Fix overflow UB in range()

diff --git a/ext/standard/array.c b/ext/standard/array.c
index 6ce48a191c8e3b1f72826121cc03142f784bd7ad..b90f24ae636644364e21f613ccbb3467421bacf5 100644 (file)
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -2717,7 +2717,7 @@ PHP_FUNCTION(array_fill_keys)
        } while (0)
 
 #define RANGE_CHECK_LONG_INIT_ARRAY(start, end) do { \
-               zend_ulong __calc_size = (start - end) / lstep; \
+               zend_ulong __calc_size = ((zend_ulong) start - end) / lstep; \
                if (__calc_size >= HT_MAX_SIZE - 1) { \
                        php_error_docref(NULL, E_WARNING, "The supplied range exceeds the maximum array size: start=" ZEND_LONG_FMT " end=" ZEND_LONG_FMT, end, start); \
                        RETURN_FALSE; \
@@ -2887,7 +2887,7 @@ long_str:
                }
 
                if (low > high) {               /* Negative steps */
-                       if ((zend_ulong)(low - high) < lstep) {
+                       if ((zend_ulong)low - high < lstep) {
                                err = 1;
                                goto err;
                        }
@@ -2901,7 +2901,7 @@ long_str:
                                }
                        } ZEND_HASH_FILL_END();
                } else if (high > low) {        /* Positive steps */
-                       if ((zend_ulong)(high - low) < lstep) {
+                       if ((zend_ulong)high - low < lstep) {
                                err = 1;
                                goto err;
                        }