From 332b067c5ee7d6d406180afc5eca50762fe6fc06 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Tue, 17 Sep 2024 19:43:42 +0100 Subject: [PATCH] Fix GH-15937: stream timeout option overflow. close GH-15942 --- NEWS | 2 ++ ext/standard/tests/streams/gh15937.phpt | 16 ++++++++++++++++ main/php_network.h | 2 +- 3 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 ext/standard/tests/streams/gh15937.phpt diff --git a/NEWS b/NEWS index 594b766a940..81f87a74289 100644 --- a/NEWS +++ b/NEWS @@ -43,6 +43,8 @@ PHP NEWS - Standard: . Fixed bug GH-15613 (overflow on unpack call hex string repeater). (David Carlier) + . Fixed bug GH-15937 (overflow on stream timeout option value). + (David Carlier) - Streams: . Fixed bugs GH-15908 and GH-15026 (leak / assertion failure in streams.c). diff --git a/ext/standard/tests/streams/gh15937.phpt b/ext/standard/tests/streams/gh15937.phpt new file mode 100644 index 00000000000..db0564342b1 --- /dev/null +++ b/ext/standard/tests/streams/gh15937.phpt @@ -0,0 +1,16 @@ +--TEST-- +GH-15937 (stream overflow on timeout setting) +--SKIPIF-- + +--FILE-- + [ + 'timeout' => PHP_INT_MAX, + ], +]; +$ctx = stream_context_create($config); +var_dump(fopen("http://www.example.com", "r", false, $ctx)); +?> +--EXPECTF-- +resource(%d) of type (stream) diff --git a/main/php_network.h b/main/php_network.h index a3b7ba7ab31..fda61b87cb4 100644 --- a/main/php_network.h +++ b/main/php_network.h @@ -162,7 +162,7 @@ PHPAPI int php_poll2(php_pollfd *ufds, unsigned int nfds, int timeout); /* timeval-to-timeout (for poll(2)) */ static inline int php_tvtoto(struct timeval *timeouttv) { - if (timeouttv) { + if (timeouttv && timeouttv->tv_sec >= 0 && timeouttv->tv_sec <= ((INT_MAX - 1000) / 1000)) { return (timeouttv->tv_sec * 1000) + (timeouttv->tv_usec / 1000); } return -1;