From f674d3db0f54737f8ef358b08fdf8a8bfc45e205 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Wed, 4 Mar 2026 08:51:21 -0800
Subject: [PATCH] ext/snmp: fix infinite loop in snprint_value retry when
 val_len is zero

When an SNMP variable has val_len == 0 (valid for empty strings),
the snprint_value retry loop doubles val_len on each iteration
(val_len *= 2). Since 0 * 2 == 0, val_len never grows, the
allocated buffer stays at 1 byte, and the 512k break condition is
never reached.

Fix by clamping val_len to at least sizeof(sbuf) before the loop,
ensuring the doubling produces meaningful growth past the initial
stack buffer size.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 ext/snmp/snmp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
index 0ff8d41c1e6ce..950de00ab3a35 100644
--- a/ext/snmp/snmp.c
+++ b/ext/snmp/snmp.c
@@ -243,6 +243,15 @@ static void php_snmp_getvalue(struct variable_list *vars, zval *snmpval, int val
 
 	/* use emalloc() for large values, use static array otherwise */
 
+	/* Ensure val_len is at least sizeof(sbuf) so doubling will grow beyond
+	 * the initial stack buffer. Without this, a zero val_len would cause
+	 * val_len *= 2 to remain zero indefinitely, never reaching the 512k
+	 * break condition.
+	 */
+	if (val_len < (int)sizeof(sbuf)) {
+		val_len = sizeof(sbuf);
+	}
+
 	/* There is no way to know the size of buffer snprint_value() needs in order to print a value there.
 	 * So we are forced to probe it
 	 */