path: root/php-cve-2026-7568.patch
blob: 68c1de660ce237509fc0b88b89b0a7d58078df1d (plain)
From e4fc187a011d91f26178f6dfbccdb07041b99153 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@tideways-gmbh.com>
Date: Sun, 3 May 2026 20:02:57 +0200
Subject: [PATCH 06/10] GHSA-96wq-48vp-hh57: [metaphone] Fix signed integer
 overflow of char array offset

Fixes GHSA-96wq-48vp-hh57
Fixes CVE-2026-7568

(cherry picked from commit 47def8ce1db1fdbffcfc1f5bb11877a0e22d4b32)
---
 ext/standard/metaphone.c                    |  6 +++---
 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 22 +++++++++++++++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt

diff --git a/ext/standard/metaphone.c b/ext/standard/metaphone.c
index 2ba7a839c88..7affde44de1 100644
--- a/ext/standard/metaphone.c
+++ b/ext/standard/metaphone.c
@@ -117,10 +117,10 @@ static const char _codes[26] =
 
 /* Allows us to safely look ahead an arbitrary # of letters */
 /* I probably could have just used strlen... */
-static char Lookahead(char *word, int how_far)
+static char Lookahead(char *word, size_t how_far)
 {
 	char letter_ahead = '\0';	/* null by default */
-	int idx;
+	size_t idx;
 	for (idx = 0; word[idx] != '\0' && idx < how_far; idx++);
 	/* Edge forward in the string... */
 
@@ -161,7 +161,7 @@ static char Lookahead(char *word, int how_far)
 /* {{{ metaphone */
 static void metaphone(unsigned char *word, size_t word_len, zend_long max_phonemes, zend_string **phoned_word, int traditional)
 {
-	int w_idx = 0;				/* point in the phonization we're at. */
+	size_t w_idx = 0;				/* point in the phonization we're at. */
 	size_t p_idx = 0;				/* end of the phoned phrase */
 	size_t max_buffer_len = 0;		/* maximum length of the destination buffer */
 	ZEND_ASSERT(word != NULL);
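Review bot: Widening `w_idx` to `size_t` here (and `how_far`/`idx` in the `Lookahead` hunk above) removes the signed overflow, but any expression outside these hunks that subtracts from `w_idx` or compares it with a signed value now wraps to a very large offset instead of going negative. The rest of `metaphone()` and the look-back/look-ahead helpers it uses are not visible in this patch, so this needs confirming in the full file: every backward read should be guarded by a check of the form `w_idx >= n` before `word[w_idx - n]` is evaluated. I would also record the reason for the type at the declaration, e.g. `/* size_t: word_len can exceed INT_MAX, a signed index overflows (GHSA-96wq-48vp-hh57) */`. In `Lookahead`, the "could have just used strlen" remark could give way to a short contract comment stating what is returned when the string ends before `how_far`; its body continues past the hunk, so the exact wording should be taken from the full function.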
diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
new file mode 100644
index 00000000000..79c6b656733
--- /dev/null
+++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GHSA-96wq-48vp-hh57: signed integer overflow of char array offset
+--CREDITS--
+012git012
+--INI--
+memory_limit=3G
+--SKIPIF--
+<?php
+if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
+if (getenv('SKIP_SLOW_TESTS')) die('skip slow test');
+if (PHP_INT_SIZE != 8) echo 'skip 64-bit only';
+?>
+--FILE--
+<?php
+
+$str = str_repeat('0', 2 * (1024 ** 3) - 2) . 'AE';
+metaphone($str, 1);
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
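Review bot: The third SKIPIF check uses `echo 'skip 64-bit only';` while the two lines above it use `die(...)`; it only works because it is the last statement, so `if (PHP_INT_SIZE != 8) die('skip 64-bit only');` would keep the section consistent and robust if more checks are added later. Because the test is skipped unless `RUN_RESOURCE_HEAVY_TESTS` is set, and it needs the 3G `memory_limit` it declares, a default test run of this backport never exercises the fix. Anyone validating the patched package should run this file explicitly with that variable set. The test asserts only that `===DONE===` is printed, so a sanitizer-enabled build gives a stronger signal than a plain build that the overflowing offset is gone.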
-- 
2.54.0

From 101e93900888ef43d42ec0e33866bca3824f51a8 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Wed, 6 May 2026 16:33:44 +0200
Subject: [PATCH 09/10] [skip ci] Adjust credits for GHSA-96wq-48vp-hh57.phpt

As requested by the reporter.

(cherry picked from commit fee84dd8c7699e4e7f9b2e864a393ee5a372f974)
---
 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
index 79c6b656733..cf9a40062f8 100644
--- a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
@@ -1,7 +1,7 @@
 --TEST--
 GHSA-96wq-48vp-hh57: signed integer overflow of char array offset
 --CREDITS--
-012git012
+Aleksey Solovev (Positive Technologies)
 --INI--
 memory_limit=3G
 --SKIPIF--
-- 
2.54.0