From 4bbbe6d6525165f6fd74b7ae59fdf5ec08278816 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 14 Jan 2023 21:01:22 +0100
Subject: [PATCH 1/3] Fix substr_replace with slots in repl_ht being UNDEF
The check that was supposed to check whether the array slot was UNDEF was wrong and never triggered. This resulted in a replacement with the empty string or the wrong string instead of the correct one. The correct check pattern can be observed higher up in the function's code.
Closes GH-10323
Signed-off-by: George Peter Banyard
---
 NEWS | 1 +
 ext/standard/string.c | 2 +-
 .../strings/substr_replace_array_unset.phpt | 27 +++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/strings/substr_replace_array_unset.phpt
diff --git a/NEWS b/NEWS
index 4145102b338..9b57198a8db 100644
--- a/NEWS
+++ b/NEWS
@@ -48,6 +48,7 @@ PHP NEWS
 - Standard:
 . Fix GH-10187 (Segfault in stripslashes() with arm64). (nielsdos)
+ . Fix substr_replace with slots in repl_ht being UNDEF. (nielsdos)
 - TSRM:
 . Fixed Windows shmget() wrt. IPC_PRIVATE. (Tyson Andre)
diff --git a/ext/standard/string.c b/ext/standard/string.c
index e171448f243..643094263bf 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -2472,7 +2472,7 @@ PHP_FUNCTION(substr_replace)
 if (repl_ht) {
 while (repl_idx < repl_ht->nNumUsed) {
 tmp_repl = &repl_ht->arData[repl_idx].val;
- if (repl_ht != IS_UNDEF) {
+ if (Z_TYPE_P(tmp_repl) != IS_UNDEF) {
 break;
 }
 repl_idx++;
diff --git a/ext/standard/tests/strings/substr_replace_array_unset.phpt b/ext/standard/tests/strings/substr_replace_array_unset.phpt
new file mode 100644
index 00000000000..ff253d39844
--- /dev/null
+++ b/ext/standard/tests/strings/substr_replace_array_unset.phpt
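Review bot: In ext/standard/string.c, the skip loop in substr_replace still leaves `tmp_repl` pointing at the last slot it examined when every remaining slot is IS_UNDEF, so the code after the loop has to re-test `repl_idx < repl_ht->nNumUsed` before it reads `tmp_repl`. That code lies outside the hunk, as do the start and end of the function, so it should be confirmed there. The old test `repl_ht != IS_UNDEF` compared the table pointer with a type tag and evidently compiled, which is how this copy drifted from the pattern the commit message says exists higher up in the function. I would add a comment above the loop, `/* skip slots left IS_UNDEF by unset(); tmp_repl is valid only while repl_idx < nNumUsed */`, so the invariant is stated where the next copy will be made.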
@@ -0,0 +1,27 @@
+--TEST--
+substr_replace() function - array with unset
+--FILE--
+ 'bar', 'baz'];
+unset($replacement[42]);
+$newarr = substr_replace(['1 string', '2 string'], $replacement, 0);
+print_r($newarr);
+
+?>
+--EXPECT--
+Array
+(
+ [0] => A
+ [1] => B
+)
+Array
+(
+ [0] => foo
+ [1] => baz
+)
From 11a1feb0d767ecd3946fcf361185fe04c1b7a135 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 14 Jan 2023 23:38:38 +0100
Subject: [PATCH 2/3] Fix missing check for xmlTextWriterEndElement
xmlTextWriterEndElement returns -1 if the call fails. There was already a check for retval, but the return value wasn't assigned to retval. The other caller of xmlTextWriterEndElement is in xmlwriter_write_element_ns, which does the check correctly.
Closes GH-10324
Signed-off-by: George Peter Banyard
---
 NEWS | 3 +++
 ext/xmlwriter/php_xmlwriter.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 9b57198a8db..88c58842899 100644
--- a/NEWS
+++ b/NEWS
@@ -53,6 +53,9 @@ PHP NEWS
 - TSRM:
 . Fixed Windows shmget() wrt. IPC_PRIVATE. (Tyson Andre)
+- XMLWriter
+ . Fix missing check for xmlTextWriterEndElement (nielsdos)
+ 05 Jan 2023, PHP 8.1.14
 - Core:
diff --git a/ext/xmlwriter/php_xmlwriter.c b/ext/xmlwriter/php_xmlwriter.c
index e9a3dff2781..24ce414034a 100644
--- a/ext/xmlwriter/php_xmlwriter.c
+++ b/ext/xmlwriter/php_xmlwriter.c
@@ -449,7 +449,7 @@ PHP_FUNCTION(xmlwriter_write_element)
 if (retval == -1) {
 RETURN_FALSE;
 }
- xmlTextWriterEndElement(ptr);
+ retval = xmlTextWriterEndElement(ptr);
 if (retval == -1) {
 RETURN_FALSE;
 }
From 347b7c3628e0d2be87a05d8760124c9c71f29d51 Mon Sep 17 00:00:00 2001
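Review bot: In ext/xmlwriter/php_xmlwriter.c, `retval` remains a shared status variable reused across consecutive libxml2 calls in xmlwriter_write_element, and the defect fixed here was exactly a check reading the stale value left by the previous call. Testing the call directly, `if (xmlTextWriterEndElement(ptr) == -1) {`, removes the possibility of the assignment being dropped again. The diffstat lists only NEWS and php_xmlwriter.c, so no regression test covers a failing end-element call. The function body starts and ends outside the hunk.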
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sun, 15 Jan 2023 15:05:36 +0100
Subject: [PATCH 3/3] Fix wrong flags check for compression method in phar_object.c
I found this issue using static analysis tools, it reported that the condition was always false. We can see that flags is assigned in the switch statement above, but a mistake was made in the comparison.
Closes GH-10328
Signed-off-by: George Peter Banyard
---
 NEWS | 3 +++
 ext/phar/phar_object.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 88c58842899..5c5cd7e73a1 100644
--- a/NEWS
+++ b/NEWS
@@ -38,6 +38,9 @@ PHP NEWS
 . Fix zend_jit_find_trace() crashes. (Max Kellermann)
 . Added missing lock for EXIT_INVALIDATE in zend_jit_trace_exit. (Max Kellermann)
+- Phar:
+ . Fix wrong flags check for compression method in phar_object.c (nielsdos)
+ - PHPDBG:
 . Fix undefined behaviour in phpdbg_load_module_or_extension(). (nielsdos)
 . Fix NULL pointer dereference in phpdbg_create_conditional_breal(). (nielsdos)
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 448d03b7cc7..e32b530b822 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -3312,7 +3312,7 @@ PHP_METHOD(Phar, compressFiles)
 }
 if (!pharobj_cancompress(&phar_obj->archive->manifest)) {
- if (flags == PHAR_FILE_COMPRESSED_GZ) {
+ if (flags == PHAR_ENT_COMPRESSED_GZ) {
 zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Cannot compress all files as Gzip, some are compressed as bzip2 and cannot be decompressed");
 } else {
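Review bot: In ext/phar/phar_object.c, nothing at the comparison `flags == PHAR_ENT_COMPRESSED_GZ` says which constant family `flags` holds. The commit message reports that the previous `PHAR_FILE_COMPRESSED_GZ` test was always false, so the Gzip message was unreachable and the `else` branch ran instead. A one-line comment such as `/* flags is a PHAR_ENT_COMPRESSED_* value set by the switch above */` would make the next mix-up visible in review. The diffstat shows only NEWS and phar_object.c changed, so no test asserts the Gzip wording on the corrected branch. Phar::compressFiles continues outside the hunk, and any other comparisons of `flags` there are worth checking for the same mistake.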