Skip to content

Commit 2e20771

Browse files
devnexendevnexen
committed
Merge branch 'PHP-8.3' into PHP-8.4
2 parents 42ad1c6 + 8a58585 commit 2e20771

File tree

3 files changed

+50
-6
lines changed

3 files changed

+50
-6
lines changed

NEWS

+4
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,10 @@ PHP NEWS
22
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
33
?? ??? ????, PHP 8.4.8
44

5+
- Core:
6+
. Fixed GH-18480 (array_splice with large values for offset/length arguments).
7+
(nielsdos/David Carlier)
8+
59
- Curl:
610
. Fixed GH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/
711
CURLOPT_PASSWORD set the Authorization header when set to NULL).

ext/standard/array.c

+6-6
Original file line numberDiff line numberDiff line change
@@ -3364,7 +3364,7 @@ static void php_splice(HashTable *in_hash, zend_long offset, zend_long length, H
33643364

33653365
/* If hash for removed entries exists, go until offset+length and copy the entries to it */
33663366
if (removed != NULL) {
3367-
for ( ; pos < offset + length && idx < in_hash->nNumUsed; idx++, entry++) {
3367+
for ( ; pos - offset < length && idx < in_hash->nNumUsed; idx++, entry++) {
33683368
if (Z_TYPE_P(entry) == IS_UNDEF) continue;
33693369
pos++;
33703370
Z_TRY_ADDREF_P(entry);
@@ -3377,9 +3377,9 @@ static void php_splice(HashTable *in_hash, zend_long offset, zend_long length, H
33773377
}
33783378
}
33793379
} else { /* otherwise just skip those entries */
3380-
int pos2 = pos;
3380+
zend_long pos2 = pos;
33813381

3382-
for ( ; pos2 < offset + length && idx < in_hash->nNumUsed; idx++, entry++) {
3382+
for ( ; pos2 - offset < length && idx < in_hash->nNumUsed; idx++, entry++) {
33833383
if (Z_TYPE_P(entry) == IS_UNDEF) continue;
33843384
pos2++;
33853385
zend_hash_packed_del_val(in_hash, entry);
@@ -3438,7 +3438,7 @@ static void php_splice(HashTable *in_hash, zend_long offset, zend_long length, H
34383438

34393439
/* If hash for removed entries exists, go until offset+length and copy the entries to it */
34403440
if (removed != NULL) {
3441-
for ( ; pos < offset + length && idx < in_hash->nNumUsed; idx++, p++) {
3441+
for ( ; pos - offset < length && idx < in_hash->nNumUsed; idx++, p++) {
34423442
if (Z_TYPE(p->val) == IS_UNDEF) continue;
34433443
pos++;
34443444
entry = &p->val;
@@ -3451,9 +3451,9 @@ static void php_splice(HashTable *in_hash, zend_long offset, zend_long length, H
34513451
zend_hash_del_bucket(in_hash, p);
34523452
}
34533453
} else { /* otherwise just skip those entries */
3454-
int pos2 = pos;
3454+
zend_long pos2 = pos;
34553455

3456-
for ( ; pos2 < offset + length && idx < in_hash->nNumUsed; idx++, p++) {
3456+
for ( ; pos2 - offset < length && idx < in_hash->nNumUsed; idx++, p++) {
34573457
if (Z_TYPE(p->val) == IS_UNDEF) continue;
34583458
pos2++;
34593459
zend_hash_del_bucket(in_hash, p);

ext/standard/tests/array/gh18480.phpt

+40
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
--TEST--
2+
GH-18480 (array_splice overflow with large offset / length values)
3+
--FILE--
4+
<?php
5+
6+
foreach ([PHP_INT_MIN, PHP_INT_MAX] as $length) {
7+
$a = [PHP_INT_MAX];
8+
$offset = PHP_INT_MAX;
9+
var_dump(array_splice($a,$offset, $length));
10+
$a = [PHP_INT_MAX];
11+
$offset = PHP_INT_MIN;
12+
var_dump(array_splice($a,$offset, $length));
13+
$a = ["a" => PHP_INT_MAX];
14+
$offset = PHP_INT_MAX;
15+
var_dump(array_splice($a,$offset, $length));
16+
$a = ["a" => PHP_INT_MAX];
17+
$offset = PHP_INT_MIN;
18+
var_dump(array_splice($a,$offset, $length));
19+
}
20+
--EXPECTF--
21+
array(0) {
22+
}
23+
array(0) {
24+
}
25+
array(0) {
26+
}
27+
array(0) {
28+
}
29+
array(0) {
30+
}
31+
array(1) {
32+
[0]=>
33+
int(%d)
34+
}
35+
array(0) {
36+
}
37+
array(1) {
38+
["a"]=>
39+
int(%d)
40+
}

0 commit comments

Comments
 (0)