Merge branch 'PHP-8.3' into PHP-8.4

ndossche · ndossche · commit dabcd7452479 · 2025-12-28T00:21:56.000+01:00
* PHP-8.3:
  Fix OOB gzseek() causing assertion failure
diff --git a/NEWS b/NEWS
@@ -62,6 +62,9 @@ PHP                                                                        NEWS
   . Fix memory leak in mail() when header key is numeric. (Girgias)
   . Fixed bug GH-20582 (Heap Buffer Overflow in iptcembed). (ndossche)
 
+- Zlib:
+  . Fix OOB gzseek() causing assertion failure. (ndossche)
+
 18 Dec 2025, PHP 8.4.16
 
 - Core:
diff --git a/ext/zlib/tests/gzseek_seek_oob.phpt b/ext/zlib/tests/gzseek_seek_oob.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Test function gzseek() by seeking out of bounds
+--EXTENSIONS--
+zlib
+--FILE--
+<?php
+$f = __DIR__."/004.txt.gz";
+$h = gzopen($f, 'r');
+
+var_dump(gzseek($h, -100, SEEK_CUR));
+var_dump(gzseek($h, 0, SEEK_CUR));
+var_dump(gztell($h));
+
+gzclose($h);
+?>
+--EXPECT--
+int(-1)
+int(0)
+int(0)
diff --git a/ext/zlib/zlib_fopen_wrapper.c b/ext/zlib/zlib_fopen_wrapper.c
@@ -94,9 +94,14 @@ static int php_gziop_seek(php_stream *stream, zend_off_t offset, int whence, zen
 		php_error_docref(NULL, E_WARNING, "SEEK_END is not supported");
 		return -1;
 	}
-	*newoffs = gzseek(self->gz_file, offset, whence);
 
-	return (*newoffs < 0) ? -1 : 0;
+	z_off_t new_offset = gzseek(self->gz_file, offset, whence);
+	if (new_offset < 0) {
+		return -1;
+	}
+
+	*newoffs = new_offset;
+	return 0;
 }
 
 static int php_gziop_close(php_stream *stream, int close_handle)
