Merge branch 'PHP-8.3' into PHP-8.4

devnexen · devnexen · commit 10dbdc56081a · 2024-10-12T15:23:48.000+01:00
diff --git a/NEWS b/NEWS
@@ -41,6 +41,9 @@ PHP                                                                        NEWS
   . Fixed bug GH-16385 (Unexpected null returned by session_set_cookie_params).
     (nielsdos)
 
+- Sockets:
+  . Fixed bug with overflow socket_recvfrom $length argument. (David Carlier)
+
 - SPL:
   . Fixed bug GH-16337 (Use-after-free in SplHeap). (nielsdos)
 
diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
@@ -1452,7 +1452,8 @@ PHP_FUNCTION(socket_recvfrom)
 
 	/* overflow check */
 	/* Shouldthrow ? */
-	if ((arg3 + 2) < 3) {
+
+	if (arg3 <= 0 || arg3 > ZEND_LONG_MAX - 1) {
 		RETURN_FALSE;
 	}
 
diff --git a/ext/sockets/tests/socket_recv_overflow.phpt b/ext/sockets/tests/socket_recv_overflow.phpt
@@ -0,0 +1,19 @@
+--TEST--
+socket_recvfrom overflow on length argument
+--EXTENSIONS--
+sockets
+--SKIPIF--
+<?php
+if (strtolower(substr(PHP_OS, 0, 3)) === 'win') {
+    die('skip not valid for Windows.');
+}
+--FILE--
+<?php
+$s = socket_create(AF_UNIX, SOCK_DGRAM, 0);
+$buf = $end = "";
+var_dump(socket_recvfrom($s, $buf, PHP_INT_MAX, 0, $end));
+var_dump(socket_recvfrom($s, $buf, -1, 0, $end));
+?>
+--EXPECT--
+bool(false)
+bool(false)

Original file line number	Diff line number	Diff line change
`@@ -1452,7 +1452,8 @@ PHP_FUNCTION(socket_recvfrom)`
`1452`	`1452`
`1453`	`1453`	`/* overflow check */`
`1454`	`1454`	`/* Shouldthrow ? */`
`1455`		`- if ((arg3 + 2) < 3) {`
	`1455`	`+`
	`1456`	`+ if (arg3 <= 0 \|\| arg3 > ZEND_LONG_MAX - 1) {`
`1456`	`1457`	`RETURN_FALSE;`
`1457`	`1458`	`}`
`1458`	`1459`