From 6fdf09d727881f1fcc5950e3d3b1ba07c8dc6bbf Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Fri, 11 Oct 2024 14:39:26 +0200 Subject: [PATCH] Fix GH-16357: openssl may modify member types of certificate arrays We must not use `try_convert_to_string()` on members of unseparated array arguments; instead of separating, we use `zval_try_get_string()`. --- ext/openssl/openssl.c | 8 +++++--- ext/openssl/tests/gh16357.phpt | 22 ++++++++++++++++++++++ 2 files changed, 27 insertions(+), 3 deletions(-) create mode 100644 ext/openssl/tests/gh16357.phpt diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index f6ed67b805b6..7cf7b1cc043f 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -1457,11 +1457,13 @@ static X509 *php_openssl_x509_from_zval( *free_cert = 1; - if (!try_convert_to_string(val)) { + zend_string *str = zval_try_get_string(val); + if (str == NULL) { return NULL; } - - return php_openssl_x509_from_str(Z_STR_P(val), arg_num, is_from_array, option_name); + X509 *cert = php_openssl_x509_from_str(str, arg_num, is_from_array, option_name); + zend_string_release(str); + return cert; } /* }}} */ diff --git a/ext/openssl/tests/gh16357.phpt b/ext/openssl/tests/gh16357.phpt new file mode 100644 index 000000000000..32a76167a0e3 --- /dev/null +++ b/ext/openssl/tests/gh16357.phpt @@ -0,0 +1,22 @@ +--TEST-- +GH-16357 (openssl may modify member types of certificate arrays) +--EXTENSIONS-- +openssl +--FILE-- + +--CLEAN-- + +--EXPECT-- +bool(false) +array(1) { + [0]=> + int(123) +}
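Review bot: The switch to `zval_try_get_string()` in `php_openssl_x509_from_zval()` carries no comment saying why in-place conversion is off limits here, so a later cleanup could reintroduce `try_convert_to_string(val)` and again rewrite the type of a member in the caller's unseparated array. I would add above the new call: `/* val may be a member of an unseparated array argument: take a string copy, never convert in place */`. The `zend_string_release(str)` right after `php_openssl_x509_from_str()` is correct only if that helper keeps no pointer to `str` past its return, which looks likely but is not visible in this hunk. The function begins outside the hunk, so whether setting `*free_cert = 1` before the `NULL` return is safe for callers cannot be judged from here.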