File php74-CVE-2024-2756.patch of Package php74.34258

Index: php-7.4.33/main/php_variables.c
===================================================================
--- php-7.4.33.orig/main/php_variables.c
+++ php-7.4.33/main/php_variables.c
@@ -65,6 +65,21 @@ static zend_always_inline void php_regis
 	zend_string_release_ex(key, 0);
 }
 
+/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host-
+ * Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
+static int php_is_forbidden_variable_name(const char *mangled_name, size_t mangled_name_len, const char *pre_mangled_name)
+{
+	if (mangled_name_len >= sizeof("__Host-")-1 && strncmp(mangled_name, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(pre_mangled_name, "__Host-", sizeof("__Host-")-1) != 0) {
+		return 1;
+	}
+
+	if (mangled_name_len >= sizeof("__Secure-")-1 && strncmp(mangled_name, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(pre_mangled_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
+		return 1;
+	}
+
+	return 0;
+}
+
 PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array)
 {
 	char *p = NULL;
@@ -115,20 +130,6 @@ PHPAPI void php_register_variable_ex(cha
 	}
 	var_len = p - var;
 
-	/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */
-	if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) {
-		zval_ptr_dtor_nogc(val);
-		free_alloca(var_orig, use_heap);
-		return;
-	}
-
-	/* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
-	if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
-		zval_ptr_dtor_nogc(val);
-		free_alloca(var_orig, use_heap);
-		return;
-	}
-
 	if (var_len==0) { /* empty variable name, or variable name with a space in it */
 		zval_ptr_dtor_nogc(val);
 		free_alloca(var_orig, use_heap);
@@ -226,6 +227,12 @@ PHPAPI void php_register_variable_ex(cha
 					return;
 				}
 			} else {
+				if (php_is_forbidden_variable_name(index, index_len, var_name)) {
+					zval_ptr_dtor_nogc(val);
+					free_alloca(var_orig, use_heap);
+					return;
+				}
+
 				gpc_element_p = zend_symtable_str_find(symtable1, index, index_len);
 				if (!gpc_element_p) {
 					zval tmp;
@@ -263,6 +270,12 @@ plain_var:
 				zval_ptr_dtor_nogc(val);
 			}
 		} else {
+			if (php_is_forbidden_variable_name(index, index_len, var_name)) {
+				zval_ptr_dtor_nogc(val);
+				free_alloca(var_orig, use_heap);
+				return;
+			}
+
 			zend_ulong idx;
 
 			/*