diff options
| author | Remi Collet <remi@remirepo.net> | 2025-12-18 09:25:40 +0100 |
|---|---|---|
| committer | Remi Collet <remi@php.net> | 2025-12-18 09:25:40 +0100 |
| commit | 2aeb356c75e3a25967de6a68c263bcf77185126d (patch) | |
| tree | 077b46bf467c88fa692ce5994408377530395dfe /php-cve-2025-14178.patch | |
| parent | 0a0d5b048d0376fbd73096b0c08426a6a52c9991 (diff) | |
GHSA-www2-q4fc-65wf
Fix Heap buffer overflow in array_merge()
CVE-2025-14178
Fix Information Leak of Memory in getimagesize
CVE-2025-14177
Diffstat (limited to 'php-cve-2025-14178.patch')
| -rw-r--r-- | php-cve-2025-14178.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/php-cve-2025-14178.patch b/php-cve-2025-14178.patch new file mode 100644 index 0000000..572454b --- /dev/null +++ b/php-cve-2025-14178.patch @@ -0,0 +1,63 @@ +From 84b83e2979bad57618528d4e669636117022f37c Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+ndossche@users.noreply.github.com> +Date: Sun, 9 Nov 2025 13:23:11 +0100 +Subject: [PATCH 3/5] Fix GHSA-h96m-rvf9-jgm2 + +(cherry picked from commit 8b801151bd54b36aae4593ed6cfc096e8122b415) +(cherry picked from commit e4516e52979e8b67d9d35dfdbcc5dc7368263fa2) +--- + ext/standard/array.c | 7 ++++++- + .../tests/array/GHSA-h96m-rvf9-jgm2.phpt | 16 ++++++++++++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt + +diff --git a/ext/standard/array.c b/ext/standard/array.c +index cd2e5287daf..153a4d39d15 100644 +--- a/ext/standard/array.c ++++ b/ext/standard/array.c +@@ -3813,7 +3813,7 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET + int argc, i; + zval *src_entry; + HashTable *src, *dest; +- uint32_t count = 0; ++ uint64_t count = 0; + + ZEND_PARSE_PARAMETERS_START(0, -1) + Z_PARAM_VARIADIC('+', args, argc) +@@ -3833,6 +3833,11 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET + count += zend_hash_num_elements(Z_ARRVAL_P(arg)); + } + ++ if (UNEXPECTED(count >= HT_MAX_SIZE)) { ++ zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE); ++ return; ++ } ++ + if (argc == 2) { + zval *ret = NULL; + +diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt +new file mode 100644 +index 00000000000..2e3e85357e1 +--- /dev/null ++++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++GHSA-h96m-rvf9-jgm2 ++--FILE-- ++<?php ++ ++$power = 20; // Chosen to be well within a memory_limit ++$arr = range(0, 2**$power); ++try { ++ array_merge(...array_fill(0, 2**(32-$power), $arr)); ++} catch (Error $e) { ++ echo $e->getMessage(), "\n"; ++} ++ ++?> ++--EXPECTF-- ++The total number of elements must be lower than %d +-- +2.52.0 + |