From 24ba4c4a17aecf8259bf6e6633976497810cdd9e Mon Sep 17 00:00:00 2001
From: ndossche <7771979+ndossche@users.noreply.github.com>
Date: Sun, 15 Mar 2026 00:30:00 +0100
Subject: [PATCH] Add array size maximum to array_diff()

This silences some reports about the equivalence to array_merge()'s
issue. However, this is different as no packed fill is used in this
code, so it doesn't have the same bug that array_merge() had.
---
 ext/standard/array.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ext/standard/array.c b/ext/standard/array.c
index 13731592d836e..e319c0927916d 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -5846,7 +5846,7 @@ PHP_FUNCTION(array_diff)
 {
 	zval *args;
 	uint32_t argc, i;
-	uint32_t num;
+	uint64_t num;
 	HashTable exclude;
 	zval *value;
 	zend_string *str, *tmp_str, *key;
@@ -5936,6 +5936,11 @@ PHP_FUNCTION(array_diff)
 		return;
 	}
 
+	if (UNEXPECTED(num >= HT_MAX_SIZE)) {
+		zend_throw_error(NULL, "The total number of elements must be lower than %u", HT_MAX_SIZE);
+		RETURN_THROWS();
+	}
+
 	ZVAL_NULL(&dummy);
 	/* create exclude map */
 	zend_hash_init(&exclude, num, NULL, NULL, 0);