php-cve-2025-14178.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

From d8f3aac707341374fa8bffc90b76c0c8b0f6d1b0 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Sun, 9 Nov 2025 13:23:11 +0100
Subject: [PATCH 1/2] Fix GHSA-h96m-rvf9-jgm2

(cherry picked from commit 8b801151bd54b36aae4593ed6cfc096e8122b415)
(cherry picked from commit e4516e52979e8b67d9d35dfdbcc5dc7368263fa2)
(cherry picked from commit 84b83e2979bad57618528d4e669636117022f37c)
---
 ext/standard/array.c                             |  7 ++++++-
 .../tests/array/GHSA-h96m-rvf9-jgm2.phpt         | 16 ++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt

diff --git a/ext/standard/array.c b/ext/standard/array.c
index 09c3a9f256..fd92ef0e8d 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -3778,7 +3778,7 @@ static inline void php_array_merge_or_replace_wrapper(INTERNAL_FUNCTION_PARAMETE
 	} else {
 		zval *src_entry;
 		HashTable *src, *dest;
-		uint32_t count = 0;
+		uint64_t count = 0;
 
 		for (i = 0; i < argc; i++) {
 			zval *arg = args + i;
@@ -3790,6 +3790,11 @@ static inline void php_array_merge_or_replace_wrapper(INTERNAL_FUNCTION_PARAMETE
 			count += zend_hash_num_elements(Z_ARRVAL_P(arg));
 		}
 
+		if (UNEXPECTED(count >= HT_MAX_SIZE)) {
+			zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE);
+			return;
+		}
+
 		arg = args;
 		src  = Z_ARRVAL_P(arg);
 		/* copy first array */
diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
new file mode 100644
index 0000000000..2e3e85357e
--- /dev/null
+++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
@@ -0,0 +1,16 @@
+--TEST--
+GHSA-h96m-rvf9-jgm2
+--FILE--
+<?php
+
+$power = 20; // Chosen to be well within a memory_limit
+$arr = range(0, 2**$power);
+try {
+    array_merge(...array_fill(0, 2**(32-$power), $arr));
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECTF--
+The total number of elements must be lower than %d
-- 
2.53.0

From 143f4339e80c13ffa1b11aae7f629807c9442edc Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 17 Feb 2026 15:48:22 +0100
Subject: [PATCH 2/2] NEWS

---
 NEWS | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/NEWS b/NEWS
index 342c184c30..464f4b55f4 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,11 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 
+Backported from 8.1.34
+
+  . Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()).
+    (CVE-2025-14178) (ndossche)
+
 Backported from 8.1.31
 
 - CLI:
-- 
2.53.0