Merge branch 'PHP-8.1' into PHP-8.2

nielsdos · nielsdos · commit e9195b21cc0f · 2023-03-28T22:43:53.000+02:00
* PHP-8.1:
  Fix undefined behaviour in unpack()
diff --git a/NEWS b/NEWS
@@ -81,6 +81,7 @@ PHP                                                                        NEWS
     (apache2)). (nielsdos)
   . Fixed oss-fuzz #57392 (Buffer-overflow in php_fgetcsv() with \0 delimiter
     and enclosure). (ilutov)
+  . Fixed undefined behaviour in unpack(). (nielsdos)
 
 16 Mar 2023, PHP 8.2.4
 
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
@@ -750,7 +750,16 @@ PHP_FUNCTION(unpack)
 			c = *format;
 
 			if (c >= '0' && c <= '9') {
-				repetitions = atoi(format);
+				errno = 0;
+				long tmp = strtol(format, NULL, 10);
+				/* There is not strtoi. We have to check the range ourselves.
+				 * With 32-bit long the INT_{MIN,MAX} are useless because long == int, but with 64-bit they do limit us to 32-bit. */
+				if (errno || tmp < INT_MIN || tmp > INT_MAX) {
+					php_error_docref(NULL, E_WARNING, "Type %c: integer overflow", type);
+					zend_array_destroy(Z_ARR_P(return_value));
+					RETURN_FALSE;
+				}
+				repetitions = tmp;
 
 				while (formatlen > 0 && *format >= '0' && *format <= '9') {
 					format++;
@@ -800,7 +809,7 @@ PHP_FUNCTION(unpack)
 
 			case 'h':
 			case 'H':
-				size = (repetitions > 0) ? (repetitions + (repetitions % 2)) / 2 : repetitions;
+				size = (repetitions > 0) ? ((unsigned int) repetitions + 1) / 2 : repetitions;
 				repetitions = 1;
 				break;
 
@@ -865,12 +874,6 @@ PHP_FUNCTION(unpack)
 				RETURN_THROWS();
 		}
 
-		if (size != 0 && size != -1 && size < 0) {
-			php_error_docref(NULL, E_WARNING, "Type %c: integer overflow", type);
-			zend_array_destroy(Z_ARR_P(return_value));
-			RETURN_FALSE;
-		}
-
 
 		/* Do actual unpacking */
 		for (i = 0; i != repetitions; i++ ) {
diff --git a/ext/standard/tests/strings/gh10940.phpt b/ext/standard/tests/strings/gh10940.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Test unpacking at the 32-bit integer limit
+--FILE--
+<?php
+$a = pack("AAAAAAAAAAAA", 1,2,3,4,5,6,7,8,9,10,11,12);
+unpack('h2147483647', $a);
+?>
+--EXPECTF--
+Warning: unpack(): Type h: not enough input, need 1073741824, have 12 in %s on line %d
