Merge branch 'PHP-8.3' into PHP-8.4

Author: devnexen

NEWS

@@ -36,6 +36,8 @@ PHP                                                                        NEWS
 - Standard:
   . Fix misleading errors in printf(). (nielsdos)
   . Fix RCN violations in array functions. (nielsdos)
+  . Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value.
+    (David Carlier)
 
 - Streams:
   . Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter

ext/standard/pack.c

@@ -386,7 +386,7 @@ PHP_FUNCTION(pack)
 		switch ((int) code) {
 			case 'h':
 			case 'H':
-				INC_OUTPUTPOS((arg + (arg % 2)) / 2,1)	/* 4 bit per arg */
+				INC_OUTPUTPOS((arg / 2) + (arg % 2),1)	/* 4 bit per arg */
 				break;
 
 			case 'a':

ext/standard/tests/strings/gh18976.phpt

@@ -0,0 +1,14 @@
+--TEST--
+GH-18976 (pack overflow with h/H format)
+--INI--
+memory_limit=-1
+--FILE--
+<?php
+pack('h2147483647', 1);
+pack('H2147483647', 1);
+?>
+--EXPECTF--
+
+Warning: pack(): Type h: not enough characters in string in %s on line %d
+
+Warning: pack(): Type H: not enough characters in string in %s on line %d