Fix GH-16809: fopen HTTP wrapper timeout stream context option overflow.

close GH-16810

NEWS

@@ -14,6 +14,8 @@ PHP                                                                        NEWS
 - Streams:
   . Fixed bug GH-17037 (UAF in user filter when adding existing filter name due
     to incorrect error handling). (nielsdos)
+  . Fixed bug GH-16810 (overflow on fopen HTTP wrapper timeout value).
+    (David Carlier)
 
 - Windows:
   . Hardened proc_open() against cmd.exe hijacking. (cmb)

ext/standard/http_fopen_wrapper.c

@@ -216,6 +216,18 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 
 	if (context && (tmpzval = php_stream_context_get_option(context, wrapper->wops->label, "timeout")) != NULL) {
 		double d = zval_get_double(tmpzval);
+#ifndef PHP_WIN32
+		const double timeoutmax = (double) PHP_TIMEOUT_ULL_MAX / 1000000.0;
+#else
+		const double timeoutmax = (double) LONG_MAX / 1000000.0;
+#endif
+
+		if (d > timeoutmax) {
+			php_stream_wrapper_log_error(wrapper, options, "timeout must be lower than " ZEND_ULONG_FMT, (zend_ulong)timeoutmax);
+			zend_string_release(transport_string);
+			php_url_free(resource);
+			return NULL;
+		}
 #ifndef PHP_WIN32
 		timeout.tv_sec = (time_t) d;
 		timeout.tv_usec = (size_t) ((d - timeout.tv_sec) * 1000000);

ext/standard/tests/http/gh16810.phpt

@@ -0,0 +1,26 @@
+--TEST--
+Bug #79265 variation: "host:" not at start of header
+--INI--
+allow_url_fopen=1
+--SKIPIF--
+<?php if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platform only"); ?>
+--FILE--
+<?php
+$uri = "http://www.example.com";
+$config = [
+'http' => [
+'timeout' => PHP_INT_MIN,
+],
+];
+$ctx = stream_context_create($config);
+var_dump(fopen($uri, "r", false, $ctx));
+
+$config['http']['timeout'] = PHP_INT_MAX;
+$ctx = stream_context_create($config);
+var_dump(fopen($uri, "r", false, $ctx));
+?>
+--EXPECTF--
+resource(%d) of type (stream)
+
+Warning: fopen(http://www.example.com): Failed to open stream: timeout must be lower than %d in %s on line %d
+bool(false)