PHP 8.4.5 has been released, featuring a range of fixes and enhancements. The updates address issues in BCMath, Core, DOM, GD, FFI, FPM, LibXML, MBString, Opcache, Phar, PHPDBG, Reflection, Standard, Streams, Windows, and Zlib.
BCMath has addressed a memory leak issue, Core has resolved a malfunction in stack overflow detection, DOM has corrected a typographical error in error messages, FFI has improved the parsing of pointer declaration lists, FPM has rectified an issue with the PATH_INFO environment variable, GD has resolved a crash related to imagepalette when set to true color, LDAP has fixed a memory leak in ldap_search, LibXML has addressed a recurrence of issue #72714, Opcache has corrected the problem of multiple classes utilizing the same trait, Phar has resolved a bug related to PharFileInfo reference counting, and PHPDBG has made partial progress in fixing a crash when calling registered functions in phpdbg. Reflection has resolved a core dump issue, Standard has addressed bug #72666, and Streams have rectified various bugs, including realloc with a size of 0 in user_filters.c. Windows has addressed the phpize issue for Windows 11 (24H2), ensuring the CURL_STATICLIB flag is set even when linked with a shared library. Additionally, Zlib has resolved a memory leak that occurred when encoding checks failed.
PHP 8.4.5
- BCMath:
. Fixed bug GH-17398 (bcmul memory leak). (SakiTakamachi)
- Core:
. Fixed bug GH-17623 (Broken stack overflow detection for variable compilation). (ilutov)
. Fixed bug GH-17618 (UnhandledMatchError does not take zend.exception_ignore_args=1 into account). (timwolla)
. Fix fallback paths in fast_long_{add,sub}_function. (nielsdos)
. Fixed bug OSS-Fuzz #391975641 (Crash when accessing property backing value by reference). (ilutov)
. Fixed bug GH-17718 (Calling static methods on an interface that has `__callStatic` is allowed). (timwolla)
. Fixed bug GH-17713 (ReflectionProperty::getRawValue() and related methods may call hooks of overridden properties). (Arnaud)
. Fixed bug GH-17916 (Final abstract properties should error). (DanielEScherzer)
. Fixed bug GH-17866 (zend_mm_heap corrupted error after upgrading from 8.4.3 to 8.4.4). (nielsdos)
. Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free). (CVE-2024-11235) (ilutov)
- DOM:
. Fixed bug GH-17609 (Typo in error message: Dom\NO_DEFAULT_NS instead of Dom\HTML_NO_DEFAULT_NS). (nielsdos)
. Fixed bug GH-17802 (\Dom\HTMLDocument querySelector attribute name is case sensitive in HTML). (nielsdos)
. Fixed bug GH-17847 (xinclude destroys live node). (nielsdos)
. Fix using Dom\Node with Dom\XPath callbacks. (nielsdos)
- GD:
. Fixed bug GH-17703 (imagescale with both width and height negative values triggers only an Exception on width). (David Carlier)
- FFI:
. Fix FFI Parsing of Pointer Declaration Lists. (davnotdev)
- FPM:
. Fixed bug GH-17643 (FPM with httpd ProxyPass encoded PATH_INFO env). (Jakub Zelenka)
- GD:
. Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M). (David Carlier)
- LDAP:
. Fixed bug GH-17704 (ldap_search fails when $attributes contains a non-packed array with numerical keys). (nielsdos, 7u83)
- LibXML:
. Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714). (nielsdos)
. Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource). (CVE-2025-1219) (timwolla)
- MBString:
. Fixed bug GH-17503 (Undefined float conversion in mb_convert_variables). (cmb)
- Opcache:
. Fixed bug GH-17654 (Multiple classes using same trait causes function JIT crash). (nielsdos)
. Fixed bug GH-17577 (JIT packed type guard crash). (nielsdos, Dmitry)
. Fixed bug GH-17747 (Exception on reading property in register-based FETCH_OBJ_R breaks JIT). (Dmitry, nielsdos)
. Fixed bug GH-17715 (Null pointer deref in observer API when calling cases() method on preloaded enum). (Bob)
. Fixed bug GH-17868 (Cannot allocate memory with tracing JIT on 8.4.4). (nielsdos)
- PDO_SQLite:
. Fixed GH-17837 ()::getColumnMeta() on unexecuted statement segfaults). (cmb)
. Fix cycle leak in sqlite3 setAuthorizer(). (nielsdos)
. Fix memory leaks in pdo_sqlite callback registration. (nielsdos)
- Phar:
. Fixed bug GH-17808: PharFileInfo refcount bug. (nielsdos)
- PHPDBG:
. Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer). (nielsdos)
. Fix memory leak in phpdbg calling registered function. (nielsdos)
- Reflection:
. Fixed bug GH-15902 (Core dumped in ext/reflection/php_reflection.c). (DanielEScherzer)
. Fixed missing final and abstract flags when dumping properties. (DanielEScherzer)
- Standard:
. Fixed bug #72666 (stat cache clearing inconsistent between file:// paths and plain paths). (Jakub Zelenka)
- Streams:
. Fixed bug GH-17650 (realloc with size 0 in user_filters.c). (nielsdos)
. Fix memory leak on overflow in _php_stream_scandir(). (nielsdos)
. Fixed GHSA-hgf54-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736) (Jakub Zelenka)
. Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861) (Jakub Zelenka)
. Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734) (Jakub Zelenka)
. Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers). (CVE-2025-1217) (Jakub Zelenka)
- Windows:
. Fixed phpize for Windows 11 (24H2). (Bob)
. Fixed GH-17855 (CURL_STATICLIB flag set even if linked with shared lib). (cmb)
- Zlib:
. Fixed bug GH-17745 (zlib extension incorrectly handles object arguments). (nielsdos)
. Fix memory leak when encoding check fails. (nielsdos)
. Fix zlib support for large files. (nielsdos)
