Merge branch 'PHP-8.2' into PHP-8.3

* PHP-8.2:
  Fix out of bound writes to SafeArray data

NEWS

@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.3.14
 
+- COM:
+  . Fixed out of bound writes to SafeArray data. (cmb)
+
 - Curl:
   . Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if
     curl_multi_add_handle fails). (timwolla)

ext/com_dotnet/com_variant.c

@@ -26,8 +26,7 @@
 
 /* create an automation SafeArray from a PHP array.
  * Only creates a single-dimensional array of variants.
- * The keys of the PHP hash MUST be numeric.  If the array
- * is sparse, then the gaps will be filled with NULL variants */
+ * The keys of the PHP hash MUST be numeric. */
 static void safe_array_from_zval(VARIANT *v, zval *z, int codepage)
 {
 	SAFEARRAY *sa = NULL;
@@ -71,8 +70,10 @@ static void safe_array_from_zval(VARIANT *v, zval *z, int codepage)
 			break;
 		}
 		zend_hash_get_current_key_ex(Z_ARRVAL_P(z), &strindex, &intindex, &pos);
+		if (intindex < bound.cElements) {
 			php_com_variant_from_zval(&va[intindex], item, codepage);
 		}
+	}
 
 	/* Unlock it and stuff it into our variant */
 	SafeArrayUnaccessData(sa);

ext/com_dotnet/tests/variant_variation.phpt

@@ -0,0 +1,30 @@
+--TEST--
+Testing variant arrays
+--EXTENSIONS--
+com_dotnet
+--FILE--
+<?php
+$arrays = [
+    "order" => [2 => 1, 1 => 2, 0 => 3],
+    "off" => [2 => 1, 1 => 2, 3],
+    "negative" => [-1 => 42],
+];
+foreach ($arrays as $desc => $array) {
+    echo "-- $desc --\n";
+    $v = new variant($array);
+    foreach ($v as $val) {
+        var_dump($val);
+    }
+}
+?>
+--EXPECTF--
+-- order --
+int(3)
+int(2)
+int(1)
+-- off --
+NULL
+int(2)
+int(1)
+-- negative --
+%ANULL