From 1d6f344bea49ccad82b9a95a80ed9fdc39e260a1 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Tue, 9 Jan 2024 20:13:22 +0100
Subject: [PATCH] Fix GH-13094: range(9.9, '0') causes segmentation fault

`start_type + end_type < 2*IS_STRING` is not right, in this test case the types are start_type==5 (IS_DOUBLE), end_type==7 (IS_ARRAY). The IS_ARRAY type is a sentinel to disambiguate single-byte strings. The path must be taken when one of the types is not a string nor a single-byte string. Therefore, use < IS_STRING with an OR condition. Closes GH-13105.
---
 NEWS | 4 +++
 ext/standard/array.c | 4 +--
 ext/standard/tests/array/range/gh13094.phpt | 29 +++++++++++++++++++++
 3 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 ext/standard/tests/array/range/gh13094.phpt
diff --git a/NEWS b/NEWS
index acb5462c57d83..07378d091d346 100644
--- a/NEWS
+++ b/NEWS
@@ -4,9 +4,13 @@ PHP NEWS
 - Core:
 . Fixed timer leak in zend-max-execution-timers builds. (withinboredom)
+
 - Phar:
 . Fixed bug #71465 (PHAR doesn't know about litespeed). (nielsdos)
+- Standard:
+ . Fixed bug GH-13094 (range(9.9, '0') causes segmentation fault). (nielsdos)
+
 18 Jan 2024, PHP 8.3.2
 - Core:
diff --git a/ext/standard/array.c b/ext/standard/array.c
index eee260f224319..76e33e9868aa8 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -2924,8 +2924,8 @@ PHP_FUNCTION(range)
 /* If the range is given as strings, generate an array of characters. */
 if (start_type >= IS_STRING || end_type >= IS_STRING) {
- /* If one of the inputs is NOT a string */
- if (UNEXPECTED(start_type + end_type < 2*IS_STRING)) {
+ /* If one of the inputs is NOT a string nor single-byte string */
+ if (UNEXPECTED(start_type < IS_STRING || end_type < IS_STRING)) {
 if (start_type < IS_STRING) {
 if (end_type != IS_ARRAY) {
 php_error_docref(NULL, E_WARNING, "Argument #1 ($start) must be a single byte string if"
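Review bot: The corrected guard `start_type < IS_STRING || end_type < IS_STRING` still rests on two conventions that are not written down at the check: the numeric order of the type ids, and IS_ARRAY standing in for a single-byte string. Only the commit message explains the sentinel, so the new comment could carry it, for example `/* IS_ARRAY is the sentinel for a single-byte string; a type id below IS_STRING means the input is not a string at all */`. Because the crash fixed here presumably came from a non-string operand reaching the character branch, a `ZEND_ASSERT` on both operands' real types just before that branch reads them as strings would catch a regression of the same kind in debug builds. That branch, like the rest of PHP_FUNCTION(range), lies outside this hunk, so its exact placement needs checking against the full function.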
diff --git a/ext/standard/tests/array/range/gh13094.phpt b/ext/standard/tests/array/range/gh13094.phpt
new file mode 100644
index 0000000000000..2e70adb65da72
--- /dev/null
+++ b/ext/standard/tests/array/range/gh13094.phpt
@@ -0,0 +1,29 @@
+--TEST--
+GH-13094 (range(9.9, '0') causes segmentation fault)
+--FILE--
+
+--EXPECT--
+array(10) {
+ [0]=>
+ float(9.9)
+ [1]=>
+ float(8.9)
+ [2]=>
+ float(7.9)
+ [3]=>
+ float(6.9)
+ [4]=>
+ float(5.9)
+ [5]=>
+ float(4.9)
+ [6]=>
+ float(3.9000000000000004)
+ [7]=>
+ float(2.9000000000000004)
+ [8]=>
+ float(1.9000000000000004)
+ [9]=>
+ float(0.9000000000000004)
+}
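Review bot: The --EXPECT-- section holds a single array dump, so the regression test appears to cover only the reported argument order (float first, single-byte string second). With the type ids quoted in the commit message, the mirrored order also sums to 12 and would presumably have slipped past the old `start_type + end_type < 2*IS_STRING` check in the same way. I would add the mirrored call, `var_dump(range('0', 9.9));`, together with its expected dump, so that both branches of the corrected condition are pinned. The --FILE-- body is not visible on this page, so this is inferred from --EXPECT-- alone.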