Fixed bug #62477 LimitIterator int overflow

Author: weltling

ext/spl/spl_iterators.c

@@ -1380,12 +1380,31 @@ static spl_dual_it_object* spl_dual_it_construct(INTERNAL_FUNCTION_PARAMETERS, z
 	intern->dit_type = dit_type;
 	switch (dit_type) {
 		case DIT_LimitIterator: {
+			zval *tmp_offset, *tmp_count;
 			intern->u.limit.offset = 0; /* start at beginning */
 			intern->u.limit.count = -1; /* get all */
-			if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "O|ll", &zobject, ce_inner, &intern->u.limit.offset, &intern->u.limit.count) == FAILURE) {
+			if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "O|zz", &zobject, ce_inner, &tmp_offset, &tmp_count) == FAILURE) {
 				zend_restore_error_handling(&error_handling TSRMLS_CC);
 				return NULL;
 			}
+			if (tmp_offset && Z_TYPE_P(tmp_offset) != IS_NULL) {
+				if (Z_TYPE_P(tmp_offset) != IS_LONG) {
+					zend_throw_exception(spl_ce_OutOfRangeException, "offset param must be of type int", 0 TSRMLS_CC);
+					zend_restore_error_handling(&error_handling TSRMLS_CC);
+					return NULL;
+				} else {
+					intern->u.limit.offset = Z_LVAL_P(tmp_offset);
+				}
+			}
+			if (tmp_count && Z_TYPE_P(tmp_count) != IS_NULL) {
+				if (Z_TYPE_P(tmp_count) != IS_LONG) {
+					zend_throw_exception(spl_ce_OutOfRangeException, "count param must be of type int", 0 TSRMLS_CC);
+					zend_restore_error_handling(&error_handling TSRMLS_CC);
+					return NULL;
+				} else {
+					intern->u.limit.count = Z_LVAL_P(tmp_count);
+				}
+			}
 			if (intern->u.limit.offset < 0) {
 				zend_throw_exception(spl_ce_OutOfRangeException, "Parameter offset must be >= 0", 0 TSRMLS_CC);
 				zend_restore_error_handling(&error_handling TSRMLS_CC);

ext/spl/spl_iterators.h

@@ -128,7 +128,7 @@ typedef struct _spl_dual_it_object {
 		uint                 str_key_len;
 		ulong                int_key;
 		int                  key_type; /* HASH_KEY_IS_STRING or HASH_KEY_IS_LONG */
-		int                  pos;
+		long                  pos;
 	} current;
 	dual_it_type             dit_type;
 	union {

ext/spl/tests/bug62477_1.phpt

@@ -0,0 +1,12 @@
+--TEST--
+Bug #62477 LimitIterator int overflow when float is passed (1)
+--FILE--
+<?php
+
+$it = new LimitIterator(new ArrayIterator(array(42)), 10000000000000000000);
+--EXPECTF--
+Fatal error: Uncaught exception 'OutOfRangeException' with message 'offset param must be of type int' in %sbug62477_1.php:%d
+Stack trace:
+#0 %sbug62477_1.php(%d): LimitIterator->__construct(Object(ArrayIterator), %f)
+#1 {main}
+  thrown in %sbug62477_1.php on line %d

ext/spl/tests/bug62477_2.phpt

@@ -0,0 +1,12 @@
+--TEST--
+Bug #62477 LimitIterator int overflow when float is passed (2)
+--FILE--
+<?php
+
+$it = new LimitIterator(new ArrayIterator(array(42)), 0, 10000000000000000000);
+--EXPECTF--
+Fatal error: Uncaught exception 'OutOfRangeException' with message 'count param must be of type int' in %sbug62477_2.php:%d
+Stack trace:
+#0 %sbug62477_2.php(%d): LimitIterator->__construct(Object(ArrayIterator), 0, %f)
+#1 {main}
+  thrown in %sbug62477_2.php on line %d