Merge branch 'PHP-7.2' into PHP-7.3

cmb69 · cmb69 · commit 3d81c548796b · 2019-12-02T11:19:15.000+01:00
* PHP-7.2:
  Fix #78833: Integer overflow in pack causes out-of-bound access
diff --git a/NEWS b/NEWS
@@ -26,6 +26,8 @@ PHP                                                                        NEWS
   . Fixed bug #78759 (array_search in $GLOBALS). (Nikita)
   . Fixed bug #77638 (var_export'ing certain class instances segfaults). (cmb)
   . Fixed bug #78840 (imploding $GLOBALS crashes). (cmb)
+  . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access).
+    (cmb)
 
 21 Nov 2019, PHP 7.3.12
 
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
@@ -342,10 +342,13 @@ PHP_FUNCTION(pack)
 				if (arg < 0) {
 					arg = num_args - currentarg;
 				}
-
+				if (currentarg > INT_MAX - arg) {
+					goto too_few_args;
+				}
 				currentarg += arg;
 
 				if (currentarg > num_args) {
+too_few_args:
 					efree(formatcodes);
 					efree(formatargs);
 					php_error_docref(NULL, E_WARNING, "Type %c: too few arguments", code);
diff --git a/ext/standard/tests/strings/bug78833.phpt b/ext/standard/tests/strings/bug78833.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #78833 (Integer overflow in pack causes out-of-bound access)
+--FILE--
+<?php
+var_dump(pack("E2E2147483647H*", 0x0, 0x0, 0x0));
+?>
+--EXPECTF--
+Warning: pack(): Type E: too few arguments in %s on line %d
+bool(false)
