Skip to content

Avoid signed integer overflow in php_random_range() #9066

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jul 22, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions NEWS
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ PHP NEWS

- Random:
. Added new random extension. (Go Kudo)
. Fixed bug GH-9066 (signed integer overflow). (zeriyoshi)

- SPL:
. Widen iterator_to_array() and iterator_count()'s $iterator parameter to
Expand Down
2 changes: 0 additions & 2 deletions ext/random/php_random.h
Original file line number Diff line number Diff line change
Expand Up @@ -245,8 +245,6 @@ extern PHPAPI const php_random_algo php_random_algo_xoshiro256starstar;
extern PHPAPI const php_random_algo php_random_algo_secure;
extern PHPAPI const php_random_algo php_random_algo_user;

# define PHP_RANDOM_ALGO_IS_DYNAMIC(algo) ((algo)->generate_size == 0)

typedef struct _php_random_engine {
const php_random_algo *algo;
php_random_status *status;
Expand Down
8 changes: 4 additions & 4 deletions ext/random/random.c
Original file line number Diff line number Diff line change
Expand Up @@ -319,13 +319,13 @@ PHPAPI zend_object *php_random_engine_common_clone_object(zend_object *object)
/* {{{ php_random_range */
PHPAPI zend_long php_random_range(const php_random_algo *algo, php_random_status *status, zend_long min, zend_long max)
{
zend_ulong umax = max - min;
zend_ulong umax = (zend_ulong) max - (zend_ulong) min;

if (PHP_RANDOM_ALGO_IS_DYNAMIC(algo) || algo->generate_size > sizeof(uint32_t) || umax > UINT32_MAX) {
return (zend_long) rand_range64(algo, status, umax) + min;
if (algo->generate_size == 0 || algo->generate_size > sizeof(uint32_t) || umax > UINT32_MAX) {
return (zend_long) (rand_range64(algo, status, umax) + min);
}

return (zend_long) rand_range32(algo, status, umax) + min;
return (zend_long) (rand_range32(algo, status, umax) + min);
}
/* }}} */

Expand Down