Merge branch 'PHP-8.1' into PHP-8.2

* PHP-8.1:
  Fix GH-11178: Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18)
  Fix GH-11175 and GH-11177: Stream socket timeout undefined behaviour
  Fix GH-9068: Conditional jump or move depends on uninitialised value(s)

Author: nielsdos

NEWS

@@ -5,6 +5,8 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug GH-11152 (Unable to alias namespaces containing reserved class
     names). (ilutov)
+  . Fixed bug GH-9068 (Conditional jump or move depends on uninitialised
+    value(s)). (nielsdos)
 
 - Opcache:
   . Fixed bug GH-11134 (Incorrect match default branch optimization). (ilutov)
@@ -13,10 +15,19 @@ PHP                                                                        NEWS
 - PGSQL:
   . Fixed parameter parsing of pg_lo_export(). (kocsismate)
 
+- SPL:
+  . Fixed bug GH-11178 (Segmentation fault in spl_array_it_get_current_data
+    (PHP 8.1.18)). (nielsdos)
+
 - Standard:
   . Fixed bug GH-11138 (move_uploaded_file() emits open_basedir warning for
     source file). (ilutov)
 
+- Streams:
+  . Fixed bug GH-11175 (Stream Socket Timeout). (nielsdos)
+  . Fixed bug GH-11177 (ASAN UndefinedBehaviorSanitizer when timeout = -1
+    passed to stream_socket_accept/stream_socket_client). (nielsdos)
+
 11 May 2023, PHP 8.2.6
 
 - Core:

Zend/zend_string.c

@@ -370,11 +370,28 @@ ZEND_API void zend_interned_strings_switch_storage(bool request)
 # define I_REPLACE_SONAME_FNNAME_ZU(soname, fnname) _vgr00000ZU_ ## soname ## _ ## fnname
 #endif
 
-ZEND_API bool ZEND_FASTCALL I_REPLACE_SONAME_FNNAME_ZU(NONE,zend_string_equal_val)(const zend_string *s1, const zend_string *s2)
+/* See GH-9068 */
+#if defined(__GNUC__) && (__GNUC__ >= 11 || defined(__clang__)) && __has_attribute(no_caller_saved_registers)
+# define NO_CALLER_SAVED_REGISTERS __attribute__((no_caller_saved_registers))
+# ifndef __clang__
+#  pragma GCC push_options
+#  pragma GCC target ("general-regs-only")
+#  define POP_OPTIONS
+# endif
+#else
+# define NO_CALLER_SAVED_REGISTERS
+#endif
+
+ZEND_API bool ZEND_FASTCALL NO_CALLER_SAVED_REGISTERS I_REPLACE_SONAME_FNNAME_ZU(NONE,zend_string_equal_val)(const zend_string *s1, const zend_string *s2)
 {
 	return !memcmp(ZSTR_VAL(s1), ZSTR_VAL(s2), ZSTR_LEN(s1));
 }
 
+#ifdef POP_OPTIONS
+# pragma GCC pop_options
+# undef POP_OPTIONS
+#endif
+
 #if defined(__GNUC__) && defined(__i386__)
 ZEND_API bool ZEND_FASTCALL zend_string_equal_val(const zend_string *s1, const zend_string *s2)
 {

ext/spl/spl_array.c

@@ -989,7 +989,8 @@ static zval *spl_array_it_get_current_data(zend_object_iterator *iter) /* {{{ */
 		zend_hash_get_current_key_ex(aht, &key, NULL, spl_array_get_pos_ptr(aht, object));
 		zend_class_entry *ce = Z_OBJCE(object->array);
 		zend_property_info *prop_info = zend_get_property_info(ce, key, true);
-		if (ZEND_TYPE_IS_SET(prop_info->type)) {
+		ZEND_ASSERT(prop_info != ZEND_WRONG_PROPERTY_INFO);
+		if (EXPECTED(prop_info != NULL) && ZEND_TYPE_IS_SET(prop_info->type)) {
 			if (prop_info->flags & ZEND_ACC_READONLY) {
 				zend_throw_error(NULL,
 					"Cannot acquire reference to readonly property %s::$%s",

ext/spl/tests/gh11178.phpt

@@ -0,0 +1,28 @@
+--TEST--
+GH-11178 (Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18))
+--FILE--
+<?php
+#[AllowDynamicProperties]
+class A implements IteratorAggregate {
+    function __construct() {
+        $this->{'x'} = 1;
+    }
+
+    function getIterator(): Traversable {
+        return new ArrayIterator($this);
+    }
+}
+
+$obj = new A;
+
+foreach ($obj as $k => &$v) {
+    $v = 3;
+}
+
+var_dump($obj);
+?>
+--EXPECT--
+object(A)#1 (1) {
+  ["x"]=>
+  &int(3)
+}

ext/standard/streamsfuncs.c

@@ -33,11 +33,13 @@
 #ifndef PHP_WIN32
 #define php_select(m, r, w, e, t)	select(m, r, w, e, t)
 typedef unsigned long long php_timeout_ull;
+#define PHP_TIMEOUT_ULL_MAX ULLONG_MAX
 #else
 #include "win32/select.h"
 #include "win32/sockets.h"
 #include "win32/console.h"
 typedef unsigned __int64 php_timeout_ull;
+#define PHP_TIMEOUT_ULL_MAX UINT64_MAX
 #endif
 
 #define GET_CTX_OPT(stream, wrapper, name, val) (PHP_STREAM_CONTEXT(stream) && NULL != (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), wrapper, name)))
@@ -134,14 +136,21 @@ PHP_FUNCTION(stream_socket_client)
 	}
 
 	/* prepare the timeout value for use */
-	conv = (php_timeout_ull) (timeout * 1000000.0);
+	struct timeval *tv_pointer;
+	if (timeout < 0.0 || timeout >= (double) PHP_TIMEOUT_ULL_MAX / 1000000.0) {
+		tv_pointer = NULL;
+	} else {
+		conv = (php_timeout_ull) (timeout * 1000000.0);
 #ifdef PHP_WIN32
-	tv.tv_sec = (long)(conv / 1000000);
-	tv.tv_usec =(long)(conv % 1000000);
+		tv.tv_sec = (long)(conv / 1000000);
+		tv.tv_usec = (long)(conv % 1000000);
 #else
-	tv.tv_sec = conv / 1000000;
-	tv.tv_usec = conv % 1000000;
+		tv.tv_sec = conv / 1000000;
+		tv.tv_usec = conv % 1000000;
 #endif
+		tv_pointer = &tv;
+	}
+
 	if (zerrno) {
 		ZEND_TRY_ASSIGN_REF_LONG(zerrno, 0);
 	}
@@ -152,7 +161,7 @@ PHP_FUNCTION(stream_socket_client)
 	stream = php_stream_xport_create(ZSTR_VAL(host), ZSTR_LEN(host), REPORT_ERRORS,
 			STREAM_XPORT_CLIENT | (flags & PHP_STREAM_CLIENT_CONNECT ? STREAM_XPORT_CONNECT : 0) |
 			(flags & PHP_STREAM_CLIENT_ASYNC_CONNECT ? STREAM_XPORT_CONNECT_ASYNC : 0),
-			hashkey, &tv, context, &errstr, &err);
+			hashkey, tv_pointer, context, &errstr, &err);
 
 
 	if (stream == NULL) {
@@ -275,19 +284,25 @@ PHP_FUNCTION(stream_socket_accept)
 	php_stream_from_zval(stream, zstream);
 
 	/* prepare the timeout value for use */
-	conv = (php_timeout_ull) (timeout * 1000000.0);
+	struct timeval *tv_pointer;
+	if (timeout < 0.0 || timeout >= (double) PHP_TIMEOUT_ULL_MAX / 1000000.0) {
+		tv_pointer = NULL;
+	} else {
+		conv = (php_timeout_ull) (timeout * 1000000.0);
 #ifdef PHP_WIN32
-	tv.tv_sec = (long)(conv / 1000000);
-	tv.tv_usec = (long)(conv % 1000000);
+		tv.tv_sec = (long)(conv / 1000000);
+		tv.tv_usec = (long)(conv % 1000000);
 #else
-	tv.tv_sec = conv / 1000000;
-	tv.tv_usec = conv % 1000000;
+		tv.tv_sec = conv / 1000000;
+		tv.tv_usec = conv % 1000000;
 #endif
+		tv_pointer = &tv;
+	}
 
 	if (0 == php_stream_xport_accept(stream, &clistream,
 				zpeername ? &peername : NULL,
 				NULL, NULL,
-				&tv, &errstr
+				tv_pointer, &errstr
 				) && clistream) {
 
 		if (peername) {