From 791a6ef19c72f735b1442596fc9d26fe6f3a0997 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Wed, 28 Aug 2024 12:55:29 +0100
Subject: [PATCH] Fix GH-15613: unpack on format hex strings repeater value.
close GH-15615
---
 NEWS | 4 ++++
 ext/standard/pack.c | 7 +++++++
 ext/standard/tests/strings/gh15613.phpt | 25 +++++++++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 ext/standard/tests/strings/gh15613.phpt
diff --git a/NEWS b/NEWS
index 21ab2923e23..001f5ba9cca 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,10 @@ PHP NEWS
 - SOAP:
 . Fixed bug #62900 (Wrong namespace on xsd import error message). (nielsdos)
+- Standard:
+ . Fixed bug GH-15613 (overflow on unpack call hex string repeater).
+ (David Carlier)
+
 26 Sep 2024, PHP 8.2.24
 - Core:
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
index d12cd280a81..24d116d3020 100644
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@@ -979,6 +979,13 @@ PHP_FUNCTION(unpack)
 zend_string *buf;
 zend_long ipos, opos;
+
+ if (size > INT_MAX / 2) {
+ zend_string_release(real_name);
+ zend_argument_value_error(1, "repeater must be less than or equal to %d", INT_MAX / 2);
+ RETURN_THROWS();
+ }
+
 /* If size was given take minimum of len and size */
 if (size >= 0 && len > (size * 2)) {
 len = size * 2;
diff --git a/ext/standard/tests/strings/gh15613.phpt b/ext/standard/tests/strings/gh15613.phpt
new file mode 100644
index 00000000000..8f40ee820c9
--- /dev/null
+++ b/ext/standard/tests/strings/gh15613.phpt
@@ -0,0 +1,25 @@
+--TEST--
+GH-15613 overflow on hex strings repeater value
+--SKIPIF--
+
+--INI--
+memory_limit=-1
+--FILE--
+getMessage() . PHP_EOL;
+}
+
+try {
+ unpack('H2147483647', str_repeat('X', 2**31 + 10));
+} catch (\ValueError $e) {
+ echo $e->getMessage();
+}
+?>
+--EXPECTF--
+unpack(): Argument #1 ($format) repeater must be less than or equal to %d
+unpack(): Argument #1 ($format) repeater must be less than or equal to %d
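Review bot: The new `if (size > INT_MAX / 2)` guard in ext/standard/pack.c has no comment tying its bound to the `size * 2` computed in the `if` that follows, so nothing tells a later editor that the two must change together. I would add `/* size is doubled below; reject values for which size * 2 would overflow */` above it. The message calls the limit a "repeater" bound while the value tested is `size`; if `size` was already derived from the repeater earlier in `PHP_FUNCTION(unpack)` (not visible in this hunk), the number printed may not be the largest repeater a caller can write, so the wording is worth checking. The added empty line directly after the existing blank context line leaves two blank lines before the check and could be dropped. The enclosing block starts and ends outside the hunk.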
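Review bot: The visible `unpack('H2147483647', str_repeat('X', 2**31 + 10))` case in gh15613.phpt builds an input of over 2 GiB under `memory_limit=-1`, and the `--SKIPIF--` section shows no condition on this page (its body may have been lost in extraction). The test should skip on 32-bit builds and on runners without that much memory, otherwise it can fail for reasons unrelated to the fix. Both `--EXPECTF--` lines match the limit with `%d`, so a wrong bound in the message would go unnoticed; pinning the expected value of `INT_MAX / 2` would tighten the check.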