Fixed GH-15547: curl_multi_wait expects a signed int for timeout.

devnexen · devnexen · commit cc67220ea357 · 2024-08-27T04:56:32.000+01:00
confusion might come from the previous argument type. PHP expects ms so we check it fits integer boundaries before the cast. raising a warning at least for stable branches. close GH-15548
diff --git a/NEWS b/NEWS
@@ -12,6 +12,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-15587 (CRC32 API build error on arm 32-bit).
     (Bernd Kuhls, Thomas Petazzoni)
 
+- Curl:
+  . FIxed bug GH-15547 (curl_multi_select overflow on timeout argument).
+    (David Carlier)
+
 - DOM:
   . Fixed bug GH-15551 (Segmentation fault (access null pointer) in
     ext/dom/xml_common.h). (nielsdos)
diff --git a/ext/curl/multi.c b/ext/curl/multi.c
@@ -187,7 +187,15 @@ PHP_FUNCTION(curl_multi_select)
 
 	mh = Z_CURL_MULTI_P(z_mh);
 
-	error = curl_multi_wait(mh->multi, NULL, 0, (unsigned long) (timeout * 1000.0), &numfds);
+	if (!(timeout >= 0.0 && timeout <= ((double)INT_MAX / 1000.0))) {
+		php_error_docref(NULL, E_WARNING, "timeout must be between 0 and %d", (int)ceilf((double)INT_MAX / 1000));
+#ifdef CURLM_BAD_FUNCTION_ARGUMENT
+		SAVE_CURLM_ERROR(mh, CURLM_BAD_FUNCTION_ARGUMENT);
+#endif
+		RETURN_LONG(-1);
+	}
+
+	error = curl_multi_wait(mh->multi, NULL, 0, (int) (timeout * 1000.0), &numfds);
 	if (CURLM_OK != error) {
 		SAVE_CURLM_ERROR(mh, error);
 		RETURN_LONG(-1);
diff --git a/ext/curl/tests/gh15547.phpt b/ext/curl/tests/gh15547.phpt
@@ -0,0 +1,29 @@
+--TEST--
+GH-15547 - curl_multi_select overflow on timeout argument
+--EXTENSIONS--
+curl
+--FILE--
+<?php
+
+$mh = curl_multi_init();
+var_dump(curl_multi_select($mh, -2500000));
+var_dump(curl_multi_strerror(curl_multi_errno($mh)));
+curl_multi_close($mh);
+$mh = curl_multi_init();
+var_dump(curl_multi_select($mh, 2500000));
+var_dump(curl_multi_strerror(curl_multi_errno($mh)));
+curl_multi_close($mh);
+$mh = curl_multi_init();
+var_dump(curl_multi_select($mh, 1000000));
+var_dump(curl_multi_strerror(curl_multi_errno($mh)));
+?>
+--EXPECTF--
+Warning: curl_multi_select(): timeout must be between 0 and %d in %s on line %d
+int(-1)
+%s
+
+Warning: curl_multi_select(): timeout must be between 0 and %d in %s on line %d
+int(-1)
+%s
+int(0)
+string(8) "No error"
