Fix GH-17921 socket_read/socket_recv overflows on buffer size.

update the existing checks to be more straightforward instead of
counting on undefined behavior.

close GH-17923

Author: devnexen

NEWS

@@ -65,6 +65,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-15902 (Core dumped in ext/reflection/php_reflection.c).
     (DanielEScherzer)
 
+- Sockets:
+  . Fixed bug GH-17921 (socket_read/socket_recv overflow on buffer size).
+    (David Carlier)
+
 - Standard:
   . Fixed bug #72666 (stat cache clearing inconsistent between file:// paths
     and plain paths). (Jakub Zelenka)

ext/sockets/sockets.c

@@ -884,7 +884,7 @@ PHP_FUNCTION(socket_read)
 	ENSURE_SOCKET_VALID(php_sock);
 
 	/* overflow check */
-	if ((length + 1) < 2) {
+	if (length <= 0 || length == ZEND_LONG_MAX) {
 		RETURN_FALSE;
 	}
 
@@ -1326,7 +1326,7 @@ PHP_FUNCTION(socket_recv)
 	ENSURE_SOCKET_VALID(php_sock);
 
 	/* overflow check */
-	if ((len + 1) < 2) {
+	if (len <= 0 || len == ZEND_LONG_MAX) {
 		RETURN_FALSE;
 	}
 

ext/sockets/tests/gh17921.phpt

@@ -0,0 +1,18 @@
+--TEST--
+GH-16267 - overflow on socket_strerror argument
+--EXTENSIONS--
+sockets
+--FILE--
+<?php
+$s_c_l = socket_create_listen(0);
+var_dump(socket_read($s_c_l, PHP_INT_MAX));
+var_dump(socket_read($s_c_l, PHP_INT_MIN));
+$a = "";
+var_dump(socket_recv($s_c_l, $a, PHP_INT_MAX, 0));
+var_dump(socket_recv($s_c_l, $a, PHP_INT_MIN, 0));
+?>
+--EXPECT--
+bool(false)
+bool(false)
+bool(false)
+bool(false)