[pull] master from php:master

NEWS

@@ -224,6 +224,8 @@ PHP                                                                        NEWS
     null bytes. (Weilin Du)
   . proc_open() now raises a ValueError when the $cwd argument contains
     null bytes. (Weilin Du)
+  . ini_get_all() now includes the built-in default value in the details.
+    (sebastian)
 
 - Streams:
   . Added so_keepalive, tcp_keepidle, tcp_keepintvl and tcp_keepcnt stream
@@ -239,6 +241,12 @@ PHP                                                                        NEWS
   . Fixed bug #49874 (ftell() and fseek() inconsistency when using stream
     filters). (Jakub Zelenka)
 
+- URI:
+  . Added Uri\Rfc3986\Uri:getUriType() and Uri\WhatWg\Url:isSpecialScheme().
+    (kocsismate)
+  . Added Uri\Rfc3986\Uri:getHostType() and Uri\WhatWg\Url:getHostType().
+    (kocsismate)
+
 - Zip:
   . Fixed ZipArchive callback being called after executor has shut down.
     (ilutov)

UPGRADING

@@ -211,6 +211,12 @@ PHP 8.6 UPGRADE NOTES
     options.
   . Allowed casting casting filtered streams as file descriptor for select.
 
+- URI:
+  . Added Uri\Rfc3986\Uri:getUriType() and Uri\WhatWg\Url:isSpecialScheme().
+    RFC: https://wiki.php.net/rfc/uri_followup#uri_type_detection
+  . Added Uri\Rfc3986\Uri:getHostType() and Uri\WhatWg\Url:getHostType().
+    RFC: https://wiki.php.net/rfc/uri_followup#host_type_detection
+
 ========================================
 3. Changes in SAPI modules
 ========================================
@@ -270,6 +276,12 @@ PHP 8.6 UPGRADE NOTES
     when not null, and on failure, gives the error code (one of the EAI_*
     constants).
 
+- Standard:
+  . ini_get_all() now includes a "builtin_default_value" element for each
+    directive when $details is true. It holds the built-in default value of
+    the directive (or null if it has none), independent of values set in
+    php.ini, on the command line, or at runtime.
+
 ========================================
 6. New Functions
 ========================================

ext/gd/libgd/gd.c

@@ -1783,6 +1783,9 @@ void gdImageEllipse(gdImagePtr im, int mx, int my, int w, int h, int c)
 
 	a=w>>1;
 	b=h>>1;
+	if (overflowMul3(a, b, b) || overflowMul3(b, a, a)) {
+		return;
+	}
 	gdImageSetPixel(im,mx+a, my, c);
 	gdImageSetPixel(im,mx-a, my, c);
 	mx1 = mx-a;my1 = my;
@@ -1824,7 +1827,9 @@ void gdImageFilledEllipse (gdImagePtr im, int mx, int my, int w, int h, int c)
 
 	a=w>>1;
 	b=h>>1;
-
+	if (overflowMul3(a, b, b) || overflowMul3(b, a, a)) {
+		return;
+	}
 	for (x = mx-a; x <= mx+a; x++) {
 		gdImageSetPixel(im, x, my, c);
 	}

ext/gd/libgd/gd_security.c

@@ -14,6 +14,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <limits.h>
 #include "gd.h"
 #include "gd_errors.h"
@@ -30,3 +31,20 @@ int overflow2(int a, int b)
 	}
 	return 0;
 }
+
+int overflowMul3(int a, int b, int c)
+{
+	if (a < 0 || b < 0 || c < 0) {
+		return 1;
+	}
+	if (a == 0 || b == 0 || c == 0) {
+		return 0;
+	}
+	if (a > INT_MAX / b) {
+		return 1;
+	}
+	if ((int64_t)a * b > INT64_MAX / c) {
+		return 1;
+	}
+	return 0;
+}

ext/gd/libgd/gdhelpers.h

@@ -27,6 +27,7 @@ extern char *gd_strtok_r(char *s, char *sep, char **state);
 	netpbm fixes by Alan Cox. */
 
 int overflow2(int a, int b);
+int overflowMul3(int a, int b, int c);
 
 #ifdef ZTS
 #define gdMutexDeclare(x) MUTEX_T x

ext/gd/tests/gh19739.phpt

@@ -0,0 +1,18 @@
+--TEST--
+GH-19739 (integer overflow in imageellipse / imagefilledellipse)
+--EXTENSIONS--
+gd
+--FILE--
+<?php
+$im = imagecreatetruecolor(400, 300);
+$color = imagecolorallocate($im, 150, 255, 0);
+
+var_dump(imageellipse($im, 64, 150, 2147483647, 2147483647, $color));
+var_dump(imagefilledellipse($im, 64, 150, 2147483647, 2147483647, $color));
+
+echo "done" . PHP_EOL;
+?>
+--EXPECT--
+bool(true)
+bool(true)
+done

ext/lexbor/lexbor/url/url.c

@@ -860,7 +860,7 @@ lxb_url_is_url_codepoint(lxb_codepoint_t cp)
     return lxb_url_codepoint_alphanumeric[(lxb_char_t) cp] != 0xFF;
 }
 
-lxb_inline bool
+bool
 lxb_url_is_special(const lxb_url_t *url)
 {
     return url->scheme.type != LXB_URL_SCHEMEL_TYPE__UNKNOWN;

ext/lexbor/lexbor/url/url.h

@@ -763,6 +763,15 @@ LXB_API lxb_status_t
 lxb_url_search_params_serialize(lxb_url_search_params_t *search_params,
                                 lexbor_callback_f cb, void *ctx);
 
+/**
+ * Returns whether the URL is special.
+ *
+ * @param[in] lxb_url_t *. Cannot be NULL.
+ * @return true if URL is special, false otherwise.
+ */
+LXB_API bool
+lxb_url_is_special(const lxb_url_t *url);
+
 /*
  * Inline functions.
  */

ext/lexbor/patches/0007-Add-Is_Special_Url_Support.patch

@@ -0,0 +1,44 @@
+From 9181fce509ab9b37c02994545f3971687433e770 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A1t=C3=A9=20Kocsis?= <kocsismate@woohoolabs.com>
+Date: Sun, 17 May 2026 22:17:14 +0200
+Subject: [PATCH] Add lxb_url_is_special() to the public API (#362)
+
+As https://wiki.php.net/rfc/uri_followup#uri_type_detection relies on this information.
+---
+ source/lexbor/url/url.c | 2 +-
+ source/lexbor/url/url.h | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/source/lexbor/url/url.c b/source/lexbor/url/url.c
+index 5a114346..a5b323f2 100644
+--- a/source/lexbor/url/url.c
++++ b/source/lexbor/url/url.c
+@@ -860,7 +860,7 @@ lxb_url_is_url_codepoint(lxb_codepoint_t cp)
+     return lxb_url_codepoint_alphanumeric[(lxb_char_t) cp] != 0xFF;
+ }
+
+-lxb_inline bool
++bool
+ lxb_url_is_special(const lxb_url_t *url)
+ {
+     return url->scheme.type != LXB_URL_SCHEMEL_TYPE__UNKNOWN;
+diff --git a/source/lexbor/url/url.h b/source/lexbor/url/url.h
+index 4ed3f32a..6cc6f108 100644
+--- a/source/lexbor/url/url.h
++++ b/source/lexbor/url/url.h
+@@ -763,6 +763,15 @@ LXB_API lxb_status_t
+ lxb_url_search_params_serialize(lxb_url_search_params_t *search_params,
+                                 lexbor_callback_f cb, void *ctx);
+
++/**
++ * Returns whether the URL is special.
++ *
++ * @param[in] lxb_url_t *. Cannot be NULL.
++ * @return true if URL is special, false otherwise.
++ */
++LXB_API bool
++lxb_url_is_special(const lxb_url_t *url);
++
+ /*
+  * Inline functions.
+  */

ext/standard/basic_functions.c

@@ -1955,6 +1955,12 @@ PHP_FUNCTION(ini_get_all)
 					add_assoc_null(&option, "local_value");
 				}
 
+				if (ini_entry->def->value) {
+					add_assoc_stringl(&option, "builtin_default_value", ini_entry->def->value, ini_entry->def->value_length);
+				} else {
+					add_assoc_null(&option, "builtin_default_value");
+				}
+
 				add_assoc_long(&option, "access", ini_entry->modifiable);
 
 				zend_symtable_update(Z_ARRVAL_P(return_value), ini_entry->name, &option);

ext/standard/tests/general_functions/ini_get_all.phpt

@@ -33,29 +33,35 @@ array(0) {
 }
 array(3) {
   ["pcre.backtrack_limit"]=>
-  array(3) {
+  array(4) {
     ["global_value"]=>
     string(7) "1000000"
     ["local_value"]=>
     string(7) "1000000"
+    ["builtin_default_value"]=>
+    string(7) "1000000"
     ["access"]=>
     int(7)
   }
   ["pcre.jit"]=>
-  array(3) {
+  array(4) {
     ["global_value"]=>
     string(1) "1"
     ["local_value"]=>
     string(1) "1"
+    ["builtin_default_value"]=>
+    string(1) "1"
     ["access"]=>
     int(7)
   }
   ["pcre.recursion_limit"]=>
-  array(3) {
+  array(4) {
     ["global_value"]=>
     string(6) "100000"
     ["local_value"]=>
     string(6) "100000"
+    ["builtin_default_value"]=>
+    string(6) "100000"
     ["access"]=>
     int(7)
   }

ext/standard/tests/general_functions/ini_get_all_builtin_default_value.phpt

@@ -0,0 +1,33 @@
+--TEST--
+ini_get_all() exposes the built-in default value independent of configuration and runtime changes
+--INI--
+precision=8
+--FILE--
+<?php
+
+// precision is configured to 8 above, but its compiled-in default is 14.
+$all = ini_get_all(null, true);
+
+var_dump($all["precision"]["global_value"]);
+var_dump($all["precision"]["local_value"]);
+var_dump($all["precision"]["builtin_default_value"]);
+
+// A runtime change must not affect builtin_default_value.
+ini_set("precision", "3");
+
+$all = ini_get_all(null, true);
+
+var_dump($all["precision"]["global_value"]);
+var_dump($all["precision"]["local_value"]);
+var_dump($all["precision"]["builtin_default_value"]);
+
+echo "Done\n";
+?>
+--EXPECT--
+string(1) "8"
+string(1) "8"
+string(2) "14"
+string(1) "8"
+string(1) "3"
+string(2) "14"
+Done

ext/standard/tests/general_functions/ini_get_all_builtin_default_value_null.phpt

@@ -0,0 +1,33 @@
+--TEST--
+ini_get_all() reports a null built-in default value for a directive that has no compiled-in default
+--INI--
+error_append_string=FOO
+--FILE--
+<?php
+
+// error_append_string is configured above, but it has no compiled-in default,
+// so builtin_default_value must be null regardless of configuration or runtime changes.
+$all = ini_get_all(null, true);
+
+var_dump($all["error_append_string"]["global_value"]);
+var_dump($all["error_append_string"]["local_value"]);
+var_dump($all["error_append_string"]["builtin_default_value"]);
+
+ini_set("error_append_string", "BAR");
+
+$all = ini_get_all(null, true);
+
+var_dump($all["error_append_string"]["global_value"]);
+var_dump($all["error_append_string"]["local_value"]);
+var_dump($all["error_append_string"]["builtin_default_value"]);
+
+echo "Done\n";
+?>
+--EXPECT--
+string(3) "FOO"
+string(3) "FOO"
+NULL
+string(3) "FOO"
+string(3) "BAR"
+NULL
+Done