From: Nikita Popov <nikita.ppv@gmail.com>
Date: Wed, 19 Jun 2019 12:12:54 +0000 (+0200)
Subject: Fix overflow UB in range()
X-Git-Tag: php-7.4.0alpha2~51^2~13
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4ae87f4bf964146d8da1deb64cf1b668f1103891;p=php

Fix overflow UB in range()
---

diff --git a/ext/standard/array.c b/ext/standard/array.c
index 6ce48a191c..b90f24ae63 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -2717,7 +2717,7 @@ PHP_FUNCTION(array_fill_keys)
 	} while (0)
 
 #define RANGE_CHECK_LONG_INIT_ARRAY(start, end) do { \
-		zend_ulong __calc_size = (start - end) / lstep; \
+		zend_ulong __calc_size = ((zend_ulong) start - end) / lstep; \
 		if (__calc_size >= HT_MAX_SIZE - 1) { \
 			php_error_docref(NULL, E_WARNING, "The supplied range exceeds the maximum array size: start=" ZEND_LONG_FMT " end=" ZEND_LONG_FMT, end, start); \
 			RETURN_FALSE; \
@@ -2887,7 +2887,7 @@ long_str:
 		}
 
 		if (low > high) { 		/* Negative steps */
-			if ((zend_ulong)(low - high) < lstep) {
+			if ((zend_ulong)low - high < lstep) {
 				err = 1;
 				goto err;
 			}
@@ -2901,7 +2901,7 @@ long_str:
 				}
 			} ZEND_HASH_FILL_END();
 		} else if (high > low) { 	/* Positive steps */
-			if ((zend_ulong)(high - low) < lstep) {
+			if ((zend_ulong)high - low < lstep) {
 				err = 1;
 				goto err;
 			}