diff mbox series

[meta-oe,scarthgap,1/2] php 8.2.29: Fix CVE-2025-14178

Message ID 20260204114302.440004-1-adongare@cisco.com
State New
Headers show
Series [meta-oe,scarthgap,1/2] php 8.2.29: Fix CVE-2025-14178 | expand

Commit Message

Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) Feb. 4, 2026, 11:43 a.m. UTC 
From: Anil Dongare <adongare@cisco.com>

Upstream Repository: https://github.com/php/php-src.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14178
Type: Security Fix
CVE: CVE-2025-14178
Score: 8.2
Patch: https://github.com/php/php-src/commit/c4268c15e361

Signed-off-by: Anil Dongare <adongare@cisco.com>
---
 .../php/php/CVE-2025-14178.patch              | 65 +++++++++++++++++++
 meta-oe/recipes-devtools/php/php_8.2.29.bb    |  1 +
 2 files changed, 66 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2025-14178.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-devtools/php/php/CVE-2025-14178.patch b/meta-oe/recipes-devtools/php/php/CVE-2025-14178.patch
new file mode 100644
index 0000000000..46fa8679e8
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2025-14178.patch
@@ -0,0 +1,65 @@ 
+From a46c3692d37f8c539b3b00ea4ab7ebc2d7db5507 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
+Date: Sun, 9 Nov 2025 13:23:11 +0100
+Subject: [PATCH] Fix GHSA-h96m-rvf9-jgm2
+
+CVE: CVE-2025-14178
+Upstream-Status: Backport [https://github.com/php/php-src/commit/c4268c15e361]
+
+(cherry picked from commit c4268c15e361ccd79289a3909f332ab2153f72e7)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ ext/standard/array.c                             |  7 ++++++-
+ .../tests/array/GHSA-h96m-rvf9-jgm2.phpt         | 16 ++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+
+diff --git a/ext/standard/array.c b/ext/standard/array.c
+index a1a92934084..30b9a425b20 100644
+--- a/ext/standard/array.c
++++ b/ext/standard/array.c
+@@ -3903,7 +3903,7 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
+	int argc, i;
+	zval *src_entry;
+	HashTable *src, *dest;
+-	uint32_t count = 0;
++	uint64_t count = 0;
+
+	ZEND_PARSE_PARAMETERS_START(0, -1)
+		Z_PARAM_VARIADIC('+', args, argc)
+@@ -3923,6 +3923,11 @@ static zend_always_inline void php_array_merge_wrapper(INTERNAL_FUNCTION_PARAMET
+		count += zend_hash_num_elements(Z_ARRVAL_P(arg));
+	}
+
++	if (UNEXPECTED(count >= HT_MAX_SIZE)) {
++		zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE);
++		RETURN_THROWS();
++	}
++
+	if (argc == 2) {
+		zval *ret = NULL;
+
+diff --git a/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+new file mode 100644
+index 00000000000..2e3e85357e1
+--- /dev/null
++++ b/ext/standard/tests/array/GHSA-h96m-rvf9-jgm2.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++GHSA-h96m-rvf9-jgm2
++--FILE--
++<?php
++
++$power = 20; // Chosen to be well within a memory_limit
++$arr = range(0, 2**$power);
++try {
++    array_merge(...array_fill(0, 2**(32-$power), $arr));
++} catch (Error $e) {
++    echo $e->getMessage(), "\n";
++}
++
++?>
++--EXPECTF--
++The total number of elements must be lower than %d
+--
+2.43.7
diff --git a/meta-oe/recipes-devtools/php/php_8.2.29.bb b/meta-oe/recipes-devtools/php/php_8.2.29.bb
index 015d83c291..aa2244ce96 100644
--- a/meta-oe/recipes-devtools/php/php_8.2.29.bb
+++ b/meta-oe/recipes-devtools/php/php_8.2.29.bb
@@ -21,6 +21,7 @@  SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
            file://0010-iconv-fix-detection.patch \
            file://0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch \
            file://CVE-2025-14177.patch \
+           file://CVE-2025-14178.patch \
           "
 
 SRC_URI:append:class-target = " \