Fix socket_sendmsg() sending wrong fd for Socket objects in SCM_RIGHTS

from_array_iterate() yields a 1-based index. The Socket-object branch of
from_zval_write_fd_array_aux() wrote iarr[i] while the resource branch
correctly used iarr[i - 1], so the first descriptor slot was left zeroed
and every object descriptor was shifted up by one, with the last
truncated by cmsg_len. socket_sendmsg() therefore transmitted the wrong
descriptors (the first always fd 0) whenever a Socket object was passed
in an SCM_RIGHTS control message.

Closes GH-22338

Author: iliaal

ext/sockets/conversions.c

@@ -1385,7 +1385,7 @@ static void from_zval_write_fd_array_aux(zval *elem, unsigned i, void **args, se
 			return;
 		}
 
-		iarr[i] = sock->bsd_socket;
+		iarr[i - 1] = sock->bsd_socket;
 		return;
 	}
 

ext/sockets/tests/socket_cmsg_rights.phpt

@@ -58,7 +58,7 @@ if ($data["control"]) {
     if ($control["level"] == SOL_SOCKET &&
         $control["type"]  == SCM_RIGHTS) {
         foreach ($control["data"] as $resource) {
-            if (!is_resource($resource)) {
+            if (!is_resource($resource) && !($resource instanceof Socket)) {
                 echo "FAIL RES\n";
                 var_dump($data);
                 exit;

ext/sockets/tests/socket_sendmsg_scm_rights_object.phpt

@@ -0,0 +1,65 @@
+--TEST--
+socket_sendmsg(): SCM_RIGHTS transfers a Socket object with the correct fd
+--EXTENSIONS--
+sockets
+--SKIPIF--
+<?php
+if (strtolower(substr(PHP_OS, 0, 3)) == 'win') {
+    die('skip not for Microsoft Windows');
+}
+if (strtolower(substr(PHP_OS, 0, 3)) == 'aix') {
+    die('skip not for AIX');
+}
+if (!defined('SCM_RIGHTS')) {
+    die('skip SCM_RIGHTS not available');
+}
+?>
+--FILE--
+<?php
+$dir = sys_get_temp_dir();
+$rpath = $dir . "/socket_sendmsg_scm_rights_object_r.sock";
+$ppath = $dir . "/socket_sendmsg_scm_rights_object_p.sock";
+@unlink($rpath);
+@unlink($ppath);
+
+$recv = socket_create(AF_UNIX, SOCK_DGRAM, 0);
+socket_bind($recv, $rpath);
+
+$send = socket_create(AF_UNIX, SOCK_DGRAM, 0);
+socket_connect($send, $rpath);
+
+// Pass a single Socket object, bound to a known path so the received fd
+// can be identified via getsockname().
+$payload = socket_create(AF_UNIX, SOCK_DGRAM, 0);
+socket_bind($payload, $ppath);
+
+socket_sendmsg($send, [
+    'iov' => ['x'],
+    'control' => [[
+        'level' => SOL_SOCKET,
+        'type' => SCM_RIGHTS,
+        'data' => [$payload],
+    ]],
+], 0);
+
+$data = [
+    'name' => [],
+    'buffer_size' => 64,
+    'controllen' => socket_cmsg_space(SOL_SOCKET, SCM_RIGHTS, 1),
+];
+socket_recvmsg($recv, $data, 0);
+
+$got = $data['control'][0]['data'][0];
+var_dump($got instanceof Socket);
+socket_getsockname($got, $addr);
+var_dump($addr === $ppath);
+?>
+--CLEAN--
+<?php
+$dir = sys_get_temp_dir();
+@unlink($dir . "/socket_sendmsg_scm_rights_object_r.sock");
+@unlink($dir . "/socket_sendmsg_scm_rights_object_p.sock");
+?>
+--EXPECT--
+bool(true)
+bool(true)