Merge branch 'PHP-8.2' into PHP-8.3

* PHP-8.2: Fix GH-15980: Signed integer overflow in main/streams/streams.c
php · Sep 24, 2024 · acee803 · acee803
2 parents 22d25d2 + 8191675
commit acee803
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/NEWS b/NEWS
@@ -23,6 +23,8 @@ PHP                                                                        NEWS
 - Streams:
   . Fixed bugs GH-15908 and GH-15026 (leak / assertion failure in streams.c).
     (nielsdos)
+  . Fixed bug GH-15980 (Signed integer overflow in main/streams/streams.c).
+    (cmb)
 
 - TSRM:
   . Prevent closing of unrelated handles. (cmb)

diff --git a/ext/standard/tests/streams/gh15980.phpt b/ext/standard/tests/streams/gh15980.phpt
@@ -0,0 +1,12 @@
+--TEST--
+GH-15980 (Signed integer overflow in main/streams/streams.c)
+--FILE--
+<?php
+$s = fopen(__FILE__, "r");
+fseek($s, 1);
+$seekres = fseek($s, PHP_INT_MAX, SEEK_CUR);
+$tellres = ftell($s);
+var_dump($seekres === -1 || $tellres > 1);
+?>
+--EXPECT--
+bool(true)
diff --git a/main/streams/streams.c b/main/streams/streams.c
@@ -1382,8 +1382,13 @@ PHPAPI int _php_stream_seek(php_stream *stream, zend_off_t offset, int whence)
 
 		switch(whence) {
 			case SEEK_CUR:
-				offset = stream->position + offset;
-				whence = SEEK_SET;
+				ZEND_ASSERT(stream->position >= 0);
+				if (UNEXPECTED(offset > ZEND_LONG_MAX - stream->position)) {
+					offset = ZEND_LONG_MAX;
+				} else {
+					offset = stream->position + offset;
+				}
+ 				whence = SEEK_SET;
 				break;
 		}
 		ret = stream->ops->seek(stream, offset, whence, &stream->position);