Commit 614b22ab465 for php.net

commit 614b22ab465718a57b15736fc9c7b28ffee3c807
Author: ndossche <7771979+ndossche@users.noreply.github.com>
Date:   Sun Mar 15 00:30:00 2026 +0100

    Add array size maximum to array_diff()

    This silences some reports about the equivalence to array_merge()'s
    issue. However, this is different as no packed fill is used in this
    code, so it doesn't have the same bug that array_merge() had.

    Closes GH-21449.

diff --git a/NEWS b/NEWS
index ca6b431d70c..509e5398563 100644
--- a/NEWS
+++ b/NEWS
@@ -134,6 +134,7 @@ PHP                                                                        NEWS
     null destination). (David Carlier)
   . Fixed bug GH-13204 (glob() fails if square bracket is in current directory).
     (ndossche)
+  . Add array size maximum to array_diff(). (ndossche)

 - Streams:
   . Added so_keepalive, tcp_keepidle, tcp_keepintvl and tcp_keepcnt stream
diff --git a/ext/standard/array.c b/ext/standard/array.c
index 640d832dd1d..3ee5afa70f8 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -5741,7 +5741,7 @@ PHP_FUNCTION(array_diff)
 {
 	zval *args;
 	uint32_t argc, i;
-	uint32_t num;
+	uint64_t num;
 	HashTable exclude;
 	zval *value;
 	zend_string *str, *tmp_str, *key;
@@ -5831,6 +5831,11 @@ PHP_FUNCTION(array_diff)
 		return;
 	}

+	if (UNEXPECTED(num >= HT_MAX_SIZE)) {
+		zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE);
+		RETURN_THROWS();
+	}
+
 	ZVAL_NULL(&dummy);
 	/* create exclude map */
 	zend_hash_init(&exclude, num, NULL, NULL, 0);