From ff51ac161d6ccf088f5d434f914619506b8ab2b6 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Tue, 2 Dec 2025 19:04:36 +0000
Subject: [PATCH 1/3] Fix GH-20603 issue on windows 32 bits. the timeout needed to be unsigned. close GH-20634
---
 ext/ftp/php_ftp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ext/ftp/php_ftp.c b/ext/ftp/php_ftp.c
index 0df3aa6e7552..f47fe5988176 100644
--- a/ext/ftp/php_ftp.c
+++ b/ext/ftp/php_ftp.c
@@ -158,7 +158,7 @@ PHP_FUNCTION(ftp_connect)
 RETURN_THROWS();
 }
 
- const zend_long timeoutmax = (zend_long)((double) PHP_TIMEOUT_ULL_MAX / 1000000.0);
+ const uint64_t timeoutmax = (uint64_t)((double) PHP_TIMEOUT_ULL_MAX / 1000000.0);
 
 if (timeout_sec <= 0) {
 zend_argument_value_error(3, "must be greater than 0");
@@ -166,7 +166,7 @@ PHP_FUNCTION(ftp_connect)
 }
 
 if (timeout_sec >= timeoutmax) {
- zend_argument_value_error(3, "must be less than " ZEND_LONG_FMT, timeoutmax);
+ zend_argument_value_error(3, "must be less than " ZEND_ULONG_FMT, timeoutmax);
 RETURN_THROWS();
 }
 
From d635c8788b2a97b37c7799593223110a4bf8d7a9 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Wed, 3 Dec 2025 22:16:54 +0100
Subject: [PATCH 2/3] xml: Fix deprecation properly by backporting the modern-but-actually-old implementation
---
 ext/xml/compat.c | 19 ++----------------
 1 file changed, 2 insertions(+), 17 deletions(-)
diff --git a/ext/xml/compat.c b/ext/xml/compat.c
index db01141bbda5..3de77d0723e5 100644
--- a/ext/xml/compat.c
+++ b/ext/xml/compat.c
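Review bot: `ZEND_ULONG_FMT` on the changed zend_argument_value_error line in the second hunk is the conversion for zend_ulong, while timeoutmax is now a uint64_t; on the 32-bit builds this commit is about, zend_ulong is a 32-bit type, so the format no longer matches its argument and the call is undefined behaviour. Format the value with the specifier for its actual type, `zend_argument_value_error(3, "must be less than %" PRIu64, timeoutmax);`, which needs <inttypes.h> in scope (the file's includes are outside these hunks), or pass a value of the width the macro expects. The `timeout_sec >= timeoutmax` comparison in the same hunk is safe only because the `timeout_sec <= 0` check in the first hunk rejects negative values before the signed-to-unsigned conversion; a one-line comment there would save the next reader from re-deriving that. PHP_FUNCTION(ftp_connect) starts and ends outside both hunks.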
@@ -711,23 +711,8 @@ XML_GetCurrentColumnNumber(XML_Parser parser)
 PHP_XML_API int
 XML_GetCurrentByteIndex(XML_Parser parser)
 {
- /* We have to temporarily disable the encoder to satisfy the note from the manual:
- * "This function returns byte index according to UTF-8 encoded text disregarding if input is in another encoding."
- * Although that should probably be corrected at one point? (TODO) */
- xmlCharEncodingHandlerPtr encoder = NULL;
- xmlParserInputPtr input = parser->parser->input;
- ZEND_DIAGNOSTIC_IGNORED_START("-Wdeprecated-declarations")
- if (input->buf) {
- encoder = input->buf->encoder;
- input->buf->encoder = NULL;
- }
- long result = xmlByteConsumed(parser->parser);
- if (encoder) {
- input->buf->encoder = encoder;
- }
- ZEND_DIAGNOSTIC_IGNORED_END
- /* TODO: at one point this should return long probably to make sure that files greater than 2 GiB are handled correctly. */
- return (int) result;
+ return parser->parser->input->consumed +
+ (parser->parser->input->cur - parser->parser->input->base);
 }
 
 PHP_XML_API int
From 6a0da6dc2e53875ee98edfa4ec89a76585897a78 Mon Sep 17 00:00:00 2001
From: Oblivionsage
Date: Tue, 2 Dec 2025 18:57:05 +0100
Subject: [PATCH 3/3] Fix GH-20631: Integer underflow in exif HEIF parsing When pos.size is less than 2, the subtraction pos.size - 2 causes an unsigned integer underflow, resulting in a ~4GB allocation attempt. Add minimum size check (pos.size >= 2) to prevent the underflow. Closes GH-20630.
---
 NEWS | 3 +++
 ext/exif/exif.c | 2 +-
 ext/exif/tests/heic_iloc_underflow.phpt | 19 +++++++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 ext/exif/tests/heic_iloc_underflow.phpt
diff --git a/NEWS b/NEWS
index 7863b56edaad..7dc690d67583 100644
--- a/NEWS
+++ b/NEWS
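Review bot: The new return expression in XML_GetCurrentByteIndex narrows silently: `consumed` is an unsigned long in libxml2's xmlParserInput and `cur - base` a ptrdiff_t, so their sum is converted to the int return type implicitly, and the TODO about inputs beyond 2 GiB that the removed code carried was dropped with it. Keep that note and make the narrowing visible, e.g. `/* TODO: int return truncates byte offsets past INT_MAX (inputs > 2 GiB). */` followed by `return (int) (parser->parser->input->consumed + (parser->parser->input->cur - parser->parser->input->base));`. The removed comment also recorded why the encoder was bypassed (the manual's "UTF-8 byte index" wording); if consumed/cur/base indeed count bytes of libxml's decoded input — I am inferring that from the field names, so confirm — a one-line comment saying so would preserve that rationale. The function is fully inside the hunk.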
@@ -2,6 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.5.2
 
+- EXIF:
+ . Fixed bug GH-20631 (Integer underflow in exif HEIF parsing
+ when pos.size < 2). (Oblivionsage)
 
 18 Dec 2025, PHP 8.5.1
 
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index d0c16413062a..6ed86c88e562 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -4421,7 +4421,7 @@ static bool exif_scan_HEIF_header(image_info_type *ImageInfo, unsigned char *buf
 if (exif_read_from_stream_file_looped(ImageInfo->infile, (char*)(data + remain), limit - remain) == limit - remain) {
 exif_isobmff_parse_meta(data, data + limit, &pos);
 }
- if ((pos.size) &&
+ if ((pos.size >= 2) &&
 (pos.size < ImageInfo->FileSize) &&
 (ImageInfo->FileSize - pos.size >= pos.offset) &&
 (php_stream_seek(ImageInfo->infile, pos.offset + 2, SEEK_SET) >= 0)) {
diff --git a/ext/exif/tests/heic_iloc_underflow.phpt b/ext/exif/tests/heic_iloc_underflow.phpt
new file mode 100644
index 000000000000..9dd1878b60dd
--- /dev/null
+++ b/ext/exif/tests/heic_iloc_underflow.phpt
@@ -0,0 +1,19 @@
+--TEST--
+HEIC iloc extent_length underflow
+--EXTENSIONS--
+exif
+--FILE--
+
+--CLEAN--
+
+--EXPECTF--
+Warning: exif_read_data(heic_iloc_underflow.heic): Invalid HEIF file in %s on line %d
+bool(false)
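Review bot: The new `pos.size >= 2` bound in exif_scan_HEIF_header fixes the wrap the commit describes, but nothing at the condition ties the 2 to the `pos.offset + 2` seek three lines down or to the `pos.size - 2` subtraction the commit message places after this hunk; a comment would make that coupling explicit, e.g. `/* 2 bytes at pos.offset are skipped by the seek below, so the extent must hold at least them; this also keeps pos.size - 2 from wrapping */`. pos.size == 2 now passes and leaves a zero-length payload, and whether the read after the seek handles 0 cleanly is outside this hunk, so worth checking. exif_scan_HEIF_header starts and ends outside the hunk.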