Fix #72146: Integer overflow on substr_replace

cmb69 · cmb69 · commit 33f8dfb15a34 · 2021-07-15T12:54:28.000+02:00
Adding two `zend_long`s may overflow, and casting `size_t` to `zend_long` may truncate; we can avoid this here by enforcing unsigned arithmetic. Closes GH-7240.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,8 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.4.23
 
+- Standard:
+  . Fixed bug #72146 (Integer overflow on substr_replace). (cmb)
 
 29 Jul 2021, PHP 7.4.22
 
diff --git a/ext/standard/string.c b/ext/standard/string.c
@@ -2664,7 +2664,9 @@ PHP_FUNCTION(substr_replace)
 				}
 			}
 
-			if ((f + l) > (zend_long)ZSTR_LEN(orig_str)) {
+			ZEND_ASSERT(0 <= f && f <= ZEND_LONG_MAX);
+			ZEND_ASSERT(0 <= l && l <= ZEND_LONG_MAX);
+			if (((size_t) f + l) > ZSTR_LEN(orig_str)) {
 				l = ZSTR_LEN(orig_str) - f;
 			}
 
diff --git a/ext/standard/tests/strings/bug72146.phpt b/ext/standard/tests/strings/bug72146.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #72146 (Integer overflow on substr_replace)
+--FILE--
+<?php 
+var_dump(substr_replace(["ABCDE"], "123", 3, PHP_INT_MAX));
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(6) "ABC123"
+}

Original file line number	Diff line number	Diff line change
`@@ -2664,7 +2664,9 @@ PHP_FUNCTION(substr_replace)`
`2664`	`2664`	`}`
`2665`	`2665`	`}`
`2666`	`2666`
`2667`		`- if ((f + l) > (zend_long)ZSTR_LEN(orig_str)) {`
	`2667`	`+ ZEND_ASSERT(0 <= f && f <= ZEND_LONG_MAX);`
	`2668`	`+ ZEND_ASSERT(0 <= l && l <= ZEND_LONG_MAX);`
	`2669`	`+ if (((size_t) f + l) > ZSTR_LEN(orig_str)) {`
`2668`	`2670`	`l = ZSTR_LEN(orig_str) - f;`
`2669`	`2671`	`}`
`2670`	`2672`