Commit 64cf7b2dbad for php.net
commit 64cf7b2dbade0d3001d79be3a49e42d9dbc1aa66
Author: Ilia Alshanetsky <ilia@ilia.ws>
Date: Sun Jun 21 08:04:23 2026 -0400
Fix int truncation of read length in shmop_read()
shmop_read() held the read length in an int while count and shmop->size
are zend_long and the bounds checks above validate against the full
64-bit size. On a shared-memory segment larger than INT_MAX a read whose
length sets the int sign bit was sign-extended into the size_t length
argument of zend_string_init(), requesting a near-SIZE_MAX allocation;
other truncated lengths silently returned a wrong-sized string. Hold the
length in a zend_long, matching the zend_long writesize already used in
shmop_write().
Closes GH-22425
diff --git a/ext/shmop/shmop.c b/ext/shmop/shmop.c
index 67f060f3c82..640f595ea6e 100644
--- a/ext/shmop/shmop.c
+++ b/ext/shmop/shmop.c
@@ -224,7 +224,6 @@ PHP_FUNCTION(shmop_read)
zend_long start, count;
php_shmop *shmop;
char *startaddr;
- int bytes;
zend_string *return_string;
if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oll", &shmid, shmop_ce, &start, &count) == FAILURE) {
@@ -244,7 +243,7 @@ PHP_FUNCTION(shmop_read)
}
startaddr = shmop->addr + start;
- bytes = count ? count : shmop->size - start;
+ zend_long bytes = count ? count : shmop->size - start;
return_string = zend_string_init(startaddr, bytes, 0);
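Review bot: The `zend_long` to `size_t` conversion at `zend_string_init(startaddr, bytes, 0)` is still implicit, so a negative `bytes` would again turn into a near-SIZE_MAX length. Its safety depends entirely on the range checks on `start` and `count` that the commit message refers to, which sit earlier in the function and outside this hunk. I would state that invariant next to the use, for example `ZEND_ASSERT(bytes >= 0 && bytes <= shmop->size - start);` before the call, and pass `(size_t) bytes` so the conversion is visible. As a style point, the first hunk shows the other locals declared at the top of the function, so keeping `zend_long bytes;` there would match the surrounding code better than the new mid-body declaration.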