From 0a12aaa5b822bc22124a54648597837d9b219d41 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Thu, 21 Aug 2025 17:22:52 +0200 Subject: [PATCH] Fix signed int overflow in scanner yylen is unsigned int, but len in zend_scan_escape_string() is int, which will break for string literals >=2GB. yyleng is still limited to 4GB, but we can't fix this without breaking the ABI. Partially addresses GH-19542 Closes GH-19545 --- NEWS | 2 ++ Zend/zend_language_scanner.l | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 858b7190cd2..80b84fe03a9 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,8 @@ PHP NEWS - Core: . Fixed bug GH-18850 (Repeated inclusion of file with __halt_compiler() triggers "Constant already defined" warning). (ilutov) + . Partially fixed bug GH-19542 (Scanning of string literals >=2GB will fail + due to signed int overflow). (ilutov) - OpenSSL: . Fixed bug GH-19245 (Success error message on TLS stream accept failure). diff --git a/Zend/zend_language_scanner.l b/Zend/zend_language_scanner.l index 3ea51fe7c9d..6276bd785b2 100644 --- a/Zend/zend_language_scanner.l +++ b/Zend/zend_language_scanner.l @@ -911,7 +911,7 @@ ZEND_API void zend_multibyte_yyinput_again(zend_encoding_filter old_input_filter ZVAL_STRINGL(zendlval, yytext, yyleng); \ } -static zend_result zend_scan_escape_string(zval *zendlval, char *str, int len, char quote_type) +static zend_result zend_scan_escape_string(zval *zendlval, char *str, size_t len, char quote_type) { char *s, *t; char *end;
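Review bot: In the Zend/zend_language_scanner.l hunk, only the `len` parameter of zend_scan_escape_string() changes from `int` to `size_t`, and the body past `char *end;` is outside the visible context, so nothing here shows whether the function still narrows the length or compares it as a signed value. Please confirm that every local derived from `len` is also `size_t`, and that no check in the body or in a caller relied on `len` going negative: with an unsigned type, a subtraction that used to yield a negative length now wraps to a very large one. The diffstat lists only NEWS and the scanner file, so no regression test accompanies the change; if a >=2GB literal is too costly for the test suite, a sentence in the commit message saying so would help.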
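Review bot: The NEWS entry added under Core says "Partially fixed bug GH-19542" but does not say what remains unfixed. The commit message states that yyleng is still limited to 4GB and cannot be changed without breaking the ABI; a brief mention of that remaining limit in the entry would tell readers which literal sizes are still affected.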