Fix GH-17921 socket_read/socket_recv overflows on buffer size.

devnexen · devnexen · commit 17bbd4221a3b · 2025-02-25T05:20:40.000Z
update the existing checks to be more straightforward instead of
counting on undefined behavior.
diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
@@ -884,7 +884,7 @@ PHP_FUNCTION(socket_read)
 	ENSURE_SOCKET_VALID(php_sock);
 
 	/* overflow check */
-	if ((length + 1) < 2) {
+	if (length <= 0 || length == ZEND_LONG_MAX) {
 		RETURN_FALSE;
 	}
 
@@ -1326,7 +1326,7 @@ PHP_FUNCTION(socket_recv)
 	ENSURE_SOCKET_VALID(php_sock);
 
 	/* overflow check */
-	if ((len + 1) < 2) {
+	if (len <= 0 || len == ZEND_LONG_MAX) {
 		RETURN_FALSE;
 	}
 
diff --git a/ext/sockets/tests/gh17921.phpt b/ext/sockets/tests/gh17921.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-16267 - overflow on socket_strerror argument
+--EXTENSIONS--
+sockets
+--INI--
+memory_limit=-1
+--FILE--
+<?php
+$s_c_l = socket_create_listen(0);
+var_dump(socket_read($s_c_l, PHP_INT_MAX));
+var_dump(socket_read($s_c_l, PHP_INT_MIN));
+$a = "";
+var_dump(socket_recv($s_c_l, $a, PHP_INT_MAX, 0));
+var_dump(socket_recv($s_c_l, $a, PHP_INT_MIN, 0));
+?>
+--EXPECT--
+bool(false)
+bool(false)
+bool(false)
+bool(false)

Original file line number	Diff line number	Diff line change
`@@ -884,7 +884,7 @@ PHP_FUNCTION(socket_read)`
`884`	`884`	`ENSURE_SOCKET_VALID(php_sock);`
`885`	`885`
`886`	`886`	`/* overflow check */`
`887`		`- if ((length + 1) < 2) {`
	`887`	`+ if (length <= 0 \|\| length == ZEND_LONG_MAX) {`
`888`	`888`	`RETURN_FALSE;`
`889`	`889`	`}`
`890`	`890`
`@@ -1326,7 +1326,7 @@ PHP_FUNCTION(socket_recv)`
`1326`	`1326`	`ENSURE_SOCKET_VALID(php_sock);`
`1327`	`1327`
`1328`	`1328`	`/* overflow check */`
`1329`		`- if ((len + 1) < 2) {`
	`1329`	`+ if (len <= 0 \|\| len == ZEND_LONG_MAX) {`
`1330`	`1330`	`RETURN_FALSE;`
`1331`	`1331`	`}`
`1332`	`1332`