Fix phpGH-14780: p(f)sockopen overflow on timeout argument.

devnexen · Jul 3, 2024 · 77acf3f · 77acf3f
1 parent cd67080
commit 77acf3f
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 4 deletions.
diff --git a/ext/standard/fsock.c b/ext/standard/fsock.c
@@ -30,6 +30,7 @@ static void php_fsockopen_stream(INTERNAL_FUNCTION_PARAMETERS, int persistent)
  char *host;
  size_t host_len;
  zend_long port = -1;
+ zend_ulong ltimeout;
  zval *zerrno = NULL, *zerrstr = NULL;
  double timeout;
  bool timeout_is_null = 1;
@@ -73,13 +74,23 @@ static void php_fsockopen_stream(INTERNAL_FUNCTION_PARAMETERS, int persistent)
  }
 
  /* prepare the timeout value for use */
+ ltimeout = (zend_ulong)(timeout * 1000000.0);
+ if (ltimeout < 0 || ltimeout > LONG_MAX) {
+ if (port > 0) {
+ efree(hostname);
+ }
+ if (hashkey) {
+ efree(hashkey);
+ }
+ zend_argument_value_error(6, "must be between 0 and " ZEND_LONG_FMT, (LONG_MAX / 1000000));
+ RETURN_THROWS();
+ }
 #ifndef PHP_WIN32
- conv = (time_t) (timeout * 1000000.0);
- tv.tv_sec = conv / 1000000;
+ conv = (time_t) (ltimeout);
 #else
- conv = (long) (timeout * 1000000.0);
- tv.tv_sec = conv / 1000000;
+ conv = (long) (ltimeout);
 #endif
+ tv.tv_sec = conv / 1000000;
  tv.tv_usec = conv % 1000000;
 
  stream = php_stream_xport_create(hostname, hostname_len, REPORT_ERRORS,

diff --git a/ext/standard/tests/streams/gh14780.phpt b/ext/standard/tests/streams/gh14780.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-14780: p(f)sockopen overflow on timeout.
+--FILE--
+<?php
+$code = null;
+$err = null;
+try {
+ pfsockopen('udp://127.0.0.1', '63844', $code, $err, (PHP_INT_MAX/1000000)+1);
+} catch (\ValueError $e) {
+ echo $e->getMessage();
+}
+--EXPECTF--
+pfsockopen(): Argument #6 must be between 0 and %s