php · cmb69 · Dec 23, 2019 · Dec 23, 2019 · nikic · Dec 27, 2019
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
@@ -4389,14 +4389,16 @@ static int php_date_interval_initialize_from_hash(zval **return_value, php_inter
 	PHP_DATE_INTERVAL_READ_PROPERTY("h", h, timelib_sll, -1)
 	PHP_DATE_INTERVAL_READ_PROPERTY("i", i, timelib_sll, -1)
 	PHP_DATE_INTERVAL_READ_PROPERTY("s", s, timelib_sll, -1)
-	do {
+	{
 		zval *z_arg = zend_hash_str_find(myht, "f", sizeof("f") - 1);
+		(*intobj)->diff->us = -1000000;
 		if (z_arg) {
-			(*intobj)->diff->us = ((double)zval_get_double(z_arg) * 1000000);
-		} else {
-			(*intobj)->diff->us = (double) -1000000;
+			double val = zval_get_double(z_arg) * 1000000;
+			if (val >= 0 && val < 1000000) {
+				(*intobj)->diff->us = val;
+			}
 		}
-	} while (0);
+	}
 	PHP_DATE_INTERVAL_READ_PROPERTY("weekday", weekday, int, -1)
 	PHP_DATE_INTERVAL_READ_PROPERTY("weekday_behavior", weekday_behavior, int, -1)
 	PHP_DATE_INTERVAL_READ_PROPERTY("first_last_day_of", first_last_day_of, int, -1)

diff --git a/ext/date/tests/bug79015.phpt b/ext/date/tests/bug79015.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #79015 (undefined-behavior in php_date.c)
+--FILE--
+<?php
+var_dump(unserialize('O:12:"DateInterval":1:1s:1:"f";i:9999999999990;'));
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 47 of 47 bytes in %s on line %d
+bool(false)