authorNikita Popov <nikic@php.net>2015-06-20 17:14:48 +0200
committerNikita Popov <nikic@php.net>2015-06-20 17:14:48 +0200
commit5bf7a3aac758dc57ce11e6000cbd00dabe0e0c68 (patch)
treed186473bb5474662ce35d93cca50c1bc08451897
parent9589d26ef3d8500525729bcb78d2d9b1517e2134 (diff)
downloadphp-git-5bf7a3aac758dc57ce11e6000cbd00dabe0e0c68.tar.gz
Fixed bug #69893
-rw-r--r--NEWS2
-rw-r--r--Zend/zend_hash.c14
2 files changed, 11 insertions, 5 deletions
diff --git a/NEWS b/NEWS
index 3558a6a7cc..1ffee63ecf 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,8 @@ PHP NEWS
(Nikita)
. Fixed bug #69892 (Different arrays compare indentical due to integer key
truncation). (Nikita)
+ . Fixed bug #69893 (Strict comparison between integer and empty string keys
+ crashes). (Nikita)
- DOM:
. Fixed bug #69846 (Segmenation fault (access violation) when iterating over
diff --git a/Zend/zend_hash.c b/Zend/zend_hash.c
index 239fb0bb6b..cea57f6901 100644
--- a/Zend/zend_hash.c
+++ b/Zend/zend_hash.c
@@ -2248,20 +2248,24 @@ ZEND_API int zend_hash_compare(HashTable *ht1, HashTable *ht2, compare_func_t co
HASH_UNPROTECT_RECURSION(ht2);
return p1->h > p2->h ? 1 : -1;
}
- } else { /* string indices */
- size_t len0 = (p1->key ? p1->key->len : 0);
- size_t len1 = (p2->key ? p2->key->len : 0);
- if (len0 != len1) {
+ } else if (p1->key != NULL && p2->key != NULL) { /* string indices */
+ if (p1->key->len != p2->key->len) {
HASH_UNPROTECT_RECURSION(ht1);
HASH_UNPROTECT_RECURSION(ht2);
- return len0 > len1 ? 1 : -1;
+ return p1->key->len > p2->key->len ? 1 : -1;
}
+
result = memcmp(p1->key->val, p2->key->val, p1->key->len);
if (result != 0) {
HASH_UNPROTECT_RECURSION(ht1);
HASH_UNPROTECT_RECURSION(ht2);
return result;
}
+ } else {
+ /* Mixed key types: A string key is considered as larger */
+ HASH_UNPROTECT_RECURSION(ht1);
+ HASH_UNPROTECT_RECURSION(ht2);
+ return p1->key != NULL ? 1 : -1;
}
pData2 = &p2->val;
} else {
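Review bot: The comment on the new mixed-key `else` branch states the ordering but not the invariant that makes the branch safe: exactly one of `p1->key` / `p2->key` is NULL there, which is the case the removed `len0`/`len1` code let through to `memcmp(p1->key->val, ...)` when the string key was empty. I would spell that out, e.g. `/* Mixed key types: exactly one key is NULL here, so do not dereference key without a check; a string key is considered larger */`. The diffstat lists only NEWS and Zend/zend_hash.c, so no regression test appears to accompany the fix; a test comparing an integer-keyed array with an empty-string-keyed one would keep this NULL dereference from coming back. The body of zend_hash_compare starts and ends outside the hunk, so the shape of the enclosing condition is inferred from the visible branches.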