We check for potential signed integer overflow, and bail out
gracefully, in that case.
- Standard:
. Fixed bug #78759 (array_search in $GLOBALS). (Nikita)
+ . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access).
+ (cmb)
21 Nov 2019, PHP 7.2.25
if (arg < 0) {
arg = num_args - currentarg;
}
-
+ if (currentarg > INT_MAX - arg) {
+ goto too_few_args;
+ }
currentarg += arg;
if (currentarg > num_args) {
+too_few_args:
efree(formatcodes);
efree(formatargs);
php_error_docref(NULL, E_WARNING, "Type %c: too few arguments", code);
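Review bot: The new guard "currentarg > INT_MAX - arg" is only free of overflow itself when arg is non-negative, and nothing in this hunk states that. The branch just above replaces a negative arg with num_args - currentarg, which is non-negative only while currentarg <= num_args holds on entry. Please add a one-line comment recording that invariant, or fold it into the condition as "arg < 0 || currentarg > INT_MAX - arg", so the check stays correct if the surrounding code changes. Two smaller points: the too_few_args label sits inside the body of the following if block, so the goto jumps into a nested scope; hoisting the cleanup into a labelled block after the if would read more clearly. And the overflow path reuses the "too few arguments" warning, which is reasonable because no caller can supply that many arguments, but a short comment at the goto saying so would help the next reader.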
--- /dev/null
+--TEST--
+Bug #78833 (Integer overflow in pack causes out-of-bound access)
+--FILE--
+<?php
+var_dump(pack("E2E2147483647H*", 0x0, 0x0, 0x0));
+?>
+--EXPECTF--
+Warning: pack(): Type E: too few arguments in %s on line %d
+bool(false)
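Review bot: The test exercises the new branch with a single format code (E) and a single pair of counts, 2 followed by 2147483647, which lands on the guard only where INT_MAX is 2147483647. A comment in the --FILE-- section noting that the second count is INT_MAX on the targeted platforms would make the intent clear. It would also be worth adding one call that must still succeed, for example a format whose repeat counts are exactly matched by the supplied arguments, so the test shows the guard does not reject valid input as well as showing that it catches the overflow.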