Merge branch 'PHP-8.5'

iluuu1994 · iluuu1994 · commit 63dcfb4eaa30 · 2026-05-06T13:06:54.000+02:00
* PHP-8.5: GHSA-96wq-48vp-hh57: [metaphone] Fix signed integer overflow of char array offset
diff --git a/ext/standard/metaphone.c b/ext/standard/metaphone.c
@@ -126,9 +126,9 @@ static zend_always_inline char encode(char c) {
 
 /* Allows us to safely look ahead an arbitrary # of letters */
 /* I probably could have just used strlen... */
-static char Lookahead(char *word, int how_far)
+static char Lookahead(char *word, size_t how_far)
 {
-	int idx;
+	size_t idx;
 	for (idx = 0; word[idx] != '\0' && idx < how_far; idx++);
 	/* Edge forward in the string... */
 
@@ -168,7 +168,7 @@ static char Lookahead(char *word, int how_far)
 /* {{{ metaphone */
 static void metaphone(unsigned char *word, size_t word_len, zend_long max_phonemes, zend_string **phoned_word, int traditional)
 {
-	int w_idx = 0;				/* point in the phonization we're at. */
+	size_t w_idx = 0;				/* point in the phonization we're at. */
 	size_t p_idx = 0;				/* end of the phoned phrase */
 	size_t max_buffer_len = 0;		/* maximum length of the destination buffer */
 	char curr_letter;
diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GHSA-96wq-48vp-hh57: signed integer overflow of char array offset
+--CREDITS--
+012git012
+--INI--
+memory_limit=3G
+--SKIPIF--
+<?php
+if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
+if (getenv('SKIP_SLOW_TESTS')) die('skip slow test');
+if (PHP_INT_SIZE != 8) echo 'skip 64-bit only';
+?>
+--FILE--
+<?php
+
+$str = str_repeat('0', 2 * (1024 ** 3) - 2) . 'AE';
+metaphone($str, 1);
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
