From cc67220ea357132b83dc2214aceb9ba07ff99912 Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Thu, 22 Aug 2024 22:41:39 +0100
Subject: [PATCH] Fixed GH-15547: curl_multi_wait expects a signed int for
 timeout.

confusion might come from the previous argument type.
PHP expects ms so we check it fits integer boundaries before the cast.
raising a warning at least for stable branches.

close GH-15548
---
 NEWS                        |  4 ++++
 ext/curl/multi.c            | 10 +++++++++-
 ext/curl/tests/gh15547.phpt | 29 +++++++++++++++++++++++++++++
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 ext/curl/tests/gh15547.phpt

diff --git a/NEWS b/NEWS
index 60a17e3cb15..3be42abdd2b 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-15587 (CRC32 API build error on arm 32-bit).
     (Bernd Kuhls, Thomas Petazzoni)
 
+- Curl:
+  . FIxed bug GH-15547 (curl_multi_select overflow on timeout argument).
+    (David Carlier)
+
 - DOM:
   . Fixed bug GH-15551 (Segmentation fault (access null pointer) in
     ext/dom/xml_common.h). (nielsdos)
diff --git a/ext/curl/multi.c b/ext/curl/multi.c
index e8c32301d2e..70cc7e03664 100644
--- a/ext/curl/multi.c
+++ b/ext/curl/multi.c
@@ -187,7 +187,15 @@ PHP_FUNCTION(curl_multi_select)
 
 	mh = Z_CURL_MULTI_P(z_mh);
 
-	error = curl_multi_wait(mh->multi, NULL, 0, (unsigned long) (timeout * 1000.0), &numfds);
+	if (!(timeout >= 0.0 && timeout <= ((double)INT_MAX / 1000.0))) {
+		php_error_docref(NULL, E_WARNING, "timeout must be between 0 and %d", (int)ceilf((double)INT_MAX / 1000));
+#ifdef CURLM_BAD_FUNCTION_ARGUMENT
+		SAVE_CURLM_ERROR(mh, CURLM_BAD_FUNCTION_ARGUMENT);
+#endif
+		RETURN_LONG(-1);
+	}
+
+	error = curl_multi_wait(mh->multi, NULL, 0, (int) (timeout * 1000.0), &numfds);
 	if (CURLM_OK != error) {
 		SAVE_CURLM_ERROR(mh, error);
 		RETURN_LONG(-1);
diff --git a/ext/curl/tests/gh15547.phpt b/ext/curl/tests/gh15547.phpt
new file mode 100644
index 00000000000..bbb1d5c5b03
--- /dev/null
+++ b/ext/curl/tests/gh15547.phpt
@@ -0,0 +1,29 @@
+--TEST--
+GH-15547 - curl_multi_select overflow on timeout argument
+--EXTENSIONS--
+curl
+--FILE--
+<?php
+
+$mh = curl_multi_init();
+var_dump(curl_multi_select($mh, -2500000));
+var_dump(curl_multi_strerror(curl_multi_errno($mh)));
+curl_multi_close($mh);
+$mh = curl_multi_init();
+var_dump(curl_multi_select($mh, 2500000));
+var_dump(curl_multi_strerror(curl_multi_errno($mh)));
+curl_multi_close($mh);
+$mh = curl_multi_init();
+var_dump(curl_multi_select($mh, 1000000));
+var_dump(curl_multi_strerror(curl_multi_errno($mh)));
+?>
+--EXPECTF--
+Warning: curl_multi_select(): timeout must be between 0 and %d in %s on line %d
+int(-1)
+%s
+
+Warning: curl_multi_select(): timeout must be between 0 and %d in %s on line %d
+int(-1)
+%s
+int(0)
+string(8) "No error"