From 5508243bdf95fffba6cf81d8061b3d8a041e0c56 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <ilia@ilia.ws>
Date: Mon, 15 Jun 2026 17:58:53 -0400
Subject: [PATCH] main/poll: Cap kqueue grouped-event buffer write at runtime

The kqueue grouped-event path bounded the result buffer only with a
ZEND_ASSERT, allowing an out-of-bounds write in release builds when more
distinct descriptors were ready than the caller's maxEvents. Cap the
buffer write at runtime while still running the oneshot bookkeeping so
the backend's tracking stays in sync.

Closes GH-22327
---
 main/poll/poll_backend_kqueue.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/main/poll/poll_backend_kqueue.c b/main/poll/poll_backend_kqueue.c
index 9a654c716d56..9a25788d368f 100644
--- a/main/poll/poll_backend_kqueue.c
+++ b/main/poll/poll_backend_kqueue.c
@@ -382,12 +382,13 @@ static int kqueue_backend_wait(
 
 				if (!found) {
 					/* New FD, create new event */
-					ZEND_ASSERT(unique_events < max_events);
-					events[unique_events].fd = fd;
-					events[unique_events].events = 0;
-					events[unique_events].revents = revents;
-					events[unique_events].data = data;
-					unique_events++;
+					if (unique_events < max_events) {
+						events[unique_events].fd = fd;
+						events[unique_events].events = 0;
+						events[unique_events].revents = revents;
+						events[unique_events].data = data;
+						unique_events++;
+					}
 
 					/* Handle oneshot tracking */
 					if (is_oneshot) {