Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3:
  Fix GH-18309: ipv6 filter integer overflow
  Fix GH-18304: Changing the properties of a DateInterval through dynamic properties triggers a SegFault

Author: nielsdos

NEWS

@@ -9,10 +9,15 @@ PHP                                                                        NEWS
   . Fixed bug GH-18209 (Use-after-free in extract() with EXTR_REFS). (ilutov)
   . Fixed bug GH-18268 (Segfault in array_walk() on object with added property
     hooks). (ilutov)
+  . Fixed bug GH-18304 (Changing the properties of a DateInterval through
+    dynamic properties triggers a SegFault). (nielsdos)
 
 - DBA:
   . FIxed bug GH-18247 dba_popen() memory leak on invalid path. (David Carlier)
 
+- Filter:
+  . Fixed bug GH-18309 (ipv6 filter integer overflow). (nielsdos)
+
 - GD:
   . Fixed imagecrop() overflow with rect argument with x/width y/heigh usage
     in gdImageCrop(). (David Carlier)

ext/date/php_date.c

@@ -4618,7 +4618,9 @@ static zval *date_interval_get_property_ptr_ptr(zend_object *object, zend_string
 		zend_string_equals_literal(name, "days") ||
 		zend_string_equals_literal(name, "invert") ) {
 		/* Fallback to read_property. */
-		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+		if (cache_slot) {
+			cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+		}
 		ret = NULL;
 	} else {
 		ret = zend_std_get_property_ptr_ptr(object, name, type, cache_slot);

ext/date/tests/gh18304.phpt

@@ -0,0 +1,35 @@
+--TEST--
+GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
+--CREDITS--
+orose-assetgo
+--FILE--
+<?php
+$di = new \DateInterval('P0Y');
+$field = 'd';
+$i = 1;
+$di->$field += $i;
+var_dump($di);
+?>
+--EXPECT--
+object(DateInterval)#1 (10) {
+  ["y"]=>
+  int(0)
+  ["m"]=>
+  int(0)
+  ["d"]=>
+  int(1)
+  ["h"]=>
+  int(0)
+  ["i"]=>
+  int(0)
+  ["s"]=>
+  int(0)
+  ["f"]=>
+  float(0)
+  ["invert"]=>
+  int(0)
+  ["days"]=>
+  bool(false)
+  ["from_string"]=>
+  bool(false)
+}

ext/dom/php_dom.c

@@ -362,7 +362,9 @@ static zval *dom_get_property_ptr_ptr(zend_object *object, zend_string *name, in
 		return zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
 	}
 
-	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	if (cache_slot) {
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	}
 	return NULL;
 }
 

ext/dom/tests/gh18304.phpt

@@ -0,0 +1,15 @@
+--TEST--
+GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
+--CREDITS--
+orose-assetgo
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$text = new \DOMText();
+$field = 'textContent';
+$text->$field .= 'hello';
+var_dump($text->$field);
+?>
+--EXPECT--
+string(5) "hello"

ext/filter/logical_filters.c

@@ -762,7 +762,8 @@ static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8])
 {
 	int compressed_pos = -1;
 	int blocks = 0;
-	int num, n, i;
+	unsigned int num, n;
+	int i;
 	char *ipv4;
 	const char *end;
 	int ip4elm[4];

ext/filter/tests/gh18309.phpt

@@ -0,0 +1,10 @@
+--TEST--
+GH-18309 (ipv6 filter integer overflow)
+--EXTENSIONS--
+filter
+--FILE--
+<?php
+var_dump(filter_var('fffffffffffffffffffffffffffffffffffff::', FILTER_VALIDATE_IP, FILTER_FLAG_IPV6));
+?>
+--EXPECT--
+bool(false)

ext/pdo/pdo_stmt.c

@@ -2489,9 +2489,10 @@ static zval *pdo_row_get_property_ptr_ptr(zend_object *object, zend_string *name
 	ZEND_IGNORE_VALUE(object);
 	ZEND_IGNORE_VALUE(name);
 	ZEND_IGNORE_VALUE(type);
-	ZEND_IGNORE_VALUE(cache_slot);
 
-	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	if (cache_slot) {
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	}
 	return NULL;
 }
 

ext/simplexml/simplexml.c

@@ -639,7 +639,9 @@ static zval *sxe_property_get_adr(zend_object *object, zend_string *zname, int f
 	SXE_ITER        type;
 	zval            member;
 
-	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	if (cache_slot) {
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	}
 
 	sxe = php_sxe_fetch_object(object);
 	GET_NODE(sxe, node);

ext/simplexml/tests/gh18304.phpt

@@ -0,0 +1,18 @@
+--TEST--
+GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
+--CREDITS--
+orose-assetgo
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+$sxe = simplexml_load_string('<root><abc/></root>');
+$field = 'abc';
+$sxe->$field .= 'hello';
+var_dump($sxe->$field);
+?>
+--EXPECT--
+object(SimpleXMLElement)#3 (1) {
+  [0]=>
+  string(5) "hello"
+}

ext/snmp/snmp.c

@@ -1861,7 +1861,9 @@ static zval *php_snmp_get_property_ptr_ptr(zend_object *object, zend_string *nam
 		return zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
 	}
 
-	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	if (cache_slot) {
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+	}
 	return NULL;
 }
 

ext/snmp/tests/gh18304.phpt

@@ -0,0 +1,15 @@
+--TEST--
+GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
+--CREDITS--
+orose-assetgo
+--EXTENSIONS--
+snmp
+--FILE--
+<?php
+$snmp = new SNMP(1, '127.0.0.1', 'community');
+$field = 'max_oids';
+$snmp->$field++;
+var_dump($snmp->$field);
+?>
+--EXPECT--
+int(1)

ext/spl/spl_array.c

@@ -863,7 +863,9 @@ static zval *spl_array_get_property_ptr_ptr(zend_object *object, zend_string *na
 
 	if ((intern->ar_flags & SPL_ARRAY_ARRAY_AS_PROPS) != 0
 		&& !zend_std_has_property(object, name, ZEND_PROPERTY_EXISTS, NULL)) {
-		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+		if (cache_slot) {
+			cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+		}
 
 		/* If object has offsetGet() overridden, then fallback to read_property,
 		 * which will call offsetGet(). */

ext/spl/tests/gh18304.phpt

@@ -0,0 +1,14 @@
+--TEST--
+GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault)
+--CREDITS--
+orose-assetgo
+--FILE--
+<?php
+$ao = new ArrayObject(['abc' => 1]);
+$ao->setFlags(ArrayObject::ARRAY_AS_PROPS);
+$field = 'abc';
+$ao->$field++;
+var_dump($ao->$field);
+?>
+--EXPECT--
+int(2)

ext/xmlreader/php_xmlreader.c

@@ -117,7 +117,7 @@ zval *xmlreader_get_property_ptr_ptr(zend_object *object, zend_string *name, int
 	xmlreader_prop_handler *hnd = zend_hash_find_ptr(&xmlreader_prop_handlers, name);
 	if (hnd == NULL) {
 		retval = zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
-	} else {
+	} else if (cache_slot) {
 		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
 	}
 

ext/zip/php_zip.c

@@ -889,8 +889,6 @@ static zval *php_zip_get_property_ptr_ptr(zend_object *object, zend_string *name
 	zval *retval = NULL;
 	zip_prop_handler *hnd = NULL;
 
-	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
-
 	obj = php_zip_fetch_object(object);
 
 	if (obj->prop_handler != NULL) {
@@ -899,6 +897,8 @@ static zval *php_zip_get_property_ptr_ptr(zend_object *object, zend_string *name
 
 	if (hnd == NULL) {
 		retval = zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
+	} else if (cache_slot) {
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
 	}
 
 	return retval;