From b7702525bc4a540eb36f392a13461971a1bac31a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@tideways-gmbh.com>
Date: Sun, 3 May 2026 20:02:57 +0200
Subject: [PATCH 4/6] GHSA-96wq-48vp-hh57: [metaphone] Fix signed integer
 overflow of char array offset

Fixes GHSA-96wq-48vp-hh57
Fixes CVE-2026-7568

(cherry picked from commit 47def8ce1db1fdbffcfc1f5bb11877a0e22d4b32)
(cherry picked from commit e4fc187a011d91f26178f6dfbccdb07041b99153)
(cherry picked from commit 53de456406a6db5a8bcded8a4b242789ae5b2690)
(cherry picked from commit 909c2acc64d72bd57123b30e711c02aef0c08d14)

[skip ci] Adjust credits for GHSA-96wq-48vp-hh57.phpt

As requested by the reporter.

(cherry picked from commit fee84dd8c7699e4e7f9b2e864a393ee5a372f974)
(cherry picked from commit 101e93900888ef43d42ec0e33866bca3824f51a8)
(cherry picked from commit 41134d0746a524d7265b67d3d8d0fd433fd7479a)
(cherry picked from commit b40b656c0fe8080f9cd097bf77b7a3681ea3e7a0)
(cherry picked from commit 9e4b7c856c57deda7b7887da7978328ec8b57187)
---
 ext/standard/metaphone.c                    |  6 +++---
 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 22 +++++++++++++++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt

diff --git a/ext/standard/metaphone.c b/ext/standard/metaphone.c
index def371b523..70453ee447 100644
--- a/ext/standard/metaphone.c
+++ b/ext/standard/metaphone.c
@@ -124,10 +124,10 @@ char _codes[26] =
 
 /* Allows us to safely look ahead an arbitrary # of letters */
 /* I probably could have just used strlen... */
-static char Lookahead(char *word, int how_far)
+static char Lookahead(char *word, size_t how_far)
 {
 	char letter_ahead = '\0';	/* null by default */
-	int idx;
+	size_t idx;
 	for (idx = 0; word[idx] != '\0' && idx < how_far; idx++);
 	/* Edge forward in the string... */
 
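Review bot: The scan loop in Lookahead(), `for (idx = 0; word[idx] != '\0' && idx < how_far; idx++);`, is bounded only by a NUL byte and `how_far`, so the "safely look ahead" claim still depends on `word` being NUL-terminated. Widening `idx` to `size_t` removes the signed wraparound but adds no length bound. I would state that contract next to the existing comment, e.g. `/* word must be NUL-terminated; how_far is an unsigned count of bytes to step forward */`. Because `how_far` is now unsigned, a negative argument at any call site would convert to a very large count; the call sites are outside this hunk, so that is worth confirming. The function body continues past the end of the hunk.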
@@ -169,7 +169,7 @@ static char Lookahead(char *word, int how_far)
  */
 static int metaphone(unsigned char *word, size_t word_len, zend_long max_phonemes, zend_string **phoned_word, int traditional)
 {
-	int w_idx = 0;				/* point in the phonization we're at. */
+	size_t w_idx = 0;				/* point in the phonization we're at. */
 	size_t p_idx = 0;				/* end of the phoned phrase */
 	size_t max_buffer_len = 0;		/* maximum length of the destination buffer */
 
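Review bot: With `w_idx` now `size_t`, any expression in metaphone() that subtracts from it or compares it with a signed value will wrap or be converted to unsigned instead of going negative. The code that uses `w_idx` is outside this hunk, so I cannot confirm from here that every use is safe. It is worth checking that each look-back access is guarded by an explicit `w_idx >= n` style test, and building this file with `-Wsign-compare -Wconversion` to surface mixed-sign uses. The comment `/* point in the phonization we're at. */` could also note that the index ranges over `word_len` bytes, which is why it must be `size_t`.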
diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
new file mode 100644
index 0000000000..cf9a40062f
--- /dev/null
+++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GHSA-96wq-48vp-hh57: signed integer overflow of char array offset
+--CREDITS--
+Aleksey Solovev (Positive Technologies)
+--INI--
+memory_limit=3G
+--SKIPIF--
+<?php
+if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
+if (getenv('SKIP_SLOW_TESTS')) die('skip slow test');
+if (PHP_INT_SIZE != 8) echo 'skip 64-bit only';
+?>
+--FILE--
+<?php
+
+$str = str_repeat('0', 2 * (1024 ** 3) - 2) . 'AE';
+metaphone($str, 1);
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
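Review bot: The last SKIPIF check, `if (PHP_INT_SIZE != 8) echo 'skip 64-bit only';`, uses `echo` where the two checks above it use `die(...)`. It works only because it is the final statement; a check appended after it later would still run on 32-bit. Use `if (PHP_INT_SIZE != 8) die('skip 64-bit only');` for consistency. The test also asserts only that the script reaches `===DONE===`, so on a build without sanitizers it presumably catches a regression only if the bad offset crashes the process. A one-line comment in the `--FILE--` section saying that `'AE'` is deliberately placed as the last two bytes of a 2 GiB string would help the next person who edits the sizes.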
-- 
2.54.0