Merge branch 'PHP-8.2' into PHP-8.3

cmb69 · cmb69 · commit c701508e6b14 · 2024-09-23T00:29:15.000+02:00
* PHP-8.2: Fix GH-15980: Signed integer overflow in main/streams/streams.c
diff --git a/NEWS b/NEWS
@@ -23,6 +23,8 @@ PHP                                                                        NEWS
 - Streams:
   . Fixed bugs GH-15908 and GH-15026 (leak / assertion failure in streams.c).
     (nielsdos)
+  . Fixed bug GH-15980 (Signed integer overflow in main/streams/streams.c).
+    (cmb)
 
 - TSRM:
   . Prevent closing of unrelated handles. (cmb)
diff --git a/ext/standard/tests/streams/gh15980.phpt b/ext/standard/tests/streams/gh15980.phpt
@@ -0,0 +1,11 @@
+--TEST--
+GH-15980 (Signed integer overflow in main/streams/streams.c)
+--FILE--
+<?php
+$s = fopen(__FILE__, "r");
+fseek($s, 1);
+fseek($s, PHP_INT_MAX, SEEK_CUR);
+var_dump(ftell($s) > 1);
+?>
+--EXPECT--
+bool(true)
diff --git a/main/streams/streams.c b/main/streams/streams.c
@@ -1382,8 +1382,13 @@ PHPAPI int _php_stream_seek(php_stream *stream, zend_off_t offset, int whence)
 
 		switch(whence) {
 			case SEEK_CUR:
-				offset = stream->position + offset;
-				whence = SEEK_SET;
+				ZEND_ASSERT(stream->position >= 0);
+				if (UNEXPECTED(offset > ZEND_LONG_MAX - stream->position)) {
+					offset = ZEND_LONG_MAX;
+				} else {
+					offset = stream->position + offset;
+				}
+ 				whence = SEEK_SET;
 				break;
 		}
 		ret = stream->ops->seek(stream, offset, whence, &stream->position);
