Fix phpGH-14807 ext/standard levenshtein overflow on 3rd, 4th and 5th…

… arguments.
devnexen · Jul 4, 2024 · 4fdbb09 · 4fdbb09
1 parent a8d1955
commit 4fdbb09
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 0 deletions.
diff --git a/ext/standard/levenshtein.c b/ext/standard/levenshtein.c
@@ -78,6 +78,20 @@ PHP_FUNCTION(levenshtein)
  RETURN_THROWS();
  }
 
+ if (ZEND_LONG_UINT_OVFL(cost_ins)) {
+ zend_argument_value_error(3, "must be between 0 and %u", UINT_MAX);
+ RETURN_THROWS();
+ }
+
+ if (ZEND_LONG_UINT_OVFL(cost_rep)) {
+ zend_argument_value_error(4, "must be between 0 and %u", UINT_MAX);
+ RETURN_THROWS();
+ }
+
+ if (ZEND_LONG_UINT_OVFL(cost_del)) {
+ zend_argument_value_error(5, "must be between 0 and %u", UINT_MAX);
+ RETURN_THROWS();
+ }
 
  RETURN_LONG(reference_levdist(string1, string2, cost_ins, cost_rep, cost_del));
 }

diff --git a/ext/standard/tests/strings/gh14807.phpt b/ext/standard/tests/strings/gh14807.phpt
@@ -0,0 +1,33 @@
+--TEST--
+GH-14807 overflow on insertion_cost/replacement_cost/deletion_cost
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platform only");
+?>
+--FILE--
+<?php
+$str1 = "abcd";
+$str2 = "defg";
+
+try {
+ levenshtein($str1, $str2, PHP_INT_MIN);
+} catch (\ValueError $e) {
+ echo $e->getMessage() . PHP_EOL;
+}
+
+try {
+ levenshtein($str1, $str2, 1, PHP_INT_MIN);
+} catch (\ValueError $e) {
+ echo $e->getMessage() . PHP_EOL;
+}
+
+try {
+ levenshtein($str1, $str2, 1, 1, PHP_INT_MIN);
+} catch (\ValueError $e) {
+ echo $e->getMessage() . PHP_EOL;
+}
+?>
+--EXPECTF--
+levenshtein(): Argument #3 ($insertion_cost) must be between 0 and %d
+levenshtein(): Argument #4 ($replacement_cost) must be between 0 and %d
+levenshtein(): Argument #5 ($deletion_cost) must be between 0 and %d