From 36d9ae73cac97d9452e793276f7bf7cdeb406c72 Mon Sep 17 00:00:00 2001
From: Gina Peter Banyard <girgias@php.net>
Date: Wed, 6 Nov 2024 17:13:10 +0000
Subject: [PATCH 1/2] ext/hash: Add failing tests for GH-16711

---
 ext/hash/tests/gh16711_1.phpt | 100 ++++++++++++++++++++++++++++++++++
 ext/hash/tests/gh16711_2.phpt | 100 ++++++++++++++++++++++++++++++++++
 2 files changed, 200 insertions(+)
 create mode 100644 ext/hash/tests/gh16711_1.phpt
 create mode 100644 ext/hash/tests/gh16711_2.phpt

diff --git a/ext/hash/tests/gh16711_1.phpt b/ext/hash/tests/gh16711_1.phpt
new file mode 100644
index 0000000000000..937a276f88f67
--- /dev/null
+++ b/ext/hash/tests/gh16711_1.phpt
@@ -0,0 +1,100 @@
+--TEST--
+GH-16711: Segmentation fault in mhash()
+--SKIPIF--
+<?php if(!function_exists('mhash')) { die('skip mhash compatibility layer not available'); } ?>
+--XFAIL--
+SEGFAULT
+--FILE--
+<?php
+
+$re = new ReflectionExtension("hash");
+var_dump($re->getConstants());
+
+var_dump(mhash(133, 1086849124, 133));
+?>
+--EXPECTF--
+array(40) {
+  ["HASH_HMAC"]=>
+  int(1)
+  ["MHASH_CRC32"]=>
+  int(0)
+  ["MHASH_MD5"]=>
+  int(1)
+  ["MHASH_SHA1"]=>
+  int(2)
+  ["MHASH_HAVAL256"]=>
+  int(3)
+  ["MHASH_RIPEMD160"]=>
+  int(5)
+  ["MHASH_TIGER"]=>
+  int(7)
+  ["MHASH_GOST"]=>
+  int(8)
+  ["MHASH_CRC32B"]=>
+  int(9)
+  ["MHASH_HAVAL224"]=>
+  int(10)
+  ["MHASH_HAVAL192"]=>
+  int(11)
+  ["MHASH_HAVAL160"]=>
+  int(12)
+  ["MHASH_HAVAL128"]=>
+  int(13)
+  ["MHASH_TIGER128"]=>
+  int(14)
+  ["MHASH_TIGER160"]=>
+  int(15)
+  ["MHASH_MD4"]=>
+  int(16)
+  ["MHASH_SHA256"]=>
+  int(17)
+  ["MHASH_ADLER32"]=>
+  int(18)
+  ["MHASH_SHA224"]=>
+  int(19)
+  ["MHASH_SHA512"]=>
+  int(20)
+  ["MHASH_SHA384"]=>
+  int(21)
+  ["MHASH_WHIRLPOOL"]=>
+  int(22)
+  ["MHASH_RIPEMD128"]=>
+  int(23)
+  ["MHASH_RIPEMD256"]=>
+  int(24)
+  ["MHASH_RIPEMD320"]=>
+  int(25)
+  ["MHASH_SNEFRU256"]=>
+  int(27)
+  ["MHASH_MD2"]=>
+  int(28)
+  ["MHASH_FNV132"]=>
+  int(29)
+  ["MHASH_FNV1A32"]=>
+  int(30)
+  ["MHASH_FNV164"]=>
+  int(31)
+  ["MHASH_FNV1A64"]=>
+  int(32)
+  ["MHASH_JOAAT"]=>
+  int(33)
+  ["MHASH_CRC32C"]=>
+  int(34)
+  ["MHASH_MURMUR3A"]=>
+  int(35)
+  ["MHASH_MURMUR3C"]=>
+  int(36)
+  ["MHASH_MURMUR3F"]=>
+  int(37)
+  ["MHASH_XXH32"]=>
+  int(38)
+  ["MHASH_XXH64"]=>
+  int(39)
+  ["MHASH_XXH3"]=>
+  int(40)
+  ["MHASH_XXH128"]=>
+  int(41)
+}
+
+Deprecated: Function mhash() is deprecated in %s on line %d
+SEGFAULT
diff --git a/ext/hash/tests/gh16711_2.phpt b/ext/hash/tests/gh16711_2.phpt
new file mode 100644
index 0000000000000..058fbc476f7de
--- /dev/null
+++ b/ext/hash/tests/gh16711_2.phpt
@@ -0,0 +1,100 @@
+--TEST--
+GH-16711: Segmentation fault in mhash()
+--SKIPIF--
+<?php if(!function_exists('mhash')) { die('skip mhash compatibility layer not available'); } ?>
+--XFAIL--
+SEGFAULT
+--FILE--
+<?php
+
+$re = new ReflectionExtension("hash");
+var_dump($re->getConstants());
+
+var_dump(mhash(4, 1086849124, 133));
+?>
+--EXPECTF--
+array(40) {
+  ["HASH_HMAC"]=>
+  int(1)
+  ["MHASH_CRC32"]=>
+  int(0)
+  ["MHASH_MD5"]=>
+  int(1)
+  ["MHASH_SHA1"]=>
+  int(2)
+  ["MHASH_HAVAL256"]=>
+  int(3)
+  ["MHASH_RIPEMD160"]=>
+  int(5)
+  ["MHASH_TIGER"]=>
+  int(7)
+  ["MHASH_GOST"]=>
+  int(8)
+  ["MHASH_CRC32B"]=>
+  int(9)
+  ["MHASH_HAVAL224"]=>
+  int(10)
+  ["MHASH_HAVAL192"]=>
+  int(11)
+  ["MHASH_HAVAL160"]=>
+  int(12)
+  ["MHASH_HAVAL128"]=>
+  int(13)
+  ["MHASH_TIGER128"]=>
+  int(14)
+  ["MHASH_TIGER160"]=>
+  int(15)
+  ["MHASH_MD4"]=>
+  int(16)
+  ["MHASH_SHA256"]=>
+  int(17)
+  ["MHASH_ADLER32"]=>
+  int(18)
+  ["MHASH_SHA224"]=>
+  int(19)
+  ["MHASH_SHA512"]=>
+  int(20)
+  ["MHASH_SHA384"]=>
+  int(21)
+  ["MHASH_WHIRLPOOL"]=>
+  int(22)
+  ["MHASH_RIPEMD128"]=>
+  int(23)
+  ["MHASH_RIPEMD256"]=>
+  int(24)
+  ["MHASH_RIPEMD320"]=>
+  int(25)
+  ["MHASH_SNEFRU256"]=>
+  int(27)
+  ["MHASH_MD2"]=>
+  int(28)
+  ["MHASH_FNV132"]=>
+  int(29)
+  ["MHASH_FNV1A32"]=>
+  int(30)
+  ["MHASH_FNV164"]=>
+  int(31)
+  ["MHASH_FNV1A64"]=>
+  int(32)
+  ["MHASH_JOAAT"]=>
+  int(33)
+  ["MHASH_CRC32C"]=>
+  int(34)
+  ["MHASH_MURMUR3A"]=>
+  int(35)
+  ["MHASH_MURMUR3C"]=>
+  int(36)
+  ["MHASH_MURMUR3F"]=>
+  int(37)
+  ["MHASH_XXH32"]=>
+  int(38)
+  ["MHASH_XXH64"]=>
+  int(39)
+  ["MHASH_XXH3"]=>
+  int(40)
+  ["MHASH_XXH128"]=>
+  int(41)
+}
+
+Deprecated: Function mhash() is deprecated in %s on line %d
+SEGFAULT

From 7fa674bf47cbd014bed08a2afb76f32d175a45ba Mon Sep 17 00:00:00 2001
From: Gina Peter Banyard <girgias@php.net>
Date: Wed, 6 Nov 2024 17:21:57 +0000
Subject: [PATCH 2/2] ext/hash: Fix GH-16711: Segfault in mhash()

---
 ext/hash/hash.c               | 4 ++++
 ext/hash/tests/gh16711_1.phpt | 4 +---
 ext/hash/tests/gh16711_2.phpt | 4 +---
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/ext/hash/hash.c b/ext/hash/hash.c
index 47c5cb42f9f00..4fdecfca79fb9 100644
--- a/ext/hash/hash.c
+++ b/ext/hash/hash.c
@@ -1213,7 +1213,11 @@ PHP_FUNCTION(mhash)
 		struct mhash_bc_entry algorithm_lookup = mhash_to_hash[algorithm];
 		if (algorithm_lookup.hash_name) {
 			algo = zend_string_init(algorithm_lookup.hash_name, strlen(algorithm_lookup.hash_name), 0);
+		} else {
+			RETURN_FALSE;
 		}
+	} else {
+		RETURN_FALSE;
 	}
 
 	if (key) {
diff --git a/ext/hash/tests/gh16711_1.phpt b/ext/hash/tests/gh16711_1.phpt
index 937a276f88f67..be4257cbfc708 100644
--- a/ext/hash/tests/gh16711_1.phpt
+++ b/ext/hash/tests/gh16711_1.phpt
@@ -2,8 +2,6 @@
 GH-16711: Segmentation fault in mhash()
 --SKIPIF--
 <?php if(!function_exists('mhash')) { die('skip mhash compatibility layer not available'); } ?>
---XFAIL--
-SEGFAULT
 --FILE--
 <?php
 
@@ -97,4 +95,4 @@ array(40) {
 }
 
 Deprecated: Function mhash() is deprecated in %s on line %d
-SEGFAULT
+bool(false)
diff --git a/ext/hash/tests/gh16711_2.phpt b/ext/hash/tests/gh16711_2.phpt
index 058fbc476f7de..c48137958ed6d 100644
--- a/ext/hash/tests/gh16711_2.phpt
+++ b/ext/hash/tests/gh16711_2.phpt
@@ -2,8 +2,6 @@
 GH-16711: Segmentation fault in mhash()
 --SKIPIF--
 <?php if(!function_exists('mhash')) { die('skip mhash compatibility layer not available'); } ?>
---XFAIL--
-SEGFAULT
 --FILE--
 <?php
 
@@ -97,4 +95,4 @@ array(40) {
 }
 
 Deprecated: Function mhash() is deprecated in %s on line %d
-SEGFAULT
+bool(false)