Fix NULL deref on high modification key

We should re-index in the loop.

Closes GH-18331.

NEWS

@@ -17,6 +17,7 @@ PHP                                                                        NEWS
 
 - LDAP:
   . Fixed bug GH-17776 (LDAP_OPT_X_TLS_* options can't be overridden). (Remi)
+  . Fix NULL deref on high modification key. (nielsdos)
 
 - libxml:
   . Fixed custom external entity loader returning an invalid resource leading

ext/ldap/ldap.c

@@ -2785,12 +2785,12 @@ PHP_FUNCTION(ldap_modify_batch)
 	ldap_mods = safe_emalloc((num_mods+1), sizeof(LDAPMod *), 0);
 
 	/* for each modification */
-	for (i = 0; i < num_mods; i++) {
+	i = 0;
+	ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(mods), fetched) {
 		/* allocate the modification struct */
 		ldap_mods[i] = safe_emalloc(1, sizeof(LDAPMod), 0);
 
 		/* fetch the relevant data */
-		fetched = zend_hash_index_find(Z_ARRVAL_P(mods), i);
 		mod = fetched;
 
 		_ldap_hash_fetch(mod, LDAP_MODIFY_BATCH_ATTRIB, &attrib);
@@ -2855,7 +2855,9 @@ PHP_FUNCTION(ldap_modify_batch)
 			/* NULL-terminate values */
 			ldap_mods[i]->mod_bvalues[num_modvals] = NULL;
 		}
-	}
+
+		i++;
+	} ZEND_HASH_FOREACH_END();
 
 	/* NULL-terminate modifications */
 	ldap_mods[num_mods] = NULL;

ext/ldap/tests/ldap_modify_batch_error.phpt

@@ -59,6 +59,16 @@ $mods = array(
     )
 );
 
+var_dump(ldap_modify_batch($link, "dc=my-domain,$base", $mods));
+
+// high key with invalid attribute type
+$mods = [
+    99999 => [
+        "attrib"  => "weirdAttribute",
+        "modtype" => LDAP_MODIFY_BATCH_ADD,
+        "values"  => ["value1"],
+    ],
+];
 var_dump(ldap_modify_batch($link, "dc=my-domain,$base", $mods));
 ?>
 --CLEAN--
@@ -81,3 +91,6 @@ bool(false)
 
 Warning: ldap_modify_batch(): Batch Modify: Undefined attribute type in %s on line %d
 bool(false)
+
+Warning: ldap_modify_batch(): Batch Modify: Undefined attribute type in %s on line %d
+bool(false)