SUSE-SU-2026:0086-1

This update for php8 fixes the following issues:

Security fixes:

• CVE-2025-14177: getimagesize() function may leak uninitialized heap memory into the APPn segments when reading images in multi-chunk mode (bsc#1255710).
• CVE-2025-14178: heap buffer overflow occurs in arraymerge() when the total element count of packed arrays exceeds 32-bit limits or HTMAX_SIZE (bsc#1255711).
• CVE-2025-14180: null pointer dereference in pdoparseparams() function when using the PDO PostgreSQL driver with PDO::ATTREMULATEPREPARES enabled (bsc#1255712).

Other fixes:

Version 8.3.29 Core: Sync all boost.context files with release 1.86.0. Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). Fixed bug GH-20286 (use-after-destroy during userland streamclose()). Bz2: Fix assertion failures resulting in crashes with stream filter object parameters. Date: Fix crashes when trying to instantiate uninstantiable classes via date static constructors. DOM: Fix missing NUL byte check on C14NFile(). Fibers: Fixed bug GH-20483 (ASAN stack overflow with fiber.stacksize INI small value). FTP: Fixed bug GH-20601 (ftpconnect overflow on timeout). GD: Fixed bug GH-20511 (imagegammacorrect out of range input/output values). Fixed bug GH-20602 (imagescale overflow with large height values). Intl: Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). LibXML: Fix some deprecations on newer libxml versions regarding input buffer/parser handling. MbString: Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). Fixed bug GH-20492 (mbstring compile warning due to non-strings). MySQLnd: Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). Opcache: Fixed bug GH-20329 (opcache.filecache broken with full interned string buffer). PDO: Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) Phar: Fixed bug GH-20442 (Phar does not respect case-insensitiveness of haltcompiler() when reading stub). Fix broken return value of fflush() for phar file entries. Fix assertion failure when fseeking a phar file out of bounds. PHPDBG: Fixed ZPP type violation in phpdbggetexecutable() and phpdbgendoplog(). SPL: Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). Standard: Fix memory leak in arraydiff() with custom type checks. Fixed bug GH-20583 (Stack overflow in httpbuildquery via deep structures). Fixed GHSA-www2-q4fc-65wf (Null byte termination in dnsgetrecord()). Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in arraymerge()). (CVE-2025-14178) Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) Tidy: Fixed bug GH-20374 (PHP with tidy and custom-tags). XML: Fixed bug GH-20439 (xmlsetdefaulthandler() does not properly handle special characters in attributes when passing data to callback). Zip: Fix crash in property existence test. Don't truncate return value of zipfread() with user sizes. Zlib: Fix assertion failures resulting in crashes with stream filter object parameters. Version 8.3.28 Core: Fixed bug GH-19934 (CGI with autoglobalsjit=0 causes uouv). Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference). Fixed bug GH-19844 (Don't bail when closing resources on shutdown). Fixed bug GH-20177 (Accessing overridden private property in getobjectvars() triggers assertion error). Fixed bug GH-20183 (Stale EG(oplinebeforeexception) pointer through eval). DOM: Partially fixed bug GH-16317 (DOM classes do not allow _debugInfo() overrides to work). Exif: Fix possible memory leak when tag is empty. FPM: Fixed bug GH-19974 (fpmstatusexporttozval segfault for parallel execution). FTP: Fixed bug GH-20240 (FTP with SSL: ftpfput(): Connection timed out on successful writes). GD: Fixed bug GH-20070 (Return type violation in imagefilter when an invalid filter is provided). Intl: Fix memory leak on error in localefiltermatches(). LibXML: Fix not thread safe schema/relaxng calls. MySQLnd: Fixed bug GH-8978 (SSL certificate verification fails (port doubled)). Fixed bug GH-20122 (getColumnMeta() for JSON-column in MySQL). Opcache: Fixed bug GH-20081 (access to uninitialized vars in preloadload()). Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15). PgSql: Fix memory leak when first string conversion fails. Fix segfaults when attempting to fetch row into a non-instantiable class name. Phar: Fix memory leak of argument in webPhar. Fix memory leak when setAlias() fails. Fix a bunch of memory leaks in pharparsezipfile() error handling. Fix file descriptor/memory leak when opening central fp fails. Fix memleak+UAF when opening temp stream in buildFromDirectory() fails. Fix potential buffer length truncation due to usage of type int instead of type sizet. Fix memory leak when openssl polyfill returns garbage. Fix file descriptor leak in pharzipflush() on failure. Fix memory leak when opening temp file fails while trying to open gzip-compressed archive. Fixed bug GH-20302 (Freeing a phar alias may invalidate PharFileInfo objects). Random: Fix Randomizer::serialize() w.r.t. INDIRECTs. SimpleXML: Partially fixed bug GH-16317 (SimpleXML does not allow _debugInfo() overrides to work). Standard: Fix shm corruption with coercion in options of unserialize(). Streams: Fixed bug GH-19798: XPSOCKET XPSSL (Socket stream modules): Incorrect condition for Win32/Win64. Tidy: Fixed GH-19021 (improved tidyOptGetCategory detection). Fix UAF in tidy when tidySetErrorBuffer() fails. XMLReader: Fix arginfo/zpp violations when LIBXMLSCHEMASENABLED is not available. Windows: Fix GH-19722 (getosfhandle asserts in debug mode when given a socket). Zip: Fix memory leak when passing encmethod/encpassword is passed as option for ZipArchive::addGlob()/addPattern() and with consecutive calls. Version 8.3.27 Core: Fixed bug GH-19765 (objectpropertiesload() bypasses readonly property checks). Fixed hardtimeout with --enable-zend-max-execution-timers. Fixed bug GH-19792 (SCCP causes UAF for return value if both warning and exception are triggered). Fixed bug GH-19653 (Closure named argument unpacking between temporary closures can cause a crash). Fixed bug GH-19839 (Incorrect HASHFLAGHASEMPTYIND flag on userland array). Fixed bug GH-19480 (errorlog php.ini cannot be unset when openbasedir is configured). Fixed bug GH-20002 (Broken build on *BSD with MSAN). CLI: Fix useless 'Failed to poll event' error logs due to EAGAIN in CLI server with PHPCLISERVERWORKERS. Curl: Fix cloning of CURLOPTPOSTFIELDS when using the clone operator instead of the curlcopyhandle() function to clone a CurlHandle. Fix curl build and test failures with version 8.16. Date: Fixed GH-17159: 'P' format for ::createFromFormat swallows string literals. DBA: Fixed GH-19885 (dbafetch() overflow on skip argument). GD: Fixed GH-19955 (imagefttext() memory leak). MySQLnd: Fixed bug #67563 (mysqli compiled with mysqlnd does not take ipv6 adress as parameter). Phar: Fix memory leak and invalid continuation after tar header writing fails. Fix memory leaks when creating temp file fails when applying zip signature. SimpleXML: Fixed bug GH-19988 (zendstringinit with NULL pointer in simplexml (UB)). Soap: Fixed bug GH-19784 (SoapServer memory leak). Fixed bug GH-20011 (Array of SoapVar of unknown type causes crash). Standard: Fixed bug GH-12265 (Cloning an object breaks serialization recursion). Fixed bug GH-19701 (Serialize/deserialize loses some data). Fixed bug GH-19801 (leaks in vardump() and debugzvaldump()). Fixed bug GH-20043 (arrayunique assertion failure with RC1 array causing an exception on sort). Fixed bug GH-19926 (reset internal pointer earlier while splicing array while COW violation flag is still set). Fixed bug GH-19570 (unable to fseek in /dev/zero and /dev/null). Streams: Fixed bug GH-19248 (Use strerrorr instead of strerror in main). Fixed bug GH-17345 (Bug #35916 was not completely fixed). Fixed bug GH-19705 (segmentation when attempting to flush on non seekable stream. XMLReader: Fixed bug GH-20009 (XMLReader leak on RelaxNG schema failure). Zip: Fixed bug GH-19688 (Remove pattern overflow in zip addGlob()). Fixed bug GH-19932 (Memory leak in zip setEncryptionName()/setEncryptionIndex()). Zlib: Fixed bug GH-19922 (Double free on gzopen). Version 8.3.26 Core: Fixed bug GH-18850 (Repeated inclusion of file with _haltcompiler() triggers 'Constant already defined' warning). Partially fixed bug GH-19542 (Scanning of string literals >=2GB will fail due to signed int overflow). Fixed bug GH-19544 (GC treats ZENDWEAKREFTAGMAP references as WeakMap references). Fixed bug GH-19613 (Stale array iterator pointer). Fixed bug GH-19679 (zendssarangewidening may fail to converge). Fixed bug GH-19681 (PHPEXPANDPATH broken with bash 5.3.0). Fixed bug GH-19720 (Assertion failure when error handler throws when accessing a deprecated constant). CLI: Fixed bug GH-19461 (Improve error message on listening error with IPv6 address). Date: Fixed datesunrise() and datesunset() with partial-hour UTC offset. DOM: Fixed bug GH-19612 (Mitigate libxml2 tree dictionary bug). FPM: Fixed failed debug assertion when phpadminvalue setting fails. GD: Fixed bug GH-19579 (imagefilledellipse underflow on width argument). Intl: Fixed bug GH-11952 (Fix locale strings canonicalization for IntlDateFormatter and NumberFormatter). OpenSSL: Fixed bug GH-19245 (Success error message on TLS stream accept failure). PGSQL: Fixed bug GH-19485 (potential use after free when using persistent pgsql connections). Phar: Fixed memory leaks when verifying OpenSSL signature. Fix memory leak in phar tar temporary file error handling code. Fix metadata leak when phar convert logic fails. Fix memory leak on failure in pharconverttoother(). Fixed bug GH-19752 (Phar decompression with invalid extension can cause UAF). Standard: Fixed bug GH-16649 (UAF during arraysplice). Fixed bug GH-19577 (Avoid integer overflow when using a small offset and PHPINTMAX with LimitIterator). Streams: Remove incorrect call to zvalptrdtor() in userwrappermetadata(). Fix OSS-Fuzz #385993744. Tidy: Fixed GH-19021 build issue with libtidy in regard of tidyOptIsReadonly deprecation and TidyInternalCategory being available later than tidyOptGetCategory. Zip: Fix memory leak in zip when encountering empty glob result. Version 8.3.25 Core: Fixed GH-19169 build issue with C++17 and ZENDSTATICASSERT macro. Fixed bug GH-18581 (Coerce numeric string keys from iterators when argument unpacking). Fixed OSS-Fuzz #434346548 (Failed assertion with throwing _toString in binary const expr). Fixed bug GH-19305 (Operands may be being released during comparison). Fixed bug GH-19303 (Unpacking empty packed array into uninitialized array causes assertion failure). Fixed bug GH-19306 (Generator can be resumed while fetching next value from delegated Generator). Fixed bug GH-19326 (Calling Generator::throw() on a running generator with a non-Generator delegate crashes). Fixed bug GH-18736 (Circumvented type check with return by ref + finally). Fixed zend call stack size for macOs/arm64. Fixed bug GH-19065 (Long match statement can segfault compiler during recursive SSA renaming). Calendar: Fixed bug GH-19371 (integer overflow in calendar.c). FTP: Fix theoretical issues with hrtime() not being available. GD: Fix incorrect comparison with result of phpstreamcancast(). Hash: Fix crash on clone failure. Intl: Fixed GH-19261: msgfmtparsemessage leaks on message creation failure. Fix return value on failure for resourcebundle count handler. LDAP: Fixed bug GH-18529 (additional inheriting of TLS int options). LibXML: Fixed bug GH-19098 (libxml<2.13 segmentation fault caused by phplibxmlnodefree). MbString: Fixed bug GH-19397 (mblistencodings() can cause crashes on shutdown). Opcache: Reset global pointers to prevent use-after-free in zendjitstatus(). OpenSSL: Fixed bug GH-18986 (OpenSSL backend: incorrect RAND{load,write}file() return value check). Fix error return check of EVPCIPHERCTXctrl(). Fixed bug GH-19428 (opensslpkeyderive segfaults for DH derive with low keylength param). PDO Pgsql: Fixed dangling pointer access on pdopgsqltrimmessage helper. Readline: Fixed bug GH-19250 and bug #51360 (Invalid conftest for rlpendinginput). SOAP: Fixed bug GH-18640 (heap-use-after-free ext/soap/phpencoding.c:299:32 in soapcheckzvalref). Sockets: Fix some potential crashes on incorrect argument value. Standard: Fixed OSS Fuzz #433303828 (Leak in failed unserialize() with opcache). Fix theoretical issues with hrtime() not being available. Fixed bug GH-19300 (Nested arraymultisort invocation with error breaks). Windows: Free openedpath when openedpathlen >= MAXPATHLEN. Version 8.3.24 Calendar: Fixed jewishtojd overflow on year argument. Core: Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction order). Fix OSS-Fuzz #427814456. Fix OSS-Fuzz #428983568 and #428760800. Fixed bug GH-17204 -Wuseless-escape warnings emitted by re2c. Curl: Fix memory leaks when returning refcounted value from curl callback. Remove incorrect string release. LDAP: Fixed GH-18902 ldapexop/ldapexopsync assert triggered on empty request OID. MbString: Fixed bug GH-18901 (integer overflow mbsplit). OCI8: Fixed bug GH-18873 (OCIRETURNLOBS flag causes oci8 to leak memory). Opcache: Fixed bug GH-18639 (Internal class aliases can break preloading + JIT). Fixed bug GH-14082 (Segmentation fault on unknown address 0x600000000018 in ext/opcache/jit/zendjit.c). OpenSSL: Fixed bug #80770 (It is not possible to get client peer certificate with streamsocketserver). PCNTL: Fixed bug GH-18958 (Fatal error during shutdown after pcntlrfork() or pcntlforkx() with zend-max-execution-timers). Phar: Fix stream double free in phar. Fix phar crash and file corruption with SplFileObject. SOAP: Fixed bug GH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing on object destruction). Fix memory leak when URL parsing fails in redirect. SPL: Fixed bug GH-19094 (Attaching class with no Iterator implementation to MultipleIterator causes crash). Standard: Fix misleading errors in printf(). Fix RCN violations in array functions. Fixed GH-18976 pack() overflow with h/H format and INTMAX repeater value. Streams: Fixed GH-13264 (fgets() and streamgetline() do not return false on filter fatal error). Zip: Fix leak when path is too long in ZipArchive::extractTo().