Avoid signed integer overflow in string offset check

nikic · nikic · commit 527ad1d80ce3 · 2019-12-19T11:47:50.000+01:00
Cast to size_t before performing operations instead of afterwards.
diff --git a/Zend/tests/string_offset_int_min_max.phpt b/Zend/tests/string_offset_int_min_max.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Accessing PHP_INT_MAX and PHP_INT_MIN as string offsets
+--FILE--
+<?php
+
+$str = "";
+var_dump($str[PHP_INT_MAX]);
+var_dump($str[PHP_INT_MIN]);
+
+?>
+--EXPECTF--
+Notice: Uninitialized string offset: %d in %s on line %d
+string(0) ""
+
+Notice: Uninitialized string offset: -%d in %s on line %d
+string(0) ""
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -2369,7 +2369,7 @@ static zend_always_inline void zend_fetch_dimension_address_read(zval *result, z
 			offset = Z_LVAL_P(dim);
 		}
 
-		if (UNEXPECTED(Z_STRLEN_P(container) < (size_t)((offset < 0) ? -offset : (offset + 1)))) {
+		if (UNEXPECTED(Z_STRLEN_P(container) < ((offset < 0) ? -(size_t)offset : ((size_t)offset + 1)))) {
 			if (type != BP_VAR_IS) {
 				zend_error(E_NOTICE, "Uninitialized string offset: " ZEND_LONG_FMT, offset);
 				ZVAL_EMPTY_STRING(result);

Original file line number	Diff line number	Diff line change
`@@ -2369,7 +2369,7 @@ static zend_always_inline void zend_fetch_dimension_address_read(zval *result, z`
`2369`	`2369`	`offset = Z_LVAL_P(dim);`
`2370`	`2370`	`}`
`2371`	`2371`
`2372`		`- if (UNEXPECTED(Z_STRLEN_P(container) < (size_t)((offset < 0) ? -offset : (offset + 1)))) {`
	`2372`	`+ if (UNEXPECTED(Z_STRLEN_P(container) < ((offset < 0) ? -(size_t)offset : ((size_t)offset + 1)))) {`
`2373`	`2373`	`if (type != BP_VAR_IS) {`
`2374`	`2374`	`zend_error(E_NOTICE, "Uninitialized string offset: " ZEND_LONG_FMT, offset);`
`2375`	`2375`	`ZVAL_EMPTY_STRING(result);`