From 4fdbb09b3521f54bd4b0cf252454c73894cd9390 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Thu, 4 Jul 2024 06:41:19 +0100
Subject: [PATCH] Fix GH-14807 ext/standard levenshtein overflow on 3rd, 4th and 5th arguments.
---
ext/standard/levenshtein.c | 14 +++++++++++
ext/standard/tests/strings/gh14807.phpt | 33 +++++++++++++++++++++++++
2 files changed, 47 insertions(+)
create mode 100644 ext/standard/tests/strings/gh14807.phpt
diff --git a/ext/standard/levenshtein.c b/ext/standard/levenshtein.c
index b336be2220864..e7f9397988252 100644
--- a/ext/standard/levenshtein.c
+++ b/ext/standard/levenshtein.c
@@ -78,6 +78,20 @@ PHP_FUNCTION(levenshtein)
 RETURN_THROWS();
 }
+ if (ZEND_LONG_UINT_OVFL(cost_ins)) {
+ zend_argument_value_error(3, "must be between 0 and %u", UINT_MAX);
+ RETURN_THROWS();
+ }
+
+ if (ZEND_LONG_UINT_OVFL(cost_rep)) {
+ zend_argument_value_error(4, "must be between 0 and %u", UINT_MAX);
+ RETURN_THROWS();
+ }
+
+ if (ZEND_LONG_UINT_OVFL(cost_del)) {
+ zend_argument_value_error(5, "must be between 0 and %u", UINT_MAX);
+ RETURN_THROWS();
+ }
 RETURN_LONG(reference_levdist(string1, string2, cost_ins, cost_rep, cost_del));
 }
diff --git a/ext/standard/tests/strings/gh14807.phpt b/ext/standard/tests/strings/gh14807.phpt
new file mode 100644
index 0000000000000..ff3782f7ba63c
--- /dev/null
+++ b/ext/standard/tests/strings/gh14807.phpt
@@ -0,0 +1,33 @@
+--TEST--
+GH-14807 overflow on insertion_cost/replacement_cost/deletion_cost
+--SKIPIF--
+
+--FILE--
+getMessage() . PHP_EOL;
+}
+
+try {
+ levenshtein($str1, $str2, 1, PHP_INT_MIN);
+} catch (\ValueError $e) {
+ echo $e->getMessage() . PHP_EOL;
+}
+
+try {
+ levenshtein($str1, $str2, 1, 1, PHP_INT_MIN);
+} catch (\ValueError $e) {
+ echo $e->getMessage() . PHP_EOL;
+}
+?>
+--EXPECTF--
+levenshtein(): Argument #3 ($insertion_cost) must be between 0 and %d
+levenshtein(): Argument #4 ($replacement_cost) must be between 0 and %d
+levenshtein(): Argument #5 ($deletion_cost) must be between 0 and %d
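Review bot: The three new range checks rely entirely on `ZEND_LONG_UINT_OVFL`, and as far as I recall that macro expands to a constant `(0)` on builds where `int` and `zend_long` have the same width, so on a 32-bit build a negative cost such as `PHP_INT_MIN` would presumably still reach `reference_levdist()`. If that holds, an explicit sign test keeps the guard effective on every platform, e.g. `if (cost_ins < 0 || ZEND_LONG_UINT_OVFL(cost_ins)) {`, and likewise for `cost_rep` and `cost_del`. The start of `PHP_FUNCTION(levenshtein)` and the body of `reference_levdist()` are outside the hunk, so whether costs as large as `UINT_MAX` summed over long inputs stay within `zend_long` there should be confirmed rather than assumed. A short comment above the first check would record the intent, e.g. `/* reject negative and out-of-range costs before they reach reference_levdist() (GH-14807) */`.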
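Review bot: Only the lower edge of the new range is exercised: the visible calls pass `PHP_INT_MIN`, and nothing checks a value just above the upper limit or a small negative such as `-1`. Adding a case like `levenshtein($str1, $str2, 4294967296);` (constructed value, one past a 32-bit `UINT_MAX`) with the same expected message would pin the `> UINT_MAX` branch of the check. The `--SKIPIF--` body and the opening of the `--FILE--` section are missing from this rendering of the hunk, so the first call is assumed to mirror the other two.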