From 44f48dc55d1515dcafa549ba59b533494022fb41 Mon Sep 17 00:00:00 2001
From: Gina Peter Banyard
Date: Sat, 28 Sep 2024 16:07:22 +0100
Subject: [PATCH] ext/ldap: Fix GH-16101 (Segfaults in php_ldap_do_search() when LDAPs is not a list)
---
 NEWS | 2 ++
 ext/ldap/ldap.c | 5 +++++
 ext/ldap/tests/gh16101.phpt | 25 +++++++++++++++++++++++++
 3 files changed, 32 insertions(+)
 create mode 100644 ext/ldap/tests/gh16101.phpt
diff --git a/NEWS b/NEWS
index b09b1ea44bd28..caa3228663d08 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ PHP NEWS
 - LDAP:
 . Fixed bug GH-16032 (Various NULL pointer dereferencements in ldap_modify_batch()). (Girgias)
+ . Fixed bug GH-16101 (Segfault in ldap_list(), ldap_read(), and ldap_search()
+ when LDAPs array is not a list). (Girgias)
 - PHPDBG:
 . Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs). (cmb)
diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
index ae65f0258c24b..f0dd3ccb4c47d 100644
--- a/ext/ldap/ldap.c
+++ b/ext/ldap/ldap.c
@@ -1429,6 +1429,11 @@ static void php_ldap_do_search(INTERNAL_FUNCTION_PARAMETERS, int scope)
 ret = 0;
 goto cleanup;
 }
+ if (!zend_array_is_list(Z_ARRVAL_P(link))) {
+ zend_argument_value_error(1, "must be a list");
+ ret = 0;
+ goto cleanup;
+ }
 if (base_dn_ht) {
 nbases = zend_hash_num_elements(base_dn_ht);
diff --git a/ext/ldap/tests/gh16101.phpt b/ext/ldap/tests/gh16101.phpt
new file mode 100644
index 0000000000000..1e9d57334378b
--- /dev/null
+++ b/ext/ldap/tests/gh16101.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug GH-16101: Segfault in ldap_list(), ldap_read(), and ldap_search() when LDAPs array is not a list
+--EXTENSIONS--
+ldap
+--FILE--
+ $ldap,
+ "world" => $ldap,
+];
+try {
+ var_dump(ldap_list($ldaps_dict, $valid_dn, $valid_filter));
+} catch (Throwable $e) {
+ echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+
+?>
+--EXPECT--
+ValueError: ldap_list(): Argument #1 ($ldap) must be a list
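Review bot: The new list check in the ext/ldap/ldap.c hunk guards only argument 1 (`link`), while the context line right after it shows `base_dn_ht` being sized with `zend_hash_num_elements()` and, presumably, consumed alongside the links further down. If that later code reads the base DN or filter arrays by position rather than by iteration, a string-keyed or sparse array there could reach the same kind of fault, so it is worth confirming and, if needed, adding the matching guard: `if (base_dn_ht && !zend_array_is_list(base_dn_ht)) { zend_argument_value_error(2, "must be a list"); ret = 0; goto cleanup; }`. A short comment above the new check saying why the array shape matters for the code below would help the next reader, since the hunk itself does not show the access that crashed. php_ldap_do_search() starts and ends outside the hunk, so the loop in question is not visible here.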
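Review bot: The gh16101.phpt test pins only the string-keyed shape (`"world" => $ldap`), but `zend_array_is_list()` also rejects integer-keyed arrays that do not start at 0 or that have gaps. A second case such as `[1 => $ldap, 2 => $ldap]` would cover the shape a caller is most likely to produce by accident, for example after filtering a list. The title names ldap_read() and ldap_search() as well, so one call to either would show that the shared path is guarded for them too. The setup lines of the FILE section are not fully visible on this page, so this is based on the visible array literal and the `ldap_list()` call only.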