php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix GH-18309: ipv6 filter integer overflow

Browse Source 
The intermediate computation can cause a signed integer overflow, but
the input is correctly rejected later on by the check on variable `n`.
Solve this by using an unsigned number.

Closes GH-18312.
This commit is contained in:
Niels Dossche
2025-04-11 20:59:34 +02:00
parent ba0853888d
commit 8849a5336e
3 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
NEWS
View File

@@ -6,6 +6,9 @@ PHP NEWS
. Fixed bug GH-18304 (Changing the properties of a DateInterval through
dynamic properties triggers a SegFault). (nielsdos)
- Filter:
. Fixed bug GH-18309 (ipv6 filter integer overflow). (nielsdos)
- GD:
. Fixed imagecrop() overflow with rect argument with x/width y/heigh usage
in gdImageCrop(). (David Carlier)

3
ext/filter/logical_filters.c
View File

@@ -762,7 +762,8 @@ static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8])
{
int compressed_pos = -1;
int blocks = 0;
int num, n, i;
unsigned int num, n;
int i;
char *ipv4;
const char *end;
int ip4elm[4];

10
ext/filter/tests/gh18309.phpt Normal file
View File

@@ -0,0 +1,10 @@
--TEST--
GH-18309 (ipv6 filter integer overflow)
--EXTENSIONS--
filter
--FILE--
<?php
var_dump(filter_var('fffffffffffffffffffffffffffffffffffff::', FILTER_VALIDATE_IP, FILTER_FLAG_IPV6));
?>
--EXPECT--
bool(false)