From ed8b11188b0304b76cc832b90089bf22006bc5e3 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Wed, 15 Jan 2025 14:59:56 +0100
Subject: [PATCH] Fix potential OOB when checking for trailing spaces

If `path_len` is zero, we must not access `path`, let alone try to
subtract `-1` from it.

Since `path` and `path_len` are supposed to come from a `zend_string`,
this is not a security issue.

Closes GH-17471.
---
 NEWS            | 1 +
 win32/winutil.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index b67570a309a..5de1b803299 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,7 @@ PHP                                                                        NEWS
     inherited final). (ilutov)
   . Fixed NULL arithmetic during system program execution on Windows. (cmb,
     nielsdos)
+  . Fixed potential OOB when checking for trailing spaces on Windows. (cmb)
 
 - Enchant:
   . Fix crashes in enchant when passing null bytes. (nielsdos)
diff --git a/win32/winutil.c b/win32/winutil.c
index e09944d131b..35cc0fc4e2e 100644
--- a/win32/winutil.c
+++ b/win32/winutil.c
@@ -56,7 +56,7 @@ PHP_WINUTIL_API void php_win32_error_msg_free(char *msg)
 
 int php_win32_check_trailing_space(const char * path, const size_t path_len)
 {/*{{{*/
-	if (path_len > MAXPATHLEN - 1) {
+	if (path_len == 0 || path_len > MAXPATHLEN - 1) {
 		return 1;
 	}
 	if (path) {