ZendPHP September 2025 Releases

Community Changes

PHP Version 8.4.13 Changes

  • Core

    • Fixed bug GH-18850: Repeated inclusion of file with __halt_compiler() triggers "Constant already defined" warning.
    • Partially fixed bug GH-19542: Scanning of string literals >=2GB will fail due to signed int overflow.
    • Fixed bug GH-19544: GC treats ZEND_WEAKREF_TAG_MAP references as WeakMap references.
    • Fixed bug GH-19613: Stale array iterator pointer.
    • Fixed bug GH-19679: zend_ssa_range_widening may fail to converge.
    • Fixed bug GH-19681: PHP_EXPAND_PATH broken with bash 5.3.0.
    • Fixed bug GH-19720: Assertion failure when error handler throws when accessing a deprecated constant.

  • CLI

    • Fixed bug GH-19461: Improve error message on listening error with IPv6 address.

  • Date

    • Fixed date_sunrise() and date_sunset() with partial-hour UTC offset.

  • DBA

    • Fixed bug GH-19706: dba stream resource mismanagement.

  • DOM

    • Fixed bug GH-19612: Mitigate libxml2 tree dictionary bug.

  • FPM

    • Fixed failed debug assertion when php_admin_value setting fails.

  • Intl

    • Fixed bug GH-11952: Fix locale strings canonicalization for IntlDateFormatter and NumberFormatter.

  • Opcache

    • Fixed bug GH-19493: JIT variable not stored before YIELD.

  • OpenSSL

    • Fixed bug GH-19245: Success error message on TLS stream accept failure.

  • PGSQL

    • Fixed bug GH-19485: potential use after free when using persistent pgsql connections.

  • Phar

    • Fixed memory leaks when verifying OpenSSL signature.
    • Fix memory leak in phar tar temporary file error handling code.
    • Fix metadata leak when phar convert logic fails.
    • Fix memory leak on failure in phar_convert_to_other().
    • Fixed bug GH-19752: Phar decompression with invalid extension can cause UAF.

  • Standard

    • Fixed bug GH-16649: UAF during array_splice.
    • Fixed bug GH-19577: Avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator.

  • Streams

    • Remove incorrect call to zval_ptr_dtor() in user_wrapper_metadata().
    • Fix OSS-Fuzz #385993744.

  • Zip

    • Fix memory leak in zip when encountering empty glob result.

PHP Version 8.3.25 Changes

  • Core

    • Fixed GH-19169 build issue with C++17 and ZEND_STATIC_ASSERT macro.
    • Fixed bug GH-18581: Coerce numeric string keys from iterators when argument unpacking.
    • Fixed OSS-Fuzz #434346548: Failed assertion with throwing __toString in binary const expr.
    • Fixed bug GH-19305: Operands may be being released during comparison.
    • Fixed bug GH-19303: Unpacking empty packed array into uninitialized array causes assertion failure.
    • Fixed bug GH-19306: Generator can be resumed while fetching next value from delegated Generator.
    • Fixed bug GH-19326: Calling Generator::throw() on a running generator with a non-Generator delegate crashes.
    • Fixed bug GH-18736: Circumvented type check with return by ref + finally.
    • Fixed zend call stack size for macOs/arm64.
    • Fixed bug GH-19065: Long match statement can segfault compiler during recursive SSA renaming.

  • Calendar

    • Fixed bug GH-19371: integer overflow in calendar.c.

  • FTP

    • Fix theoretical issues with hrtime() not being available.

  • GD

    • Fix incorrect comparison with result of php_stream_can_cast().

  • Hash

    • Fix crash on clone failure.

  • Intl

    • Fixed GH-19261: msgfmt_parse_message leaks on message creation failure.
    • Fix return value on failure for resourcebundle count handler.

  • LDAP

    • Fixed bug GH-18529: additional inheriting of TLS int options.

  • LibXML

    • Fixed bug GH-19098: libxml2.13 segmentation fault caused by php_libxml_node_free.

  • MbString

    • Fixed bug GH-19397: mb_list_encodings() can cause crashes on shutdown.

  • Opcache

    • Reset global pointers to prevent use-after-free in zend_jit_status().

  • OpenSSL

    • Fixed bug GH-18986: OpenSSL backend: incorrect RAND_{load,write}_file() return value check.
    • Fix error return check of EVP_CIPHER_CTX_ctrl().
    • Fixed bug GH-19428: openssl_pkey_derive segfaults for DH derive with low key_length param.

  • PDO Pgsql

    • Fixed dangling pointer access on _pdo_pgsql_trim_message helper.

  • Readline

    • Fixed bug GH-19250 and bug #51360: Invalid conftest for rl_pending_input.

  • SOAP

    • Fixed bug GH-18640: heap-use-after-free ext/soap/php_encoding.c:299:32 in soap_check_zval_ref.

  • Sockets:

    • Fix some potential crashes on incorrect argument value.

  • Standard

    • Fixed OSS Fuzz #433303828: Leak in failed unserialize() with opcache.
    • Fix theoretical issues with hrtime() not being available.
    • Fixed bug GH-19300: Nested array_multisort invocation with error breaks.

  • Windows

    • Free opened_path when opened_path_len >= MAXPATHLEN.