From 865739e5b196390f2eb1c5aeb2a7551e31da87cb Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sun, 29 Jun 2025 13:03:43 +0100
Subject: [PATCH] Fix GH-18976: pack with h or H format string overflow.
adding with its own remainder, INT_MAX overflows here (negative values are discarded).
close GH-18977
---
 NEWS | 2 ++
 ext/standard/pack.c | 2 +-
 ext/standard/tests/strings/gh18976.phpt | 14 ++++++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/strings/gh18976.phpt
diff --git a/NEWS b/NEWS
index 61e1697b62d..267681cfa26 100644
--- a/NEWS
+++ b/NEWS
@@ -33,6 +33,8 @@ PHP NEWS
 - Standard:
 . Fix misleading errors in printf(). (nielsdos)
 . Fix RCN violations in array functions. (nielsdos)
+ . Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value.
+ (David Carlier)
 - Streams:
 . Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
index 8f72164a269..46798e7403d 100644
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@@ -388,7 +388,7 @@ too_few_args:
 switch ((int) code) {
 case 'h':
 case 'H':
- INC_OUTPUTPOS((arg + (arg % 2)) / 2,1) /* 4 bit per arg */
+ INC_OUTPUTPOS((arg / 2) + (arg % 2),1) /* 4 bit per arg */
 break;
 case 'a':
diff --git a/ext/standard/tests/strings/gh18976.phpt b/ext/standard/tests/strings/gh18976.phpt
new file mode 100644
index 00000000000..aa58167f9d4
--- /dev/null
+++ b/ext/standard/tests/strings/gh18976.phpt
@@ -0,0 +1,14 @@
+--TEST--
+GH-18976 (pack overflow with h/H format)
+--INI--
+memory_limit=-1
+--FILE--
+
+--EXPECTF--
+
+Warning: pack(): Type h: not enough characters in string in %s on line %d
+
+Warning: pack(): Type H: not enough characters in string in %s on line %d
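Review bot: The rewritten expression `(arg / 2) + (arg % 2)` has the right shape, but the retained comment `/* 4 bit per arg */` does not say why the rounding is split this way, so a later cleanup to the more obvious `(arg + 1) / 2` (or back to `(arg + (arg % 2)) / 2`) would silently reintroduce the signed overflow at `arg == INT_MAX` that GH-18976 reports. I would extend it to `/* ceil(arg / 2) without forming arg + 1, which overflows at INT_MAX (GH-18976) */`. The declaration of `arg` and the body of INC_OUTPUTPOS are outside the hunk; the commit message's claim that negative values are discarded rests on the macro's own check, and the new expression only stays non-negative if `arg` is non-negative on entry, which this hunk cannot show. If the unpack() side of this file computes the h/H byte count with the same `(n + (n % 2)) / 2` idiom, it is exposed to the same INT_MAX repeater and should get the same rewrite.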
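Review bot: The --FILE-- section is empty in this rendering (the PHP body appears to have been stripped), so the actual pack() calls cannot be reviewed here; only the INI block and the two expected warnings are visible. `memory_limit=-1` suggests each call must be allowed to allocate on the order of INT_MAX/2 bytes of output, which can fail or time out on 32-bit or memory-constrained CI workers. Consider adding a `--SKIPIF--` section that skips when `PHP_INT_SIZE` is 4 or when that much memory cannot be reserved, and a one-line comment in the test body naming the expected allocation so the reason for the unlimited memory_limit is clear to the next reader.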