From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 23 Sep 2019 11:06:55 +0000 (+0200)
Subject: Fix ubsan violation in parse_iv2
X-Git-Tag: php-7.4.0RC3~40^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e65adc9c190fbaadfc9cad044ee0a3cc5df15973;p=php

Fix ubsan violation in parse_iv2

This fixes two issues:
 * Negative the value in an unsigned type to avoid signed overflow.
 * Treat -0 as 0 rather than an invalid number that gets converted
   to ZEND_LONG_MIN.
---

diff --git a/ext/standard/tests/serialize/unserialize_neg_iv_edge_cases.phpt b/ext/standard/tests/serialize/unserialize_neg_iv_edge_cases.phpt
new file mode 100644
index 0000000000..a3732bde1b
--- /dev/null
+++ b/ext/standard/tests/serialize/unserialize_neg_iv_edge_cases.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Negative parse_iv2 edge cases
+--FILE--
+<?php
+
+var_dump(unserialize('i:-9223372036854775808;'));
+var_dump(unserialize('i:-0;'));
+
+?>
+--EXPECT--
+int(-9223372036854775808)
+int(0)
diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index c99e673c8d..1eff008da8 100644
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -357,12 +357,12 @@ static inline zend_long parse_iv2(const unsigned char *p, const unsigned char **
 	 || (SIZEOF_ZEND_LONG == 4
 	 	&& UNEXPECTED(p - start == MAX_LENGTH_OF_LONG - 1)
 	 	&& UNEXPECTED(*start > '2'))
-	 || UNEXPECTED(result - neg > ZEND_LONG_MAX)) {
+	 || UNEXPECTED(result > ZEND_LONG_MAX + neg)) {
 		php_error_docref(NULL, E_WARNING, "Numerical result out of range");
 		return (!neg) ? ZEND_LONG_MAX : ZEND_LONG_MIN;
 	}
 
-	return (!neg) ? (zend_long)result : -(zend_long)result;
+	return (zend_long) ((!neg) ? result : -result);
 }
 
 static inline zend_long parse_iv(const unsigned char *p)