Merge branch 'PHP-8.4'

* PHP-8.4:
  Fix out of bound writes to SafeArray data

Author: cmb69

ext/com_dotnet/com_variant.c

@@ -26,8 +26,7 @@
 
 /* create an automation SafeArray from a PHP array.
  * Only creates a single-dimensional array of variants.
- * The keys of the PHP hash MUST be numeric.  If the array
- * is sparse, then the gaps will be filled with NULL variants */
+ * The keys of the PHP hash MUST be numeric. */
 static void safe_array_from_zval(VARIANT *v, zval *z, int codepage)
 {
 	SAFEARRAY *sa = NULL;
@@ -71,7 +70,9 @@ static void safe_array_from_zval(VARIANT *v, zval *z, int codepage)
 			break;
 		}
 		zend_hash_get_current_key_ex(Z_ARRVAL_P(z), &strindex, &intindex, &pos);
-		php_com_variant_from_zval(&va[intindex], item, codepage);
+		if (intindex < bound.cElements) {
+			php_com_variant_from_zval(&va[intindex], item, codepage);
+		}
 	}
 
 	/* Unlock it and stuff it into our variant */

ext/com_dotnet/tests/variant_variation.phpt

@@ -0,0 +1,30 @@
+--TEST--
+Testing variant arrays
+--EXTENSIONS--
+com_dotnet
+--FILE--
+<?php
+$arrays = [
+    "order" => [2 => 1, 1 => 2, 0 => 3],
+    "off" => [2 => 1, 1 => 2, 3],
+    "negative" => [-1 => 42],
+];
+foreach ($arrays as $desc => $array) {
+    echo "-- $desc --\n";
+    $v = new variant($array);
+    foreach ($v as $val) {
+        var_dump($val);
+    }
+}
+?>
+--EXPECTF--
+-- order --
+int(3)
+int(2)
+int(1)
+-- off --
+NULL
+int(2)
+int(1)
+-- negative --
+%ANULL