Handle overflows

Author: arnaud-lb

Zend/tests/zend_ini_parse_quantity_error.phpt

@@ -18,14 +18,14 @@ foreach ($tests as $setting) {
   var_dump(zend_test_zend_ini_parse_quantity($setting));
 }
 --EXPECTF--
-Warning: Invalid quantity 'K': no valid leading digits, interpreting as '0' for backwards compatibility in %s%ezend_ini_parse_quantity_error.php on line %d
+Warning: Invalid quantity "K": no valid leading digits, interpreting as "0" for backwards compatibility in %s%ezend_ini_parse_quantity_error.php on line %d
 int(0)
 
-Warning: Invalid quantity '1KM', interpreting as '1M' for backwards compatibility in %s%ezend_ini_parse_quantity_error.php on line %d
+Warning: Invalid quantity "1KM", interpreting as "1M" for backwards compatibility in %s%ezend_ini_parse_quantity_error.php on line %d
 int(1048576)
 
-Warning: Invalid quantity '1X': unknown multipler 'X', interpreting as '1' for backwards compatibility in %s%ezend_ini_parse_quantity_error.php on line %d
+Warning: Invalid quantity "1X": unknown multipler "X", interpreting as "1" for backwards compatibility in %s%ezend_ini_parse_quantity_error.php on line %d
 int(1)
 
-Warning: Invalid quantity '1.0K', interpreting as '1K' for backwards compatibility in %s%ezend_ini_parse_quantity_error.php on line %d
+Warning: Invalid quantity "1.0K", interpreting as "1K" for backwards compatibility in %s%ezend_ini_parse_quantity_error.php on line %d
 int(1024)

Zend/tests/zend_ini_parse_quantity_ini_set_error.phpt

@@ -1,5 +1,5 @@
 --TEST--
-Test ini_set() with invalid quantity syntax
+Test ini_set() with invalid quantity
 --EXTENSIONS--
 zend_test
 --FILE--
@@ -8,6 +8,6 @@ zend_test
 var_dump(ini_set("zend_test.quantity_value", "1MB"));
 var_dump(ini_get("zend_test.quantity_value"));
 --EXPECTF--
-Warning: Invalid "zend_test.quantity_value" setting: Invalid quantity '1MB': unknown multipler 'B', interpreting as '1' for backwards compatibility in %s on line %d
+Warning: Invalid "zend_test.quantity_value" setting: Invalid quantity "1MB": unknown multipler "B", interpreting as "1" for backwards compatibility in %s on line %d
 string(1) "0"
 string(3) "1MB"

Zend/tests/zend_ini_parse_quantity_null.phpt

@@ -11,20 +11,20 @@ var_dump(zend_test_zend_ini_parse_quantity(" 123K\x00"));
 var_dump(zend_test_zend_ini_parse_quantity(" 123\x00"));
 
 --EXPECTF--
-Warning: Invalid quantity ' 123\x00K', interpreting as ' 123K' for backwards compatibility in %s on line %d
+Warning: Invalid quantity " 123\x00K", interpreting as " 123K" for backwards compatibility in %s on line %d
 int(125952)
 
-Warning: Invalid quantity '\x00 123K': no valid leading digits, interpreting as '0' for backwards compatibility in %s on line %d
+Warning: Invalid quantity "\x00 123K": no valid leading digits, interpreting as "0" for backwards compatibility in %s on line %d
 int(0)
 
-Warning: Invalid quantity ' \x00123K': no valid leading digits, interpreting as '0' for backwards compatibility in %s on line %d
+Warning: Invalid quantity " \x00123K": no valid leading digits, interpreting as "0" for backwards compatibility in %s on line %d
 int(0)
 
-Warning: Invalid quantity ' 123\x00K', interpreting as ' 123K' for backwards compatibility in %s on line %d
+Warning: Invalid quantity " 123\x00K", interpreting as " 123K" for backwards compatibility in %s on line %d
 int(125952)
 
-Warning: Invalid quantity ' 123K\x00': unknown multipler '\x00', interpreting as ' 123' for backwards compatibility in %s on line %d
+Warning: Invalid quantity " 123K\x00": unknown multipler "\x00", interpreting as " 123" for backwards compatibility in %s on line %d
 int(123)
 
-Warning: Invalid quantity ' 123\x00': unknown multipler '\x00', interpreting as ' 123' for backwards compatibility in %s on line %d
+Warning: Invalid quantity " 123\x00": unknown multipler "\x00", interpreting as " 123" for backwards compatibility in %s on line %d
 int(123)

Zend/zend_ini.c

@@ -541,94 +541,130 @@ ZEND_API bool zend_ini_parse_bool(zend_string *str)
 	}
 }
 
-ZEND_API zend_long zend_ini_parse_quantity(zend_string *value, zend_string **errstr) /* {{{ */
+static zend_long zend_ini_parse_quantity_internal(zend_string *value, bool signed_result, zend_string **errstr) /* {{{ */
 {
 	char *digits_end = NULL;
 	char *str = ZSTR_VAL(value);
-	size_t str_len = ZSTR_LEN(value);
+	char *str_end = &str[ZSTR_LEN(value)];
+	char *digits = str;
+	bool overflow = false;
+	zend_ulong factor;
 	smart_str invalid = {0};
 	smart_str interpreted = {0};
 	smart_str chr = {0};
 
+	/* Ignore leading whitespace. ZEND_STRTOL() also skips leading whitespaces,
+	 * but we need the position of the first non-whitespace later. */
+	while (digits < str_end && zend_is_whitespace(*digits)) ++digits;
+
 	/* Ignore trailing whitespace */
-	while (str_len && zend_is_whitespace(str[str_len-1])) --str_len;
+	while (digits < str_end && zend_is_whitespace(*(str_end-1))) --str_end;
 
-	if (!str_len) {
+	if (digits == str_end) {
 		*errstr = NULL;
 		return 0;
 	}
 
-	/* Perform following multiplications on unsigned to avoid overflow UB.
-	 * For now overflow is silently ignored -- not clear what else can be
-	 * done here, especially as the final result of this function may be
-	 * used in an unsigned context (e.g. "memory_limit=3G", which overflows
-	 * zend_long on 32-bit, but not size_t). */
-	zend_ulong retval = (zend_ulong) ZEND_STRTOL(str, &digits_end, 0);
+	zend_ulong retval;
+	errno = 0;
+
+	if (signed_result) {
+		retval = (zend_ulong) ZEND_STRTOL(digits, &digits_end, 0);
+	} else {
+		retval = ZEND_STRTOUL(digits, &digits_end, 0);
+	}
+
+	if (errno == ERANGE) {
+		overflow = true;
+	} else if (!signed_result) {
+		/* ZEND_STRTOUL() does not report a range error when the subject starts
+		 * with a minus sign, so we check this here. Ignore "-1" as it is
+		 * commonly used as max value, for instance in memory_limit=-1. */
+		if (digits[0] == '-' && !(digits_end - digits == 2 && digits_end == str_end && digits[1] == '1')) {
+			overflow = true;
+		}
+	}
+
+	if (UNEXPECTED(digits_end == digits)) {
+		/* No leading digits */
 
-	if (digits_end == str) {
-		smart_str_append_escaped(&invalid, str, str_len);
+		/* Escape the string to avoid null bytes and to make non-printable chars
+		 * visible */
+		smart_str_append_escaped(&invalid, ZSTR_VAL(value), ZSTR_LEN(value));
 		smart_str_0(&invalid);
 
-		*errstr = zend_strpprintf(0, "Invalid quantity '%s': no valid leading digits, interpreting as '0' for backwards compatibility",
+		*errstr = zend_strpprintf(0, "Invalid quantity \"%s\": no valid leading digits, interpreting as \"0\" for backwards compatibility",
 						ZSTR_VAL(invalid.s));
 
 		smart_str_free(&invalid);
 		return 0;
 	}
 
 	/* Allow for whitespace between integer portion and any suffix character */
-	while (digits_end < &str[str_len] && zend_is_whitespace(*digits_end)) ++digits_end;
+	while (digits_end < str_end && zend_is_whitespace(*digits_end)) ++digits_end;
 
 	/* No exponent suffix. */
-	if (digits_end == &str[str_len]) {
-		*errstr = NULL;
-		return retval;
-	}
-
-	if (str_len>0) {
-		switch (str[str_len-1]) {
-			case 'g':
-			case 'G':
-				retval *= 1024;
-				ZEND_FALLTHROUGH;
-			case 'm':
-			case 'M':
-				retval *= 1024;
-				ZEND_FALLTHROUGH;
-			case 'k':
-			case 'K':
-				retval *= 1024;
-				break;
-			default:
-				/* Unknown suffix */
-				smart_str_append_escaped(&invalid, str, str_len);
-				smart_str_0(&invalid);
-				smart_str_append_escaped(&interpreted, str, digits_end - str);
-				smart_str_0(&interpreted);
-				smart_str_append_escaped(&chr, &str[str_len-1], 1);
-				smart_str_0(&chr);
-
-				*errstr = zend_strpprintf(0, "Invalid quantity '%s': unknown multipler '%s', interpreting as '%s' for backwards compatibility",
-							ZSTR_VAL(invalid.s), ZSTR_VAL(chr.s), ZSTR_VAL(interpreted.s));
-
-				smart_str_free(&invalid);
-				smart_str_free(&interpreted);
-				smart_str_free(&chr);
-
-				return retval;
+	if (digits_end == str_end) {
+		goto end;
+	}
+
+	switch (*(str_end-1)) {
+		case 'g':
+		case 'G':
+			factor = 1<<30;
+			break;
+		case 'm':
+		case 'M':
+			factor = 1<<20;
+			break;
+		case 'k':
+		case 'K':
+			factor = 1<<10;
+			break;
+		default:
+			/* Unknown suffix */
+			smart_str_append_escaped(&invalid, ZSTR_VAL(value), ZSTR_LEN(value));
+			smart_str_0(&invalid);
+			smart_str_append_escaped(&interpreted, str, digits_end - str);
+			smart_str_0(&interpreted);
+			smart_str_append_escaped(&chr, str_end-1, 1);
+			smart_str_0(&chr);
+
+			*errstr = zend_strpprintf(0, "Invalid quantity \"%s\": unknown multipler \"%s\", interpreting as \"%s\" for backwards compatibility",
+						ZSTR_VAL(invalid.s), ZSTR_VAL(chr.s), ZSTR_VAL(interpreted.s));
+
+			smart_str_free(&invalid);
+			smart_str_free(&interpreted);
+			smart_str_free(&chr);
+
+			return retval;
+	}
+
+	if (!overflow) {
+		if (signed_result) {
+			zend_long sretval = (zend_long)retval;
+			if (sretval > 0) {
+				overflow = (zend_long)retval > ZEND_LONG_MAX / (zend_long)factor;
+			} else {
+				overflow = (zend_long)retval < ZEND_LONG_MIN / (zend_long)factor;
+			}
+		} else {
+			overflow = retval > ZEND_ULONG_MAX / factor;
 		}
 	}
 
-	if (digits_end < &str[str_len-1]) {
+	retval *= factor;
+
+	if (UNEXPECTED(digits_end != str_end-1)) {
 		/* More than one character in suffix */
-		smart_str_append_escaped(&invalid, str, str_len);
+		smart_str_append_escaped(&invalid, ZSTR_VAL(value), ZSTR_LEN(value));
 		smart_str_0(&invalid);
 		smart_str_append_escaped(&interpreted, str, digits_end - str);
 		smart_str_0(&interpreted);
-		smart_str_append_escaped(&chr, &str[str_len-1], 1);
+		smart_str_append_escaped(&chr, str_end-1, 1);
 		smart_str_0(&chr);
 
-		*errstr = zend_strpprintf(0, "Invalid quantity '%s', interpreting as '%s%s' for backwards compatibility",
+		*errstr = zend_strpprintf(0, "Invalid quantity \"%s\", interpreting as \"%s%s\" for backwards compatibility",
 						ZSTR_VAL(invalid.s), ZSTR_VAL(interpreted.s), ZSTR_VAL(chr.s));
 
 		smart_str_free(&invalid);
@@ -638,11 +674,41 @@ ZEND_API zend_long zend_ini_parse_quantity(zend_string *value, zend_string **err
 		return (zend_long) retval;
 	}
 
+end:
+	if (UNEXPECTED(overflow)) {
+		smart_str_append_escaped(&invalid, ZSTR_VAL(value), ZSTR_LEN(value));
+		smart_str_0(&invalid);
+
+		/* Not specifying the resulting value here because the caller may make
+		 * additional conversions. Not specifying the allowed range
+		 * because the caller may do narrower range checks. */
+		*errstr = zend_strpprintf(0, "Invalid quantity \"%s\": value is out of range, using overflow result for backwards compatibility",
+						ZSTR_VAL(invalid.s));
+
+		smart_str_free(&invalid);
+		smart_str_free(&interpreted);
+		smart_str_free(&chr);
+
+		return (zend_long) retval;
+	}
+
 	*errstr = NULL;
 	return (zend_long) retval;
 }
 /* }}} */
 
+ZEND_API zend_long zend_ini_parse_quantity(zend_string *value, zend_string **errstr) /* {{{ */
+{
+	return zend_ini_parse_quantity_internal(value, true, errstr);
+}
+/* }}} */
+
+zend_ulong zend_ini_parse_uquantity(zend_string *value, zend_string **errstr) /* {{{ */
+{
+	return (zend_ulong) zend_ini_parse_quantity_internal(value, false, errstr);
+}
+/* }}} */
+
 ZEND_INI_DISP(zend_ini_boolean_displayer_cb) /* {{{ */
 {
 	int value;

Zend/zend_ini.h

@@ -91,27 +91,47 @@ ZEND_API zend_string *zend_ini_get_value(zend_string *name);
 ZEND_API bool zend_ini_parse_bool(zend_string *str);
 
 /**
- * Parses a quantity
+ * Parses an ini quantity
  *
- * value must be a string of digits optionally followed by a multiplier
- * character K, M, or G (for 2**10, 2**20, and 2**30, respectively).
+ * The value parameter must be a string in the form
  *
- * The digits are parsed as decimal unless the first character is '0', in which
- * case they are parsed as octal.
+ *     sign? digits ws* multipler?
  *
- * Whitespaces before and after the multiplier are ignored.
+ * with
+ *
+ *     sign: [+-]
+ *     digit: [0-9]
+ *     digits: digit+
+ *     ws: [ \t\n\r\v\f]
+ *     multipler: [KMG]
+ *
+ * Leading and trailing whitespaces are ignored.
+ *
+ * If the string is empty or consists only of only whitespaces, 0 is returned.
+ *
+ * Digits is parsed as decimal unless the first digit is '0', in which case
+ * digits is parsed as octal.
+ *
+ * The multiplier is case-insensitive. K, M, and G multiply the quantity by
+ * 2**10, 2**20, and 2**30, respectively.
  *
  * For backwards compatibility, ill-formatted values are handled as follows:
  * - No leading digits: value is treated as '0'
  * - Invalid multiplier: multiplier is ignored
  * - Invalid characters between digits and multiplier: invalid characters are
  *   ignored
+ * - Integer overflow: The result of the overflow is returned
  *
  * In any of these cases an error string is stored in *errstr (caller must
  * release it), otherwise *errstr is set to NULL.
  */
 ZEND_API zend_long zend_ini_parse_quantity(zend_string *value, zend_string **errstr);
 
+/**
+ * Unsigned variant of zend_ini_parse_quantity
+ */
+ZEND_API zend_ulong zend_ini_parse_uquantity(zend_string *value, zend_string **errstr);
+
 ZEND_API zend_result zend_ini_register_displayer(const char *name, uint32_t name_length, void (*displayer)(zend_ini_entry *ini_entry, int type));
 
 ZEND_API ZEND_INI_DISP(zend_ini_boolean_displayer_cb);

ext/zend_test/test.c

@@ -373,6 +373,23 @@ static ZEND_FUNCTION(zend_test_zend_ini_parse_quantity)
 	}
 }
 
+static ZEND_FUNCTION(zend_test_zend_ini_parse_uquantity)
+{
+	zend_string *str;
+	zend_string *errstr;
+
+	ZEND_PARSE_PARAMETERS_START(1, 1)
+		Z_PARAM_STR(str)
+	ZEND_PARSE_PARAMETERS_END();
+
+	RETVAL_LONG((zend_long)zend_ini_parse_uquantity(str, &errstr));
+
+	if (errstr) {
+		zend_error(E_WARNING, "%s", ZSTR_VAL(errstr));
+		zend_string_release(errstr);
+	}
+}
+
 static ZEND_FUNCTION(namespaced_func)
 {
 	ZEND_PARSE_PARAMETERS_NONE();

ext/zend_test/test.stub.php

@@ -122,6 +122,7 @@ function zend_get_current_func_name(): string {}
     function zend_call_method(object|string $obj_or_class, string $method, mixed $arg1 = UNKNOWN, mixed $arg2 = UNKNOWN): mixed {}
 
     function zend_test_zend_ini_parse_quantity(string $str): int {}
+    function zend_test_zend_ini_parse_uquantity(string $str): int {}
 }
 
 namespace ZendTestNS {