Fix signedness confusion in php_filter_validate_domain()

cmb69 · cmb69 · commit 771dbdb319fa · 2022-03-28T14:00:22.000+02:00
As is, there is the possibility that integer underflow occurs, making `_php_filter_validate_domain()` succeed for very long domain names. Cf. <https://pwning.systems/posts/php_filter_var_shenanigans/>.
diff --git a/NEWS b/NEWS
@@ -8,6 +8,9 @@ PHP                                                                        NEWS
     (Tim Düsterhus)
   . Fixed bug GH-8160 (ZTS support on Alpine is broken). (Michael Voříšek)
 
+- Filter:
+  . Fixed signedness confusion in php_filter_validate_domain(). (cmb)
+
 - Intl:
   . Fixed bug GH-8142 (Compilation error on cygwin). (David Carlier)
 
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
@@ -496,7 +496,7 @@ void php_filter_validate_regexp(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
 	}
 }
 
-static int _php_filter_validate_domain(char * domain, int len, zend_long flags) /* {{{ */
+static int _php_filter_validate_domain(char * domain, size_t len, zend_long flags) /* {{{ */
 {
 	char *e, *s, *t;
 	size_t l;

Original file line number	Diff line number	Diff line change
`@@ -496,7 +496,7 @@ void php_filter_validate_regexp(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */`
`496`	`496`	`}`
`497`	`497`	`}`
`498`	`498`
`499`		`-static int _php_filter_validate_domain(char * domain, int len, zend_long flags) /* {{{ */`
	`499`	`+static int _php_filter_validate_domain(char * domain, size_t len, zend_long flags) /* {{{ */`
`500`	`500`	`{`
`501`	`501`	`char e, s, *t;`
`502`	`502`	`size_t l;`