diff --git a/NEWS b/NEWS
index c25f71fa0b4..55ffb0a1e1a 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.2.26
+- COM:
+ . Fixed out of bound writes to SafeArray data. (cmb)
+
 - Curl:
 . Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if
 curl_multi_add_handle fails). (timwolla)
diff --git a/ext/com_dotnet/com_variant.c b/ext/com_dotnet/com_variant.c
index b40ac6a5c31..edb9d771aea 100644
--- a/ext/com_dotnet/com_variant.c
+++ b/ext/com_dotnet/com_variant.c
@@ -26,8 +26,7 @@
 /* create an automation SafeArray from a PHP array.
 * Only creates a single-dimensional array of variants.
- * The keys of the PHP hash MUST be numeric. If the array
- * is sparse, then the gaps will be filled with NULL variants */
+ * The keys of the PHP hash MUST be numeric. */
 static void safe_array_from_zval(VARIANT *v, zval *z, int codepage)
 {
 SAFEARRAY *sa = NULL;
@@ -71,7 +70,9 @@ static void safe_array_from_zval(VARIANT *v, zval *z, int codepage)
 break;
 }
 zend_hash_get_current_key_ex(Z_ARRVAL_P(z), &strindex, &intindex, &pos);
- php_com_variant_from_zval(&va[intindex], item, codepage);
+ if (intindex < bound.cElements) {
+ php_com_variant_from_zval(&va[intindex], item, codepage);
+ }
 }
 /* Unlock it and stuff it into our variant */
diff --git a/ext/com_dotnet/tests/variant_variation.phpt b/ext/com_dotnet/tests/variant_variation.phpt
new file mode 100644
index 00000000000..c1f821715a1
--- /dev/null
+++ b/ext/com_dotnet/tests/variant_variation.phpt
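Review bot: The rewritten header comment of safe_array_from_zval drops the sentence about sparse arrays without saying what happens to them now. Going by the guard added further down in this file and the expected output of the new test, an element whose key is not below the element count is skipped and a slot with no matching key stays empty. The comment should state that contract, for example ` * Elements whose key is >= the element count are dropped; slots without a matching key stay empty.` The function body continues outside this hunk.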
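Review bot: The new `if (intindex < bound.cElements)` guard stops the out-of-bounds store but discards the element without any diagnostic, so a caller passing a sparse or offset array receives a SafeArray that silently lacks data. Unless the part of the function outside this hunk already reports it, an else branch such as `} else { php_error_docref(NULL, E_WARNING, "COM: array key out of range, element skipped"); }` would make the loss visible. The guard also appears to rely on `intindex` being unsigned, so that a negative PHP key compares as a large value. Its declaration and the assignment of `bound.cElements` are not in the hunk, so a one-line comment at the check stating that assumption would help the next reader.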
@@ -0,0 +1,30 @@
+--TEST--
+Testing variant arrays
+--EXTENSIONS--
+com_dotnet
+--FILE--
+ [2 => 1, 1 => 2, 0 => 3],
+ "off" => [2 => 1, 1 => 2, 3],
+ "negative" => [-1 => 42],
+];
+foreach ($arrays as $desc => $array) {
+ echo "-- $desc --\n";
+ $v = new variant($array);
+ foreach ($v as $val) {
+ var_dump($val);
+ }
+}
+?>
+--EXPECTF--
+-- order --
+int(3)
+int(2)
+int(1)
+-- off --
+NULL
+int(2)
+int(1)
+-- negative --
+%ANULL
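Review bot: The `%ANULL` expectation in the "negative" case accepts any output before `NULL`, so an unexpected warning or a stray dump would still pass. If the wildcard is there to absorb a diagnostic that only appears on some platforms (an inference; the test does not say), a short comment in the --FILE-- section should state that, or the expectation should match the message with a narrower pattern. As written, the test pins the in-range behaviour of the "order" and "off" cases precisely but leaves the negative-key case loosely checked.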