From 8849a5336ea6feda910567acca34407901d3fc57 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 11 Apr 2025 20:59:34 +0200
Subject: [PATCH] Fix GH-18309: ipv6 filter integer overflow
The intermediate computation can cause a signed integer overflow, but the input is correctly rejected later on by the check on variable `n`. Solve this by using an unsigned number.
Closes GH-18312.
---
 NEWS | 3 +++
 ext/filter/logical_filters.c | 3 ++-
 ext/filter/tests/gh18309.phpt | 10 ++++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 ext/filter/tests/gh18309.phpt
diff --git a/NEWS b/NEWS
index 64911472be3..c652b3b8374 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ PHP NEWS
 . Fixed bug GH-18304 (Changing the properties of a DateInterval through dynamic properties triggers a SegFault). (nielsdos)
+- Filter:
+ . Fixed bug GH-18309 (ipv6 filter integer overflow). (nielsdos)
+
 - GD:
 . Fixed imagecrop() overflow with rect argument with x/width y/heigh usage in gdImageCrop(). (David Carlier)
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
index 1bd9bad5afb..76656a218d2 100644
--- a/ext/filter/logical_filters.c
+++ b/ext/filter/logical_filters.c
@@ -762,7 +762,8 @@ static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8])
 {
 int compressed_pos = -1;
 int blocks = 0;
- int num, n, i;
+ unsigned int num, n;
+ int i;
 char *ipv4;
 const char *end;
 int ip4elm[4];
diff --git a/ext/filter/tests/gh18309.phpt b/ext/filter/tests/gh18309.phpt
new file mode 100644
index 00000000000..b541f10883f
--- /dev/null
+++ b/ext/filter/tests/gh18309.phpt
@@ -0,0 +1,10 @@
+--TEST--
+GH-18309 (ipv6 filter integer overflow)
+--EXTENSIONS--
+filter
+--FILE--
+--EXPECT--
+bool(false)
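Review bot: The new declaration `unsigned int num, n;` in `_php_filter_validate_ipv6` carries no comment saying that the unsigned type is what keeps the hex accumulation from being undefined behaviour, so a later cleanup could merge it back into `int`; I would add `/* unsigned: accumulation may wrap on over-long groups, which the length check on n rejects */` above it. The function body continues outside the hunk, so the rest is inferred from the commit message: validity still rests on the later check on `n`, and since `str_len` is a `size_t`, `n` itself could wrap if the loop counts every digit before that check. Returning 0 as soon as a group exceeds four hex digits would bound both variables and remove the wraparound entirely. It is also worth confirming that a wrapped `num` is never written to the `int ip[8]` output for input that ends up rejected.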