From 9dbbb6c41310071725e80db43a15786a0eda271d Mon Sep 17 00:00:00 2001
From: lzq11122 <lzq02303433@alibaba-inc.com>
Date: Wed, 30 Jul 2025 15:33:07 +0800
Subject: [PATCH] add patch fix CVE-2025-6491 and CVE-2025-1735

---
 1000-fix-CVE-2025-6491.patch |  85 +++++++
 1001-fix-CVE-2025-1735.patch | 431 +++++++++++++++++++++++++++++++++++
 php.spec                     |   9 +-
 3 files changed, 524 insertions(+), 1 deletion(-)
 create mode 100644 1000-fix-CVE-2025-6491.patch
 create mode 100644 1001-fix-CVE-2025-1735.patch

diff --git a/1000-fix-CVE-2025-6491.patch b/1000-fix-CVE-2025-6491.patch
new file mode 100644
index 0000000..d87fbfc
--- /dev/null
+++ b/1000-fix-CVE-2025-6491.patch
@@ -0,0 +1,85 @@
+From d9b7cdd87566f610453bd59c74866387bd4be143 Mon Sep 17 00:00:00 2001
+From: lzq11122 <lzq02303433@alibaba-inc.com>
+Date: Tue, 15 Jul 2025 03:16:36 -0400
+Subject: [PATCH 1/1] fix CVE-2025-6491
+
+---
+ ext/soap/soap.c                      |  6 ++--
+ ext/soap/tests/soap_qname_crash.phpt | 48 ++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+), 2 deletions(-)
+ create mode 100644 ext/soap/tests/soap_qname_crash.phpt
+
+diff --git a/ext/soap/soap.c b/ext/soap/soap.c
+index 3f8a50ba..87ba0352 100644
+--- a/ext/soap/soap.c
++++ b/ext/soap/soap.c
+@@ -3980,8 +3980,10 @@ static xmlNodePtr serialize_zval(zval *val, sdlParamPtr param, char *paramName,
+ 	}
+ 	xmlParam = master_to_xml(enc, val, style, parent);
+ 	zval_ptr_dtor(&defval);
+-	if (!strcmp((char*)xmlParam->name, "BOGUS")) {
+-		xmlNodeSetName(xmlParam, BAD_CAST(paramName));
++	if (xmlParam != NULL) { 
++		if (xmlParam->name == NULL || strcmp((char*)xmlParam->name, "BOGUS") == 0) {
++			xmlNodeSetName(xmlParam, BAD_CAST(paramName));
++		}	
+ 	}
+ 	return xmlParam;
+ }
+diff --git a/ext/soap/tests/soap_qname_crash.phpt b/ext/soap/tests/soap_qname_crash.phpt
+new file mode 100644
+index 00000000..bcf01d57
+--- /dev/null
++++ b/ext/soap/tests/soap_qname_crash.phpt
+@@ -0,0 +1,48 @@
++--TEST--
++Test SoapClient with excessively large QName prefix in SoapVar
++--EXTENSIONS--
++soap
++--SKIPIF--
++<?php
++if (PHP_INT_SIZE != 8) die("skip: 64-bit only");
++?>
++--INI--
++memory_limit=6144M
++--FILE--
++<?php
++
++class TestSoapClient extends SoapClient {
++    public function __doRequest(
++        $request,
++        $location,
++        $action,
++        $version,
++        $one_way = false,
++    ): ?string {
++        die($request);
++    }
++}
++
++$prefix = str_repeat("A", 2 * 1024 * 1024 * 1024);
++$qname = "{$prefix}:tag";
++
++echo "Attempting to create SoapVar with very large QName\n";
++
++$var = new SoapVar("value", XSD_QNAME, null, null, $qname);
++
++echo "Attempting encoding\n";
++
++$options = [
++    'location' => 'http://127.0.0.1/',
++    'uri' => 'urn:dummy',
++    'trace' => 1,
++    'exceptions' => true,
++];
++$client = new TestSoapClient(null, $options);
++$client->__soapCall("DummyFunction", [$var]);
++?>
++--EXPECT--
++Attempting to create SoapVar with very large QName
++Attempting encoding
++<?xml version="1.0" encoding="UTF-8"?>
++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:dummy" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:DummyFunction><param0 xsi:type="xsd:QName">value</param0></ns1:DummyFunction></SOAP-ENV:Body></SOAP-ENV:Envelope>
+-- 
+2.47.3
+
diff --git a/1001-fix-CVE-2025-1735.patch b/1001-fix-CVE-2025-1735.patch
new file mode 100644
index 0000000..7a5e7c8
--- /dev/null
+++ b/1001-fix-CVE-2025-1735.patch
@@ -0,0 +1,431 @@
+From a32689ef7d5d9b446c38dca4ddef988d19c4371c Mon Sep 17 00:00:00 2001
+From: lzq11122 <lzq02303433@alibaba-inc.com>
+Date: Wed, 16 Jul 2025 01:14:09 -0400
+Subject: [PATCH 1/1] fix CVE-2025-1735
+
+---
+ ext/pdo_pgsql/pgsql_driver.c                 |  11 +-
+ ext/pdo_pgsql/tests/ghsa-hrwm-9436-5mv3.phpt |  24 ++++
+ ext/pgsql/pgsql.c                            | 118 +++++++++++++++----
+ ext/pgsql/tests/ghsa-hrwm-9436-5mv3.phpt     |  64 ++++++++++
+ 4 files changed, 195 insertions(+), 22 deletions(-)
+ create mode 100644 ext/pdo_pgsql/tests/ghsa-hrwm-9436-5mv3.phpt
+ create mode 100644 ext/pgsql/tests/ghsa-hrwm-9436-5mv3.phpt
+
+diff --git a/ext/pdo_pgsql/pgsql_driver.c b/ext/pdo_pgsql/pgsql_driver.c
+index 46b3f25f..78e3b5c2 100644
+--- a/ext/pdo_pgsql/pgsql_driver.c
++++ b/ext/pdo_pgsql/pgsql_driver.c
+@@ -353,11 +353,14 @@ static zend_string* pgsql_handle_quoter(pdo_dbh_t *dbh, const zend_string *unquo
+ 	zend_string *quoted_str;
+ 	pdo_pgsql_db_handle *H = (pdo_pgsql_db_handle *)dbh->driver_data;
+ 	size_t tmp_len;
+-
++        int err;
+ 	switch (paramtype) {
+ 		case PDO_PARAM_LOB:
+ 			/* escapedlen returned by PQescapeBytea() accounts for trailing 0 */
+ 			escaped = PQescapeByteaConn(H->server, (unsigned char *)ZSTR_VAL(unquoted), ZSTR_LEN(unquoted), &tmp_len);
++			if (escaped == NULL) {
++				return NULL;
++			}
+ 			quotedlen = tmp_len + 1;
+ 			quoted = emalloc(quotedlen + 1);
+ 			memcpy(quoted+1, escaped, quotedlen-2);
+@@ -369,7 +372,11 @@ static zend_string* pgsql_handle_quoter(pdo_dbh_t *dbh, const zend_string *unquo
+ 		default:
+ 			quoted = safe_emalloc(2, ZSTR_LEN(unquoted), 3);
+ 			quoted[0] = '\'';
+-			quotedlen = PQescapeStringConn(H->server, quoted + 1, ZSTR_VAL(unquoted), ZSTR_LEN(unquoted), NULL);
++			quotedlen = PQescapeStringConn(H->server, quoted + 1, ZSTR_VAL(unquoted), ZSTR_LEN(unquoted), &err);
++			if (err) {
++				efree(quoted)
++				return NULL;
++			}
+ 			quoted[quotedlen + 1] = '\'';
+ 			quoted[quotedlen + 2] = '\0';
+ 			quotedlen += 2;
+diff --git a/ext/pdo_pgsql/tests/ghsa-hrwm-9436-5mv3.phpt b/ext/pdo_pgsql/tests/ghsa-hrwm-9436-5mv3.phpt
+new file mode 100644
+index 00000000..8566a267
+--- /dev/null
++++ b/ext/pdo_pgsql/tests/ghsa-hrwm-9436-5mv3.phpt
+@@ -0,0 +1,24 @@
++--TEST--
++#GHSA-hrwm-9436-5mv3: pdo_pgsql extension does not check for errors during escaping
++--EXTENSIONS--
++pdo
++pdo_pgsql
++--SKIPIF--
++<?php
++require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
++require_once dirname(__FILE__) . '/config.inc';
++PDOTest::skip();
++?>
++--FILE--
++<?php
++require_once dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
++require_once dirname(__FILE__) . '/config.inc';
++$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt');
++$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
++
++$invalid = "ABC\xff\x30';";
++var_dump($db->quote($invalid));
++
++?>
++--EXPECT--
++bool(false)
+diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
+index e955eed0..0e6306d8 100644
+--- a/ext/pgsql/pgsql.c
++++ b/ext/pgsql/pgsql.c
+@@ -3269,8 +3269,14 @@ PHP_FUNCTION(pg_escape_string)
+ 
+ 	to = zend_string_safe_alloc(ZSTR_LEN(from), 2, 0, 0);
+ 	if (link) {
++		int err;
+ 		pgsql = link->conn;
+-		ZSTR_LEN(to) = PQescapeStringConn(pgsql, ZSTR_VAL(to), ZSTR_VAL(from), ZSTR_LEN(from), NULL);
++		ZSTR_LEN(to) = PQescapeStringConn(pgsql, ZSTR_VAL(to), ZSTR_VAL(from), ZSTR_LEN(from), &err);
++		if (err) {
++			zend_argument_value_error(ZEND_NUM_ARGS(), "Escaping string failed");
++			zend_string_efree(to);
++			RETURN_THROWS();
++		}	
+ 	} else
+ 	{
+ 		ZSTR_LEN(to) = PQescapeString(ZSTR_VAL(to), ZSTR_VAL(from), ZSTR_LEN(from));
+@@ -3313,7 +3319,10 @@ PHP_FUNCTION(pg_escape_bytea)
+ 	} else {
+ 		to = (char *)PQescapeBytea((unsigned char *)ZSTR_VAL(from), ZSTR_LEN(from), &to_len);
+ 	}
+-
++	if (to == NULL) {
++		zend_argument_value_error(ZEND_NUM_ARGS(), "Escape failure");
++		RETURN_THROWS();
++	}
+ 	RETVAL_STRINGL(to, to_len-1); /* to_len includes additional '\0' */
+ 	PQfreemem(to);
+ }
+@@ -4239,7 +4248,7 @@ PHP_PGSQL_API zend_result php_pgsql_meta_data(PGconn *pg_link, const zend_string
+ 	char *escaped;
+ 	smart_str querystr = {0};
+ 	size_t new_len;
+-	int i, num_rows;
++	int i, num_rows,err;
+ 	zval elem;
+ 
+ 	ZEND_ASSERT(ZSTR_LEN(table_name) != 0);
+@@ -4277,7 +4286,14 @@ PHP_PGSQL_API zend_result php_pgsql_meta_data(PGconn *pg_link, const zend_string
+ 						  "WHERE a.attnum > 0 AND c.relname = '");
+ 	}
+ 	escaped = (char *)safe_emalloc(strlen(tmp_name2), 2, 1);
+-	new_len = PQescapeStringConn(pg_link, escaped, tmp_name2, strlen(tmp_name2), NULL);
++	new_len = PQescapeStringConn(pg_link, escaped, tmp_name2, strlen(tmp_name2), &err);
++	if (err) {
++		php_error_docref(NULL, E_WARNING, "Escaping table name '%s' failed", ZSTR_VAL(table_name));
++		efree(src);
++		efree(escaped);
++		smart_str_free(&querystr);
++		return FAILURE;
++	}
+ 	if (new_len) {
+ 		smart_str_appendl(&querystr, escaped, new_len);
+ 	}
+@@ -4546,7 +4562,7 @@ PHP_PGSQL_API zend_result php_pgsql_convert(PGconn *pg_link, const zend_string *
+ {
+ 	zend_string *field = NULL;
+ 	zval meta, *def, *type, *not_null, *has_default, *is_enum, *val, new_val;
+-	int err = 0, skip_field;
++	int err = 0,escape_err = 0, skip_field;
+ 	php_pgsql_data_type data_type;
+ 
+ 	ZEND_ASSERT(pg_link != NULL);
+@@ -4798,8 +4814,12 @@ PHP_PGSQL_API zend_result php_pgsql_convert(PGconn *pg_link, const zend_string *
+ 							/* PostgreSQL ignores \0 */
+ 							str = zend_string_alloc(Z_STRLEN_P(val) * 2, 0);
+ 							/* better to use PGSQLescapeLiteral since PGescapeStringConn does not handle special \ */
+-							ZSTR_LEN(str) = PQescapeStringConn(pg_link, ZSTR_VAL(str), Z_STRVAL_P(val), Z_STRLEN_P(val), NULL);
+-							ZVAL_STR(&new_val, php_pgsql_add_quotes(str));
++							ZSTR_LEN(str) = PQescapeStringConn(pg_link, ZSTR_VAL(str), Z_STRVAL_P(val), Z_STRLEN_P(val), &err);
++							if (escape_err)  {
++  								err = 1;
++							} else {
++								ZVAL_STR(&new_val, php_pgsql_add_quotes(str));
++							}
+ 							zend_string_release_ex(str, false);
+ 						}
+ 						break;
+@@ -4822,7 +4842,15 @@ PHP_PGSQL_API zend_result php_pgsql_convert(PGconn *pg_link, const zend_string *
+ 				}
+ 				PGSQL_CONV_CHECK_IGNORE();
+ 				if (err) {
+-					zend_type_error("%s(): Field \"%s\" must be of type string|null, %s given", get_active_function_name(), ZSTR_VAL(field), Z_STRVAL_P(type));
++					if (escape_err) {
++						php_error_docref(NULL, E_NOTICE,
++							"String value escaping failed for PostgreSQL '%s' (%s)",
++							Z_STRVAL_P(type), ZSTR_VAL(field));
++					} else {
++						php_error_docref(NULL, E_NOTICE,
++							"Expects NULL, string, long or double value for PostgreSQL '%s' (%s)",
++							Z_STRVAL_P(type), ZSTR_VAL(field));
++					}
+ 				}
+ 				break;
+ 
+@@ -5097,6 +5125,11 @@ PHP_PGSQL_API zend_result php_pgsql_convert(PGconn *pg_link, const zend_string *
+ 							zend_string *tmp_zstr;
+ 
+ 							tmp = PQescapeByteaConn(pg_link, (unsigned char *)Z_STRVAL_P(val), Z_STRLEN_P(val), &to_len);
++							if (tmp == NULL) {
++								php_error_docref(NULL, E_NOTICE, "Escaping value failed for %s field (%s)", Z_STRVAL_P(type), ZSTR_VAL(field));
++								err = 1;
++								break;
++							}
+ 							tmp_zstr = zend_string_init((char *)tmp, to_len - 1, false); /* PQescapeBytea's to_len includes additional '\0' */
+ 							PQfreemem(tmp);
+ 
+@@ -5175,6 +5208,12 @@ PHP_PGSQL_API zend_result php_pgsql_convert(PGconn *pg_link, const zend_string *
+ 				zend_hash_update(Z_ARRVAL_P(result), field, &new_val);
+ 			} else {
+ 				char *escaped = PQescapeIdentifier(pg_link, ZSTR_VAL(field), ZSTR_LEN(field));
++				if (escaped == NULL) {
++					/* This cannot fail because of invalid string but only due to failed memory allocation */
++					php_error_docref(NULL, E_NOTICE, "Escaping field '%s' failed", ZSTR_VAL(field));
++					err = 1;
++					break;
++				}
+ 				add_assoc_zval(result, escaped, &new_val);
+ 				PQfreemem(escaped);
+ 			}
+@@ -5253,7 +5292,7 @@ static bool do_exec(smart_str *querystr, ExecStatusType expect, PGconn *pg_link,
+ }
+ /* }}} */
+ 
+-static inline void build_tablename(smart_str *querystr, PGconn *pg_link, const zend_string *table) /* {{{ */
++static inline zend_result build_tablename(smart_str *querystr, PGconn *pg_link, const zend_string *table) /* {{{ */
+ {
+ 	/* schema.table should be "schema"."table" */
+ 	const char *dot = memchr(ZSTR_VAL(table), '.', ZSTR_LEN(table));
+@@ -5263,6 +5302,10 @@ static inline void build_tablename(smart_str *querystr, PGconn *pg_link, const z
+ 		smart_str_appendl(querystr, ZSTR_VAL(table), len);
+ 	} else {
+ 		char *escaped = PQescapeIdentifier(pg_link, ZSTR_VAL(table), len);
++		if (escaped == NULL) {
++			php_error_docref(NULL, E_NOTICE, "Failed to escape table name '%s'", ZSTR_VAL(table));
++			return FAILURE;
++		}
+ 		smart_str_appends(querystr, escaped);
+ 		PQfreemem(escaped);
+ 	}
+@@ -5275,12 +5318,19 @@ static inline void build_tablename(smart_str *querystr, PGconn *pg_link, const z
+ 			smart_str_appendl(querystr, after_dot, len);
+ 		} else {
+ 			char *escaped = PQescapeIdentifier(pg_link, after_dot, len);
++			if (escaped == NULL) {
++				php_error_docref(NULL, E_NOTICE, "Failed to escape table name '%s'", ZSTR_VAL(table));
++				return FAILURE;
++			}
+ 			smart_str_appendc(querystr, '.');
+ 			smart_str_appends(querystr, escaped);
+ 			PQfreemem(escaped);
+ 		}
+ 	}
++	
++	return SUCCESS;
+ }
++
+ /* }}} */
+ 
+ /* {{{ php_pgsql_insert */
+@@ -5300,7 +5350,9 @@ PHP_PGSQL_API zend_result php_pgsql_insert(PGconn *pg_link, const zend_string *t
+ 	ZVAL_UNDEF(&converted);
+ 	if (zend_hash_num_elements(Z_ARRVAL_P(var_array)) == 0) {
+ 		smart_str_appends(&querystr, "INSERT INTO ");
+-		build_tablename(&querystr, pg_link, table);
++		if (build_tablename(&querystr, pg_link, table) == FAILURE) {
++			goto cleanup;
++		}
+ 		smart_str_appends(&querystr, " DEFAULT VALUES");
+ 
+ 		goto no_values;
+@@ -5316,7 +5368,9 @@ PHP_PGSQL_API zend_result php_pgsql_insert(PGconn *pg_link, const zend_string *t
+ 	}
+ 
+ 	smart_str_appends(&querystr, "INSERT INTO ");
+-	build_tablename(&querystr, pg_link, table);
++	if (build_tablename(&querystr, pg_link, table) == FAILURE) {
++		goto cleanup;
++	}
+ 	smart_str_appends(&querystr, " (");
+ 
+ 	ZEND_HASH_FOREACH_STR_KEY(Z_ARRVAL_P(var_array), fld) {
+@@ -5326,6 +5380,10 @@ PHP_PGSQL_API zend_result php_pgsql_insert(PGconn *pg_link, const zend_string *t
+ 		}
+ 		if (opt & PGSQL_DML_ESCAPE) {
+ 			tmp = PQescapeIdentifier(pg_link, ZSTR_VAL(fld), ZSTR_LEN(fld) + 1);
++			if (tmp == NULL) {
++				php_error_docref(NULL, E_NOTICE, "Failed to escape field '%s'", ZSTR_VAL(fld));
++				goto cleanup;
++			}
+ 			smart_str_appends(&querystr, tmp);
+ 			PQfreemem(tmp);
+ 		} else {
+@@ -5337,15 +5395,19 @@ PHP_PGSQL_API zend_result php_pgsql_insert(PGconn *pg_link, const zend_string *t
+ 	smart_str_appends(&querystr, ") VALUES (");
+ 
+ 	/* make values string */
+-	ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(var_array), val) {
++	ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(var_array), val) {
+ 		/* we can avoid the key_type check here, because we tested it in the other loop */
+ 		switch (Z_TYPE_P(val)) {
+ 			case IS_STRING:
+ 				if (opt & PGSQL_DML_ESCAPE) {
+-					size_t new_len;
+-					char *tmp;
+-					tmp = (char *)safe_emalloc(Z_STRLEN_P(val), 2, 1);
+-					new_len = PQescapeStringConn(pg_link, tmp, Z_STRVAL_P(val), Z_STRLEN_P(val), NULL);
++					int error;
++					char *tmp = safe_emalloc(Z_STRLEN_P(val), 2, 1);
++					size_t new_len = PQescapeStringConn(pg_link, tmp, Z_STRVAL_P(val), Z_STRLEN_P(val), &error);
++					if (error) {
++						php_error_docref(NULL, E_NOTICE, "Failed to escape field '%s' value", ZSTR_VAL(fld));
++						efree(tmp);
++						goto cleanup;
++					}
+ 					smart_str_appendc(&querystr, '\'');
+ 					smart_str_appendl(&querystr, tmp, new_len);
+ 					smart_str_appendc(&querystr, '\'');
+@@ -5501,6 +5563,10 @@ static inline int build_assignment_string(PGconn *pg_link, smart_str *querystr,
+ 		}
+ 		if (opt & PGSQL_DML_ESCAPE) {
+ 			char *tmp = PQescapeIdentifier(pg_link, ZSTR_VAL(fld), ZSTR_LEN(fld) + 1);
++			if (tmp == NULL) {
++				php_error_docref(NULL, E_NOTICE, "Failed to escape field '%s'", ZSTR_VAL(fld));
++				return -1;
++			}
+ 			smart_str_appends(querystr, tmp);
+ 			PQfreemem(tmp);
+ 		} else {
+@@ -5516,8 +5582,14 @@ static inline int build_assignment_string(PGconn *pg_link, smart_str *querystr,
+ 		switch (Z_TYPE_P(val)) {
+ 			case IS_STRING:
+ 				if (opt & PGSQL_DML_ESCAPE) {
++					int error;
+ 					char *tmp = (char *)safe_emalloc(Z_STRLEN_P(val), 2, 1);
+-					size_t new_len = PQescapeStringConn(pg_link, tmp, Z_STRVAL_P(val), Z_STRLEN_P(val), NULL);
++					size_t new_len = PQescapeStringConn(pg_link, tmp, Z_STRVAL_P(val), Z_STRLEN_P(val), &error);
++					if (error) {
++						php_error_docref(NULL, E_NOTICE, "Failed to escape field '%s' value", ZSTR_VAL(fld));
++						efree(tmp);
++						return -1;
++					}
+ 					smart_str_appendc(querystr, '\'');
+ 					smart_str_appendl(querystr, tmp, new_len);
+ 					smart_str_appendc(querystr, '\'');
+@@ -5585,7 +5657,9 @@ PHP_PGSQL_API zend_result php_pgsql_update(PGconn *pg_link, const zend_string *t
+ 	}
+ 
+ 	smart_str_appends(&querystr, "UPDATE ");
+-	build_tablename(&querystr, pg_link, table);
++	if (build_tablename(&querystr, pg_link, table) == FAILURE) {
++		goto cleanup;
++	}
+ 	smart_str_appends(&querystr, " SET ");
+ 
+ 	if (build_assignment_string(pg_link, &querystr, Z_ARRVAL_P(var_array), 0, ",", 1, opt))
+@@ -5688,7 +5762,9 @@ PHP_PGSQL_API zend_result php_pgsql_delete(PGconn *pg_link, const zend_string *t
+ 	}
+ 
+ 	smart_str_appends(&querystr, "DELETE FROM ");
+-	build_tablename(&querystr, pg_link, table);
++	if (build_tablename(&querystr, pg_link, table) == FAILURE) {
++		goto cleanup;
++	}
+ 	smart_str_appends(&querystr, " WHERE ");
+ 
+ 	if (build_assignment_string(pg_link, &querystr, Z_ARRVAL_P(ids_array), 1, " AND ", sizeof(" AND ")-1, opt))
+@@ -5828,7 +5904,9 @@ PHP_PGSQL_API zend_result php_pgsql_select(PGconn *pg_link, const zend_string *t
+ 	}
+ 
+ 	smart_str_appends(&querystr, "SELECT * FROM ");
+-	build_tablename(&querystr, pg_link, table);
++	if (build_tablename(&querystr, pg_link, table) == FAILURE) {
++		goto cleanup;
++	}
+ 	smart_str_appends(&querystr, " WHERE ");
+ 
+ 	if (build_assignment_string(pg_link, &querystr, Z_ARRVAL_P(ids_array), 1, " AND ", sizeof(" AND ")-1, opt))
+diff --git a/ext/pgsql/tests/ghsa-hrwm-9436-5mv3.phpt b/ext/pgsql/tests/ghsa-hrwm-9436-5mv3.phpt
+new file mode 100644
+index 00000000..c1c5e05d
+--- /dev/null
++++ b/ext/pgsql/tests/ghsa-hrwm-9436-5mv3.phpt
+@@ -0,0 +1,64 @@
++--TEST--
++#GHSA-hrwm-9436-5mv3: pgsql extension does not check for errors during escaping
++--EXTENSIONS--
++pgsql
++--SKIPIF--
++<?php include("skipif.inc"); ?>
++--FILE--
++<?php
++
++include 'config.inc';
++define('FILE_NAME', __DIR__ . '/php.gif');
++
++$db = pg_connect($conn_str);
++pg_query($db, "DROP TABLE IF EXISTS ghsa_hrmw_9436_5mv3");
++pg_query($db, "CREATE TABLE ghsa_hrmw_9436_5mv3 (bar text);");
++
++// pg_escape_literal/pg_escape_identifier
++
++$invalid = "ABC\xff\x30';";
++$flags = PGSQL_DML_NO_CONV | PGSQL_DML_ESCAPE;
++
++var_dump(pg_insert($db, $invalid, ['bar' => 'test'])); // table name str escape in php_pgsql_meta_data
++var_dump(pg_insert($db, "$invalid.tbl", ['bar' => 'test'])); // schema name str escape in php_pgsql_meta_data
++var_dump(pg_insert($db, 'ghsa_hrmw_9436_5mv3', ['bar' => $invalid])); // converted value str escape in php_pgsql_convert
++var_dump(pg_insert($db, $invalid, [])); // ident escape in build_tablename
++var_dump(pg_insert($db, 'ghsa_hrmw_9436_5mv3', [$invalid => 'foo'], $flags)); // ident escape for field php_pgsql_insert
++var_dump(pg_insert($db, 'ghsa_hrmw_9436_5mv3', ['bar' => $invalid], $flags)); // str escape for field value in php_pgsql_insert
++var_dump(pg_update($db, 'ghsa_hrmw_9436_5mv3', ['bar' => 'val'], [$invalid => 'test'], $flags)); // ident escape in build_assignment_string
++var_dump(pg_update($db, 'ghsa_hrmw_9436_5mv3', ['bar' => 'val'], ['bar' => $invalid], $flags)); // invalid str escape in build_assignment_string
++var_dump(pg_escape_literal($db, $invalid)); // pg_escape_literal escape
++var_dump(pg_escape_identifier($db, $invalid)); // pg_escape_identifier escape
++
++?>
++--EXPECTF--
++
++Warning: pg_insert(): Escaping table name 'ABC%s';' failed in %s on line %d
++bool(false)
++
++Warning: pg_insert(): Escaping table namespace 'ABC%s';.tbl' failed in %s on line %d
++bool(false)
++
++Notice: pg_insert(): String value escaping failed for PostgreSQL 'text' (bar) in %s on line %d
++bool(false)
++
++Notice: pg_insert(): Failed to escape table name 'ABC%s';' in %s on line %d
++bool(false)
++
++Notice: pg_insert(): Failed to escape field 'ABC%s';' in %s on line %d
++bool(false)
++
++Notice: pg_insert(): Failed to escape field 'bar' value in %s on line %d
++bool(false)
++
++Notice: pg_update(): Failed to escape field 'ABC%s';' in %s on line %d
++bool(false)
++
++Notice: pg_update(): Failed to escape field 'bar' value in %s on line %d
++bool(false)
++
++Warning: pg_escape_literal(): Failed to escape in %s on line %d
++bool(false)
++
++Warning: pg_escape_identifier(): Failed to escape in %s on line %d
++bool(false)
+-- 
+2.47.3
+
diff --git a/php.spec b/php.spec
index 342da89..d0eef88 100644
--- a/php.spec
+++ b/php.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 
 # API/ABI check
 %global apiver      20230831
@@ -87,6 +87,10 @@ Patch48: php-8.3.0-openssl-ec-param.patch
 Patch49: php-8.3.7-argon2.patch
 
 # Upstream fixes (100+)
+#From https://github.com/php/php-src/commit/9cb3d8d200f0c822b17bda35a2a67a97b039d3e1
+Patch101: 1000-fix-CVE-2025-6491.patch
+#From https://github.com/php/php-src/commit/9376aeef9f8ff81f2705b8016237ec3e30bdee44
+Patch102: 1001-fix-CVE-2025-1735.patch
 
 # Security fixes (200+)
 
@@ -1500,6 +1504,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 
 
 %changelog
+* Tue Jul 15 2025 lzq11122 <lzq02303433@alibaba-inc.com> - 8.3.19-2
+- add patch to fix CVE-2025-6491 and  CVE-2025-1735
+
 * Wed Jun 11 2025 wenxin <wx02272781@alibaba-inc.com> - 8.3.19-1
 - Update to 8.3.19 to fix CVE-2024-11235
 
-- 
Gitee