Fix GH-16357: openssl may modify member types of certificate arrays

We must not use `try_convert_to_string()` on members of unseparated
array arguments; instead of separating, we use `zval_try_get_string()`.

Closes GH-16370.

Author: cmb69

NEWS

@@ -25,6 +25,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-16361 (mb_substr overflow on start/length arguments).
     (David Carlier)
 
+- OpenSSL:
+  . Fixed bug GH-16357 (openssl may modify member types of certificate arrays).
+    (cmb)
+
 - PHPDBG:
   . Fixed bug GH-16174 (Empty string is an invalid expression for ev). (cmb)
 

ext/openssl/openssl.c

@@ -1457,11 +1457,13 @@ static X509 *php_openssl_x509_from_zval(
 
 	*free_cert = 1;
 
-	if (!try_convert_to_string(val)) {
+	zend_string *str = zval_try_get_string(val);
+	if (str == NULL) {
 		return NULL;
 	}
-
-	return php_openssl_x509_from_str(Z_STR_P(val), arg_num, is_from_array, option_name);
+	X509 *cert = php_openssl_x509_from_str(str, arg_num, is_from_array, option_name);
+	zend_string_release(str);
+	return cert;
 }
 /* }}} */
 

ext/openssl/tests/gh16357.phpt

@@ -0,0 +1,22 @@
+--TEST--
+GH-16357 (openssl may modify member types of certificate arrays)
+--EXTENSIONS--
+openssl
+--FILE--
+<?php
+$infile = __DIR__ . "/cert.crt";
+$outfile = __DIR__ . "/gh16357.txt";
+$certs = [123];
+var_dump(openssl_pkcs7_encrypt($infile, $outfile, $certs, null));
+var_dump($certs);
+?>
+--CLEAN--
+<?php
+unlink(__DIR__ . "/gh16357.txt");
+?>
+--EXPECT--
+bool(false)
+array(1) {
+  [0]=>
+  int(123)
+}