Fix GH-18976: pack with h or H format string overflow.

adding with its own remainder, INT_MAX overflows here (negative values are discarded). close GH-18977
2026-03-24 00:02:20 +01:00 · 2025-06-29 13:03:43 +01:00
parent aee1d7fb96
commit 865739e5b1
3 changed files with 17 additions and 1 deletions
--- a/2
+++ b/2
@@ -33,6 +33,8 @@ PHP                                                                        NEWS
 - Standard:
  . Fix misleading errors in printf(). (nielsdos)
  . Fix RCN violations in array functions. (nielsdos)
+  . Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value.
+    (David Carlier)

 - Streams:
  . Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@@ -388,7 +388,7 @@ too_few_args:
 		switch ((int) code) {
 			case 'h':
 			case 'H':
-				INC_OUTPUTPOS((arg + (arg % 2)) / 2,1)	/* 4 bit per arg */
+				INC_OUTPUTPOS((arg / 2) + (arg % 2),1)	/* 4 bit per arg */
 				break;

 			case 'a':
--- a/ext/standard/tests/strings/gh18976.phpt
+++ b/ext/standard/tests/strings/gh18976.phpt
@@ -0,0 +1,14 @@
+--TEST--
+GH-18976 (pack overflow with h/H format)
+--INI--
+memory_limit=-1
+--FILE--
+<?php
+pack('h2147483647', 1);
+pack('H2147483647', 1);
+?>
+--EXPECTF--
+
+Warning: pack(): Type h: not enough characters in string in %s on line %d
+
+Warning: pack(): Type H: not enough characters in string in %s on line %d