Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3: Fix GH-16357: openssl may modify member types of certificate arrays
2026-03-24 00:02:20 +01:00 · 2024-10-12 16:07:37 +02:00
parent 42f877659d 76a819e7d1
commit 33fab73730
3 changed files with 31 additions and 3 deletions
--- a/4
+++ b/4
@@ -30,6 +30,10 @@ PHP                                                                        NEWS
  . Fixed bug GH-16361 (mb_substr overflow on start/length arguments).
    (David Carlier)

+- OpenSSL:
+  . Fixed bug GH-16357 (openssl may modify member types of certificate arrays).
+    (cmb)
+
 - PHPDBG:
  . Fixed bug GH-16174 (Empty string is an invalid expression for ev). (cmb)

--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -1524,11 +1524,13 @@ static X509 *php_openssl_x509_from_zval(

 	*free_cert = 1;

-	if (!try_convert_to_string(val)) {
+	zend_string *str = zval_try_get_string(val);
+	if (str == NULL) {
 		return NULL;
 	}
-
-	return php_openssl_x509_from_str(Z_STR_P(val), arg_num, is_from_array, option_name);
+	X509 *cert = php_openssl_x509_from_str(str, arg_num, is_from_array, option_name);
+	zend_string_release(str);
+	return cert;
 }
 /* }}} */

--- a/ext/openssl/tests/gh16357.phpt
+++ b/ext/openssl/tests/gh16357.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GH-16357 (openssl may modify member types of certificate arrays)
+--EXTENSIONS--
+openssl
+--FILE--
+<?php
+$infile = __DIR__ . "/cert.crt";
+$outfile = __DIR__ . "/gh16357.txt";
+$certs = [123];
+var_dump(openssl_pkcs7_encrypt($infile, $outfile, $certs, null));
+var_dump($certs);
+?>
+--CLEAN--
+<?php
+unlink(__DIR__ . "/gh16357.txt");
+?>
+--EXPECT--
+bool(false)
+array(1) {
+  [0]=>
+  int(123)
+}