From 3bea6a2ddbe02cd9da10f66091f9996ae43de64e Mon Sep 17 00:00:00 2001 From: David Carlier Date: Thu, 28 Nov 2024 13:00:42 +0000 Subject: [PATCH] ext/sockets: socket_strerror follow-up on GH-16267 fix. boundaries should be INT_MIN <= val < INT_MAX in fact. close GH-16891 --- NEWS | 4 ++++ ext/sockets/sockets.c | 6 +++++- ext/sockets/tests/gh16267.phpt | 14 +++++--------- 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/NEWS b/NEWS index 09abb4f1ab1..2dee36b440b 100644 --- a/NEWS +++ b/NEWS @@ -14,6 +14,10 @@ PHP NEWS - SimpleXML: . Fixed bug GH-17040 (SimpleXML's unset can break DOM objects). (nielsdos) +- Sockets: + . Fixed bug GH-16276 (socket_strerror overflow handling with INT_MIN). + (David Carlier / cmb) + - Streams: . Fixed bug GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling). (nielsdos) diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c index 2f731b3b05a..e1b350b4045 100644 --- a/ext/sockets/sockets.c +++ b/ext/sockets/sockets.c @@ -354,7 +354,11 @@ char *sockets_strerror(int error) /* {{{ */ #ifndef PHP_WIN32 if (error < -10000) { - error = -error - 10000; + if (error == INT_MIN) { + error = 2147473648; + } else { + error = -error - 10000; + } #ifdef HAVE_HSTRERROR buf = hstrerror(error); diff --git a/ext/sockets/tests/gh16267.phpt b/ext/sockets/tests/gh16267.phpt index d2462b31645..de3e1b657fb 100644 --- a/ext/sockets/tests/gh16267.phpt +++ b/ext/sockets/tests/gh16267.phpt @@ -3,20 +3,16 @@ GH-16267 - overflow on socket_strerror argument --EXTENSIONS-- sockets --SKIPIF-- - + --FILE-- getMessage() . PHP_EOL; -} -try { - socket_strerror(PHP_INT_MAX); + socket_strerror(2147483648); } catch (\ValueError $e) { echo $e->getMessage() . PHP_EOL; } ?> --EXPECTF-- -socket_strerror(): Argument #1 ($error_code) must be between %s and %s -socket_strerror(): Argument #1 ($error_code) must be between %s and %s +string(%d) "%S" +socket_strerror(): Argument #1 ($error_code) must be between %i and %d
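Review bot: The INT_MIN special case added to sockets_strerror hard-codes `2147473648`, which is only right for a 32-bit int and differs by a single digit from the `2147483648` used in the test, so it is easy to misread or mistype. Because this branch only runs when `error < -10000`, `error = -(error + 10000);` yields the same value for every input including INT_MIN and never negates a value that can overflow, which removes both the literal and the extra branch. If the special case is kept instead, a comment such as `/* -(INT_MIN) - 10000, precomputed to avoid signed overflow */` on the literal would make the intent clear. The function body starts and continues outside the hunk.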