Fix GH-15653: fgetcsv overflow on length parameter.

close GH-15655

NEWS

@@ -89,6 +89,7 @@ PHP                                                                        NEWS
 - Standard:
   . Fix passing non-finite timeout values in stream functions. (nielsdos)
   . Fixed GH-14780 p(f)sockopen timeout overflow. (David Carlier)
+  . Fixed GH-15653 overflow on fgetcsv length parameter. (David Carlier)
 
 - Streams:
   . Fixed bug GH-15028 (Memory leak in ext/phar/stream.c). (nielsdos)

ext/standard/file.c

@@ -1895,8 +1895,8 @@ PHP_FUNCTION(fgetcsv)
 
 		if (len_is_null || len == 0) {
 			len = -1;
-		} else if (len < 0) {
-			zend_argument_value_error(2, "must be a greater than or equal to 0");
+		} else if (len < 0 || len > (ZEND_LONG_MAX - 1)) {
+			zend_argument_value_error(2, "must be between 0 and " ZEND_LONG_FMT, (ZEND_LONG_MAX - 1));
 			RETURN_THROWS();
 		}
 

ext/standard/tests/file/fgetcsv_error_conditions.phpt

@@ -48,11 +48,11 @@ try {
     echo $e->getMessage() . \PHP_EOL;
 }
 ?>
---EXPECT--
+--EXPECTF--
 fgetcsv() with negative length
-fgetcsv(): Argument #2 ($length) must be a greater than or equal to 0
-fgetcsv(): Argument #2 ($length) must be a greater than or equal to 0
-fgetcsv(): Argument #2 ($length) must be a greater than or equal to 0
+fgetcsv(): Argument #2 ($length) must be between 0 and %d
+fgetcsv(): Argument #2 ($length) must be between 0 and %d
+fgetcsv(): Argument #2 ($length) must be between 0 and %d
 fgetcsv() with delimiter as empty string
 fgetcsv(): Argument #3 ($separator) must be a single character
 fgetcsv() with enclosure as empty string

ext/standard/tests/file/gh15653.phpt

@@ -0,0 +1,22 @@
+--TEST--
+GH-15653 (fgetcsv overflow on length argument)
+--FILE--
+<?php
+$filename = __DIR__ . "/gh15653.tmp";
+touch($filename);
+$fp = fopen ($filename, "r");
+
+try {
+	fgetcsv($fp, PHP_INT_MAX);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+
+fgetcsv($fp, PHP_INT_MAX-1);
+--CLEAN--
+<?php
+@unlink(__DIR__ . "/gh15653.tmp");
+?>
+--EXPECTF--
+fgetcsv(): Argument #2 ($length) must be between 0 and %d
+%A