Bug #79225 Risk of integer overflow in logical_filters.c
Submitted: 2020-02-04 14:44 UTC Modified: 2020-02-05 17:00 UTC
From: geeknik at protonmail dot ch Assigned:
Status: Not a bug Package: Filter related
PHP Version: 7.4Git-2020-02-04 (Git) OS: Ubuntu
Private report: No CVE-ID: None
 [2020-02-04 14:44 UTC] geeknik at protonmail dot ch
Description:
------------
Line 117 of logical_filters.c looks like so:

ctx_value = ((sign)?-1:1) * ((*(str++)) - '0');

It may be possible to overflow this 'int' before it is converted to 'zend_long'. Please tell me what you think.


 [2020-02-04 17:56 UTC] cmb@php.net
> It may be possible to overflow this 'int' […]

How so?  It seems to me that the right-hand factor of the
multiplication[1] evaluates to 1..9.

[1] <https://github.com/php/php-src/blob/php-7.4.3RC1/ext/filter/logical_filters.c#L117>
 [2020-02-05 17:00 UTC] nikic@php.net
-Status: Open
+Status: Not a bug
-Type: Security
+Type: Bug
 [2020-02-05 17:00 UTC] nikic@php.net
That's correct, there can be no overflow here.
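
The reasoning in the replies above, as an added example (not code from this report or from php-src): the function `parse_decimal`, its leading-digit guard and its accumulation checks are assumptions made for illustration. It keeps the reported expression unchanged and shows that the product is bounded to -9..9, while the later digit accumulation is the step that needs an explicit bounds check.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper for illustration; not PHP's own function.
 * Returns 0 and stores the value in *out, or -1 on rejected input. */
int parse_decimal(const char *str, size_t len, long *out)
{
    const char *end = str + len;
    int sign = 0;
    long value;

    if (len == 0) return -1;
    if (*str == '-' || *str == '+') sign = (*(str++) == '-');
    if (end - str == 1 && *str == '0') { *out = 0; return 0; }

    /* Assumed guard: the first digit must be '1'..'9'. */
    if (str >= end || *str < '1' || *str > '9') return -1;

    /* Same shape as the reported line: (+1 or -1) * (1..9) stays in -9..9,
     * so the int product cannot overflow before widening to long. */
    value = ((sign) ? -1 : 1) * ((*(str++)) - '0');

    /* Accumulating further digits is the step that needs a bounds check. */
    while (str < end) {
        int digit;
        if (*str < '0' || *str > '9') return -1;
        digit = *(str++) - '0';
        if (!sign) {
            if (value > (LONG_MAX - digit) / 10) return -1;
            value = value * 10 + digit;
        } else {
            if (value < (LONG_MIN + digit) / 10) return -1;
            value = value * 10 - digit;
        }
    }
    *out = value;
    return 0;
}

int main(void)
{
    const char *in[] = { "-9", "1234", "0123", "99999999999999999999999999" }; /* constructed */
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        long v = 0;
        int rc = parse_decimal(in[i], strlen(in[i]), &v);
        printf("%s -> rc=%d value=%ld\n", in[i], rc, v);
    }
    return 0;
}
```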
 
Last updated: Sat Dec 21 17:01:58 2024 UTC