Merge branch 'PHP-8.2' into PHP-8.3

* PHP-8.2: Fix crash when converting array data for array in shm in xxh3
2026-03-24 00:02:20 +01:00 · 2024-08-05 22:07:01 +02:00
parent e681d933d4 ca84662c87
commit c38c6acfa8
3 changed files with 24 additions and 3 deletions
--- a/3
+++ b/3
@@ -23,6 +23,9 @@ PHP                                                                        NEWS
  . Fixed bug GH-14286 (ffi enum type (when enum has no name) make memory
    leak). (nielsdos, dstogov)

+- Hash:
+  . Fix crash when converting array data for array in shm in xxh3. (nielsdos)
+
 - Intl:
  . Fixed bug GH-15087 (IntlChar::foldCase()'s $option is not optional). (cmb)

--- a/ext/hash/hash_xxhash.c
+++ b/ext/hash/hash_xxhash.c
@@ -174,11 +174,14 @@ zend_always_inline static void _PHP_XXH3_Init(PHP_XXH3_64_CTX *ctx, HashTable *a
 			func_init_seed(&ctx->s, (XXH64_hash_t)Z_LVAL_P(_seed));
 			return;
 		} else if (_secret) {
-			if (!try_convert_to_string(_secret)) {
+			zend_string *secret_string = zval_try_get_string(_secret);
+			if (UNEXPECTED(!secret_string)) {
+				ZEND_ASSERT(EG(exception));
 				return;
 			}
-			size_t len = Z_STRLEN_P(_secret);
+			size_t len = ZSTR_LEN(secret_string);
 			if (len < PHP_XXH3_SECRET_SIZE_MIN) {
+				zend_string_release(secret_string);
 				zend_throw_error(NULL, "%s: Secret length must be >= %u bytes, %zu bytes passed", algo_name, XXH3_SECRET_SIZE_MIN, len);
 				return;
 			}
@@ -186,7 +189,8 @@ zend_always_inline static void _PHP_XXH3_Init(PHP_XXH3_64_CTX *ctx, HashTable *a
 				len = sizeof(ctx->secret);
 				php_error_docref(NULL, E_WARNING, "%s: Secret content exceeding %zu bytes discarded", algo_name, sizeof(ctx->secret));
 			}
-			memcpy((unsigned char *)ctx->secret, Z_STRVAL_P(_secret), len);
+			memcpy((unsigned char *)ctx->secret, ZSTR_VAL(secret_string), len);
+			zend_string_release(secret_string);
 			func_init_secret(&ctx->s, ctx->secret, len);
 			return;
 		}
--- a/ext/hash/tests/xxh3_convert_secret_to_string.phpt
+++ b/ext/hash/tests/xxh3_convert_secret_to_string.phpt
@@ -0,0 +1,14 @@
+--TEST--
+xxh3 convert secret to string should not modify (shm) array
+--FILE--
+<?php
+try {
+	hash_init("xxh3", options: $x = ["secret" => 4]);
+} catch (Throwable) {}
+var_dump($x);
+?>
+--EXPECT--
+array(1) {
+  ["secret"]=>
+  int(4)
+}