000000 +0300 -+++ php-7.4.30_patched/Zend/zend_multibyte.c 2023-10-05 16:07:52.618526000 +0300 -@@ -115,6 +115,9 @@ - */ - { - const char *value = zend_ini_string("zend.script_encoding", sizeof("zend.script_encoding") - 1, 0); -+ if (!value) { -+ return FAILURE; -+ } - zend_multibyte_set_script_encoding_by_string(value, strlen(value)); + +- if (zend_hash_str_exists(&phar_obj->archive->manifest, newfile, (uint32_t) newfile_len)) { +- if (NULL != (temp = zend_hash_str_find_ptr(&phar_obj->archive->manifest, newfile, (uint32_t) newfile_len)) || !temp->is_deleted) { +- zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0, +- "file \"%s\" cannot be copied to file \"%s\", file must not already exist in phar %s", oldfile, newfile, phar_obj->archive->fname); +- RETURN_FALSE; +- } ++ if (!zend_hash_str_exists(&phar_obj->archive->manifest, oldfile, (uint32_t) oldfile_len) || NULL == (oldentry = zend_hash_str_find_ptr(&phar_obj->archive->manifest, oldfile, (uint32_t) oldfile_len)) || oldentry->is_deleted) { ++ zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0, ++ "file \"%s\" cannot be copied to file \"%s\", file must not already exist in phar %s", oldfile, newfile, phar_obj->archive->fname); ++ RETURN_FALSE; } - return SUCCESS; + + tmp_len = newfile_len;
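Review bot: The replacement condition in the `PHP_METHOD(Phar, copy)` section tests `oldfile`/`oldentry` again instead of `newfile`/`temp`, so the check that the destination entry does not already exist is gone while its message (`file must not already exist in phar %s`) is kept. As written, copying onto a live existing entry is no longer rejected at this point, and the new condition appears to duplicate the source check that ends just above it. The earlier revision of this patch had the intended form: `if (NULL != (temp = zend_hash_str_find_ptr(&phar_obj->archive->manifest, newfile, (uint32_t) newfile_len)) && !temp->is_deleted) {`. The method body continues outside the hunk, so any later use of `temp` is not visible here.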