Merge branch 'PHP-8.4'

* PHP-8.4: Fix out of bound writes to SafeArray data
2025-08-16 05:58:45 +02:00 · 2024-10-09 21:16:52 +02:00 · 2024-10-09 21:16:52 +02:00 · 8ca1313e38
commit 8ca1313e38
parent 41996e8d4f 42a2b046fe
2 changed files with 34 additions and 3 deletions
--- a/ext/com_dotnet/com_variant.c
+++ b/ext/com_dotnet/com_variant.c
@ -26,8 +26,7 @@

 /* create an automation SafeArray from a PHP array.
 * Only creates a single-dimensional array of variants.
- * The keys of the PHP hash MUST be numeric.  If the array
- * is sparse, then the gaps will be filled with NULL variants */
+ * The keys of the PHP hash MUST be numeric. */
 static void safe_array_from_zval(VARIANT *v, zval *z, int codepage)
 {
 	SAFEARRAY *sa = NULL;
@ -71,8 +70,10 @@ static void safe_array_from_zval(VARIANT *v, zval *z, int codepage)
 			break;
 		}
 		zend_hash_get_current_key_ex(Z_ARRVAL_P(z), &strindex, &intindex, &pos);
+		if (intindex < bound.cElements) {
 			php_com_variant_from_zval(&va[intindex], item, codepage);
 		}
+	}

 	/* Unlock it and stuff it into our variant */
 	SafeArrayUnaccessData(sa);
--- a/ext/com_dotnet/tests/variant_variation.phpt
+++ b/ext/com_dotnet/tests/variant_variation.phpt
@ -0,0 +1,30 @@
+--TEST--
+Testing variant arrays
+--EXTENSIONS--
+com_dotnet
+--FILE--
+<?php
+$arrays = [
+    "order" => [2 => 1, 1 => 2, 0 => 3],
+    "off" => [2 => 1, 1 => 2, 3],
+    "negative" => [-1 => 42],
+];
+foreach ($arrays as $desc => $array) {
+    echo "-- $desc --\n";
+    $v = new variant($array);
+    foreach ($v as $val) {
+        var_dump($val);
+    }
+}
+?>
+--EXPECTF--
+-- order --
+int(3)
+int(2)
+int(1)
+-- off --
+NULL
+int(2)
+int(1)
+-- negative --
+%ANULL