Fix GH-13094: range(9.9, '0') causes segmentation fault

`start_type + end_type < 2*IS_STRING` is not right, in this test case
the types are start_type==5 (IS_DOUBLE), end_type==7 (IS_ARRAY).
The IS_ARRAY type is a sentinel to disambiguate single-byte strings.
The path must be taken when one of the types is not a string nor a
single-byte string. Therefore, use < IS_STRING with an OR condition.

Closes GH-13105.

NEWS

@@ -4,9 +4,13 @@ PHP                                                                        NEWS
 
 - Core:
   . Fixed timer leak in zend-max-execution-timers builds. (withinboredom)
+
 - Phar:
   . Fixed bug #71465 (PHAR doesn't know about litespeed). (nielsdos)
 
+- Standard:
+  . Fixed bug GH-13094 (range(9.9, '0') causes segmentation fault). (nielsdos)
+
 18 Jan 2024, PHP 8.3.2
 
 - Core:

ext/standard/array.c

@@ -2924,8 +2924,8 @@ PHP_FUNCTION(range)
 
 	/* If the range is given as strings, generate an array of characters. */
 	if (start_type >= IS_STRING || end_type >= IS_STRING) {
-		/* If one of the inputs is NOT a string */
-		if (UNEXPECTED(start_type + end_type < 2*IS_STRING)) {
+		/* If one of the inputs is NOT a string nor single-byte string */
+		if (UNEXPECTED(start_type < IS_STRING || end_type < IS_STRING)) {
 			if (start_type < IS_STRING) {
 				if (end_type != IS_ARRAY) {
 					php_error_docref(NULL, E_WARNING, "Argument #1 ($start) must be a single byte string if"

ext/standard/tests/array/range/gh13094.phpt

@@ -0,0 +1,29 @@
+--TEST--
+GH-13094 (range(9.9, '0') causes segmentation fault)
+--FILE--
+<?php
+var_dump(range(9.9, '0'));
+?>
+--EXPECT--
+array(10) {
+  [0]=>
+  float(9.9)
+  [1]=>
+  float(8.9)
+  [2]=>
+  float(7.9)
+  [3]=>
+  float(6.9)
+  [4]=>
+  float(5.9)
+  [5]=>
+  float(4.9)
+  [6]=>
+  float(3.9000000000000004)
+  [7]=>
+  float(2.9000000000000004)
+  [8]=>
+  float(1.9000000000000004)
+  [9]=>
+  float(0.9000000000000004)
+}