From f9a16d4cf9430eeb3a464b8f27fa2364eda7a2b9 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 11 Apr 2025 20:59:34 +0200
Subject: [PATCH 1/2] Fix GH-18309: ipv6 filter integer overflow

The intermediate computation can cause a signed integer overflow, but the input is correctly rejected later on by the check on variable `n`. Solve this by using an unsigned number.
---
 ext/filter/logical_filters.c | 2 +-
 ext/filter/tests/gh18309.phpt | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 ext/filter/tests/gh18309.phpt
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
index 1bd9bad5afbe1..5c2dec69fc291 100644
--- a/ext/filter/logical_filters.c
+++ b/ext/filter/logical_filters.c
@@ -762,7 +762,7 @@ static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8])
 {
 int compressed_pos = -1;
 int blocks = 0;
- int num, n, i;
+ unsigned int num, n, i;
 char *ipv4;
 const char *end;
 int ip4elm[4];
diff --git a/ext/filter/tests/gh18309.phpt b/ext/filter/tests/gh18309.phpt
new file mode 100644
index 0000000000000..b541f10883fe6
--- /dev/null
+++ b/ext/filter/tests/gh18309.phpt
@@ -0,0 +1,10 @@
+--TEST--
+GH-18309 (ipv6 filter integer overflow)
+--EXTENSIONS--
+filter
+--FILE--
+
+--EXPECT--
+bool(false)
From 0cb6aaceef529ba6cdb0df5274dfefcd10bbf417 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 11 Apr 2025 21:45:39 +0200
Subject: [PATCH 2/2] fix
---
 ext/filter/logical_filters.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
index 5c2dec69fc291..76656a218d281 100644
--- a/ext/filter/logical_filters.c
+++ b/ext/filter/logical_filters.c
@@ -762,7 +762,8 @@ static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8])
 {
 int compressed_pos = -1;
 int blocks = 0;
- unsigned int num, n, i;
+ unsigned int num, n;
+ int i;
 char *ipv4;
 const char *end;
 int ip4elm[4];
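Review bot: The new declaration `unsigned int num, n;` relies on unsigned wraparound, but nothing at the declaration says that the wrap is intended and is only harmless because of the later check on `n` that the commit message mentions; a comment such as `/* unsigned: num may wrap on over-long hex groups; such input is rejected by the n check */` would stop a later cleanup from turning it back into `int`. The signature in the hunk header still takes `int ip[8]`, so if `num` is stored into `ip[]` before the `n` check runs (the loop is outside this hunk, so this needs confirming), a wrapped value above `INT_MAX` goes through an implementation-defined conversion. Rejecting the group inside the digit loop as soon as `n` exceeds 4 would keep `num` within 16 bits and remove the dependence on wraparound altogether. The same applies to the declaration in the 1/2 hunk, and the function body starts and ends outside both hunks.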