From bcd7352b0c06b7fd41622789e6821bbabb968a8e Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri, 26 Jun 2020 09:36:17 +0200
Subject: [PATCH] Fix uninitialized reads in min/max

We need to use the unstable comparison function here, the fallback
order is not initialized in this context.
---
 ext/standard/array.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/ext/standard/array.c b/ext/standard/array.c
index 9b0efaf301..8f326f38d8 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -1297,13 +1297,12 @@ PHP_FUNCTION(min)
 
 	/* mixed min ( array $values ) */
 	if (argc == 1) {
-		zval *result;
-
 		if (Z_TYPE(args[0]) != IS_ARRAY) {
 			zend_argument_type_error(1, "must be of type array, %s given", zend_zval_type_name(&args[0]));
 			RETURN_THROWS();
 		} else {
-			if ((result = zend_hash_minmax(Z_ARRVAL(args[0]), php_array_data_compare, 0)) != NULL) {
+			zval *result = zend_hash_minmax(Z_ARRVAL(args[0]), php_array_data_compare_unstable, 0);
+			if (result) {
 				ZVAL_COPY_DEREF(return_value, result);
 			} else {
 				zend_argument_value_error(1, "must contain at least one element");
@@ -1344,13 +1343,12 @@ PHP_FUNCTION(max)
 
 	/* mixed max ( array $values ) */
 	if (argc == 1) {
-		zval *result;
-
 		if (Z_TYPE(args[0]) != IS_ARRAY) {
 			zend_argument_type_error(1, "must be of type array, %s given", zend_zval_type_name(&args[0]));
 			RETURN_THROWS();
 		} else {
-			if ((result = zend_hash_minmax(Z_ARRVAL(args[0]), php_array_data_compare, 1)) != NULL) {
+			zval *result = zend_hash_minmax(Z_ARRVAL(args[0]), php_array_data_compare_unstable, 1);
+			if (result) {
 				ZVAL_COPY_DEREF(return_value, result);
 			} else {
 				zend_argument_value_error(1, "must contain at least one element");
-- 
2.40.0