add tests

devnexen · devnexen · commit 61d4ab9689f2 · 2025-05-02T18:27:19.000+01:00
diff --git a/ext/standard/array.c b/ext/standard/array.c
@@ -3234,7 +3234,7 @@ static void php_splice(HashTable *in_hash, zend_long offset, zend_long length, H
 	/* Create and initialize output hash */
 	zend_hash_init(&out_hash, (length > 0 ? num_in - length : 0) + (replace ? zend_hash_num_elements(replace) : 0), NULL, ZVAL_PTR_DTOR, 0);
 
-	if (length > ZEND_LONG_MAX - offset) {
+	if (length > ZEND_LONG_MAX - offset || length < ZEND_LONG_MIN + offset) {
 		goto end;
 	}
 
diff --git a/ext/standard/tests/array/gh18480.phpt b/ext/standard/tests/array/gh18480.phpt
@@ -0,0 +1,15 @@
+--TEST--
+GH-18480 array_splice overflow with large offset / length values
+--FILE--
+<?php
+$a = [PHP_INT_MAX];
+$offset = PHP_INT_MAX;
+var_dump(array_splice($a,$offset, PHP_INT_MAX));
+$offset = PHP_INT_MIN;
+var_dump(array_splice($a,$offset, PHP_INT_MIN));
+--EXPECT--
+array(0) {
+}
+array(0) {
+}
+

Original file line number	Diff line number	Diff line change
`@@ -3234,7 +3234,7 @@ static void php_splice(HashTable *in_hash, zend_long offset, zend_long length, H`
`3234`	`3234`	`/* Create and initialize output hash */`
`3235`	`3235`	`zend_hash_init(&out_hash, (length > 0 ? num_in - length : 0) + (replace ? zend_hash_num_elements(replace) : 0), NULL, ZVAL_PTR_DTOR, 0);`
`3236`	`3236`
`3237`		`- if (length > ZEND_LONG_MAX - offset) {`
	`3237`	`+ if (length > ZEND_LONG_MAX - offset \|\| length < ZEND_LONG_MIN + offset) {`
`3238`	`3238`	`goto end;`
`3239`	`3239`	`}`
`3240`	`3240`