From 443927e3e8a5473b5cea4921f55cddc74fd8d0ee Mon Sep 17 00:00:00 2001
From: Alex Dowad
Date: Mon, 19 Jun 2023 21:50:30 +0200
Subject: [PATCH] Fix GH-11476: crash with count_demerits negative-size-param
Co-authored-by: Ilija Tovilo
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
---
ext/mbstring/mbstring.c | 6 ++++--
ext/mbstring/tests/gh11476.phpt | 12 ++++++++++++
2 files changed, 16 insertions(+), 2 deletions(-)
create mode 100644 ext/mbstring/tests/gh11476.phpt
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 758c00b4261..e052d8e2078 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3083,8 +3083,9 @@ try_next_encoding:
 if (strict) {
 /* This candidate encoding is not valid, eliminate it from consideration */
 length--;
- if (length == 0) {
- return 0;
+ if (i == length) {
+ /* The eliminated candidate was the last valid one in the list */
+ goto next_iteration;
 }
 memmove(&array[i], &array[i+1], (length - i) * sizeof(struct candidate));
 goto try_next_encoding;
@@ -3100,6 +3101,7 @@ try_next_encoding:
 }
 }
 }
+next_iteration: ;
 }
 for (size_t i = 0; i < length; i++) {
diff --git a/ext/mbstring/tests/gh11476.phpt b/ext/mbstring/tests/gh11476.phpt
new file mode 100644
index 00000000000..eb1b66aa6b1
--- /dev/null
+++ b/ext/mbstring/tests/gh11476.phpt
@@ -0,0 +1,12 @@
+--TEST--
+GH-11476: count_demerits negative-size-param
+--EXTENSIONS--
+mbstring
+--FILE--
+
+--EXPECT--
+string(12) "Windows-1252"
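Review bot: In the first mbstring.c hunk, the `memmove` length `(length - i) * sizeof(struct candidate)` is unsigned arithmetic, so it is only safe while `i < length` holds after `length--`; the new `if (i == length)` guard covers the equal case, and I would make the invariant explicit with `ZEND_ASSERT(i < length);` directly before the `memmove` so a later change to the loop cannot silently reintroduce the oversized copy. The removed `if (length == 0) return 0;` also means the case where every candidate is eliminated now leaves through `next_iteration` (second hunk) and depends on loop conditions outside these hunks to stop with `length == 0`; a short comment at the label, e.g. `/* length may be 0 here; the enclosing loop condition must end the scan */`, would record that. The enclosing function begins and ends outside both hunks, so that termination cannot be confirmed from here.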
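Review bot: The `--EXPECT--` section of gh11476.phpt has a single output line, so the test appears to cover only the input that triggered the crash, and that case still ends in a successful detection. Since the same commit removes the `if (length == 0) return 0;` early exit in mbstring.c, I would add a second call in `--FILE--` where strict detection rejects every candidate encoding, with its expected `bool(false)` line, so the all-eliminated path is exercised as well. The `--FILE--` body is not visible in this view, so this is based on the expected output alone.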