From 2aeb356c75e3a25967de6a68c263bcf77185126d Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Thu, 18 Dec 2025 09:25:40 +0100
Subject: Fix Null byte termination in dns_get_record()

  GHSA-www2-q4fc-65wf
Fix Heap buffer overflow in array_merge()
  CVE-2025-14178
Fix Information Leak of Memory in getimagesize
  CVE-2025-14177
---
 php-cve-2025-14178.patch | 63 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 php-cve-2025-14178.patch

(limited to 'php-cve-2025-14178.patch')

diff --git a/php-cve-2025-14178.patch b/php-cve-2025-14178.patch
new file mode 100644
index 0000000..572454b
--- /dev/null
+++ b/php-cve-2025-14178.patch
@@ -0,0 +1,63 @@
+From 84b83e2979bad57618528d4e669636117022f37c Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
+Date: Sun, 9 Nov 2025 13:23:11 +0100
+Subject: [PATCH 3/5] Fix GHSA-h96m-rvf9-jgm2
+
+(cherry picked from commit 8b801151bd54b36aae4593ed6cfc096e8122b415)
+(cherry picked from commit e4516e52979e8b67d9d35dfdbcc5dc7368263fa2)
+---
+ ext/standard/array.c                             |  7 ++++++-
+ .../tests/array/GHSA-h96m-rvf9-jgm2.phpt         | 16 ++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+
+diff --git a/ext/standard/array.c b/ext/standard/array.c
+index cd2e5287daf..153a4d39d15 100644
+--- a/ext/standard/array.c
++++ b/ext/standard/array.c
+@@ -3813,7 +3813,7 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
+ 	int argc, i;
+ 	zval *src_entry;
+ 	HashTable *src, *dest;
+-	uint32_t count = 0;
++	uint64_t count = 0;
+ 
+ 	ZEND_PARSE_PARAMETERS_START(0, -1)
+ 		Z_PARAM_VARIADIC('+', args, argc)
+@@ -3833,6 +3833,11 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
+ 		count += zend_hash_num_elements(Z_ARRVAL_P(arg));
+ 	}
+ 
++	if (UNEXPECTED(count >= HT_MAX_SIZE)) {
++		zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE);
++		return;
++	}
++
+ 	if (argc == 2) {
+ 		zval *ret = NULL;
+ 
+diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+new file mode 100644
+index 00000000000..2e3e85357e1
+--- /dev/null
++++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++GHSA-h96m-rvf9-jgm2
++--FILE--
++<?php
++
++$power = 20; // Chosen to be well within a memory_limit
++$arr = range(0, 2**$power);
++try {
++    array_merge(...array_fill(0, 2**(32-$power), $arr));
++} catch (Error $e) {
++    echo $e->getMessage(), "\n";
++}
++
++?>
++--EXPECTF--
++The total number of elements must be lower than %d
+-- 
+2.52.0
+
-- 
cgit