mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

php 8.2.29: Fix CVE-2025-14178

Browse Source 
Upstream Repository: https://github.com/php/php-src.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14178
Type: Security Fix
CVE: CVE-2025-14178
Score: 8.2
Patch: https://github.com/php/php-src/commit/c4268c15e361

Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Anil Dongare
2026-02-04 03:43:00 -08:00
committed by Anuj Mittal
parent 561e0e911f
commit 4750244921
2 changed files with 66 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-devtools/php/php/CVE-2025-14178.patch
+65
View File
@@ -0,0 +1,65 @@
From a46c3692d37f8c539b3b00ea4ab7ebc2d7db5507 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Sun, 9 Nov 2025 13:23:11 +0100
Subject: [PATCH] Fix GHSA-h96m-rvf9-jgm2
CVE: CVE-2025-14178
Upstream-Status: Backport [https://github.com/php/php-src/commit/c4268c15e361]
(cherry picked from commit c4268c15e361ccd79289a3909f332ab2153f72e7)
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
ext/standard/array.c | 7 ++++++-
.../tests/array/GHSA-h96m-rvf9-jgm2.phpt | 16 ++++++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
diff --git a/ext/standard/array.c b/ext/standard/array.c
index a1a92934084..30b9a425b20 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -3903,7 +3903,7 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
int argc, i;
zval *src_entry;
HashTable *src, *dest;
- uint32_t count = 0;
+ uint64_t count = 0;
ZEND_PARSE_PARAMETERS_START(0, -1)
Z_PARAM_VARIADIC('+', args, argc)
@@ -3923,6 +3923,11 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
count += zend_hash_num_elements(Z_ARRVAL_P(arg));
}
+ if (UNEXPECTED(count >= HT_MAX_SIZE)) {
+ zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE);
+ RETURN_THROWS();
+ }
+
if (argc == 2) {
zval *ret = NULL;
diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
new file mode 100644
index 00000000000..2e3e85357e1
--- /dev/null
+++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
@@ -0,0 +1,16 @@
+--TEST--
+GHSA-h96m-rvf9-jgm2
+--FILE--
+<?php
+
+$power = 20; // Chosen to be well within a memory_limit
+$arr = range(0, 2**$power);
+try {
+ array_merge(...array_fill(0, 2**(32-$power), $arr));
+} catch (Error $e) {
+ echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECTF--
+The total number of elements must be lower than %d
--
2.43.7
meta-oe/recipes-devtools/php/php_8.2.29.bb
+1
View File
@@ -21,6 +21,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
file://0010-iconv-fix-detection.patch \
file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \
file://CVE-2025-14177.patch \
file://CVE-2025-14178.patch \
"
SRC_URI:append:class-target = " \