From c905d5910645b6024faee6ce791ab884e739c767 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Wed, 16 Apr 2025 00:09:35 +0200
Subject: [PATCH] Fix NULL deref on high modification key

We should re-index in the loop. Closes GH-18331.
---
 NEWS | 1 +
 ext/ldap/ldap.c | 8 +++++---
 ext/ldap/tests/ldap_modify_batch_error.phpt | 13 +++++++++++++
 3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index 22ce2f45ecc..ac31131ea9d 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,7 @@ PHP NEWS
 - LDAP:
 . Fixed bug GH-17776 (LDAP_OPT_X_TLS_* options can't be overridden). (Remi)
+ . Fix NULL deref on high modification key. (nielsdos)
 - libxml:
 . Fixed custom external entity loader returning an invalid resource leading
diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
index 1a878bfc584..6c005337346 100644
--- a/ext/ldap/ldap.c
+++ b/ext/ldap/ldap.c
@@ -2785,12 +2785,12 @@ PHP_FUNCTION(ldap_modify_batch)
 ldap_mods = safe_emalloc((num_mods+1), sizeof(LDAPMod *), 0);
 /* for each modification */
- for (i = 0; i < num_mods; i++) {
+ i = 0;
+ ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(mods), fetched) {
 /* allocate the modification struct */
 ldap_mods[i] = safe_emalloc(1, sizeof(LDAPMod), 0);
 /* fetch the relevant data */
- fetched = zend_hash_index_find(Z_ARRVAL_P(mods), i);
 mod = fetched;
 _ldap_hash_fetch(mod, LDAP_MODIFY_BATCH_ATTRIB, &attrib);
@@ -2855,7 +2855,9 @@ PHP_FUNCTION(ldap_modify_batch)
 /* NULL-terminate values */
 ldap_mods[i]->mod_bvalues[num_modvals] = NULL;
 }
- }
+
+ i++;
+ } ZEND_HASH_FOREACH_END();
 /* NULL-terminate modifications */
 ldap_mods[num_mods] = NULL;
diff --git a/ext/ldap/tests/ldap_modify_batch_error.phpt b/ext/ldap/tests/ldap_modify_batch_error.phpt
index bce62cafb27..0ac093b4a03 100644
--- a/ext/ldap/tests/ldap_modify_batch_error.phpt
+++ b/ext/ldap/tests/ldap_modify_batch_error.phpt
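Review bot: In ext/ldap/ldap.c the rewritten loop in ldap_modify_batch advances `i` by hand (`i = 0;` in the first hunk, `i++;` before `ZEND_HASH_FOREACH_END()` in the second), but nothing visible ties its final value to `num_mods`, which sized `ldap_mods` and indexes the terminator `ldap_mods[num_mods] = NULL;`. The loop body between the two hunks and the computation of `num_mods` are outside the hunks; if any path in that body uses `continue`, the trailing `i++` is skipped, one slot is overwritten and the tail of the array stays uninitialised. I would state the invariant right after the loop with `ZEND_ASSERT(i == num_mods);`. A short comment at `i = 0;`, such as `/* i counts visited entries; array keys are not used as indices */`, would record why the key is no longer used for lookup.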
@@ -59,6 +59,16 @@ $mods = array(
 )
 );
+var_dump(ldap_modify_batch($link, "dc=my-domain,$base", $mods));
+
+// high key with invalid attribute type
+$mods = [
+ 99999 => [
+ "attrib" => "weirdAttribute",
+ "modtype" => LDAP_MODIFY_BATCH_ADD,
+ "values" => ["value1"],
+ ],
+];
 var_dump(ldap_modify_batch($link, "dc=my-domain,$base", $mods));
 ?>
 --CLEAN--
@@ -81,3 +91,6 @@ bool(false)
 Warning: ldap_modify_batch(): Batch Modify: Undefined attribute type in %s on line %d
 bool(false)
+
+Warning: ldap_modify_batch(): Batch Modify: Undefined attribute type in %s on line %d
+bool(false)
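Review bot: The new case in ldap_modify_batch_error.phpt (first hunk) passes a single entry under key 99999, so the re-indexed counter in the C loop never moves past slot 0. A sparse array with two entries, for example keys `5` and `99999`, would also exercise the increment and the placement of the NULL terminator; the expected output for that case would need confirming against a test server. A one-line comment above `$mods` naming GH-18331 would tie the case to the report.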