From 8537aa687e8da4938fd1ac4570e8065f6f98d938 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sun, 6 Oct 2024 16:09:47 +0100 Subject: [PATCH] Fix GH-16267 socket_strerror overflow on argument value. only socket_strerror provides user-supplied value to sockets_strerror handler. close GH-16270 --- NEWS | 4 ++++ ext/sockets/sockets.c | 5 +++++ ext/sockets/tests/gh16267.phpt | 22 ++++++++++++++++++++++ 3 files changed, 31 insertions(+) create mode 100644 ext/sockets/tests/gh16267.phpt diff --git a/NEWS b/NEWS index b083174c1b1..68f6fa42036 100644 --- a/NEWS +++ b/NEWS @@ -72,6 +72,10 @@ PHP NEWS . Fixed bug GH-15837 (Segmentation fault in ext/simplexml/simplexml.c). (nielsdos) +- Sockets: + . Fixed bug GH-16267 (socket_strerror overflow on errno argument). + (David Carlier) + - SOAP: . Fixed bug #62900 (Wrong namespace on xsd import error message). (nielsdos) . Fixed bug GH-16237 (Segmentation fault when cloning SoapServer). (nielsdos) diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c index 8183398a8d3..f1a62c71929 100644 --- a/ext/sockets/sockets.c +++ b/ext/sockets/sockets.c @@ -1211,6 +1211,11 @@ PHP_FUNCTION(socket_strerror) RETURN_THROWS(); } + if (ZEND_LONG_EXCEEDS_INT(arg1)) { + zend_argument_value_error(1, "must be between %d and %d", INT_MIN, INT_MAX); + RETURN_THROWS(); + } + RETURN_STRING(sockets_strerror(arg1)); } /* }}} */ diff --git a/ext/sockets/tests/gh16267.phpt b/ext/sockets/tests/gh16267.phpt new file mode 100644 index 00000000000..d2462b31645 --- /dev/null +++ b/ext/sockets/tests/gh16267.phpt @@ -0,0 +1,22 @@ +--TEST-- +GH-16267 - overflow on socket_strerror argument +--EXTENSIONS-- +sockets +--SKIPIF-- + +--FILE-- +getMessage() . PHP_EOL; +} +try { + socket_strerror(PHP_INT_MAX); +} catch (\ValueError $e) { + echo $e->getMessage() . PHP_EOL; +} +?> +--EXPECTF-- +socket_strerror(): Argument #1 ($error_code) must be between %s and %s +socket_strerror(): Argument #1 ($error_code) must be between %s and %s