ext/sockets: follow-up on GH-17300 to check hints value ranges.

close GH-17326
2026-03-24 00:02:20 +01:00 · 2025-01-02 19:06:28 +00:00
parent 0a69e14278
commit c7a322cc4c
4 changed files with 71 additions and 2 deletions
--- a/2
+++ b/2
@@ -90,6 +90,8 @@ PHP                                                                        NEWS
    (David Carlier)
  . socket_addrinfo_lookup throws an exception on invalid hints value types.
    (David Carlier)
+  . socket_addrinfo_lookup throws an exception if any of the hints value
+    overflows. (David Carlier)

 - Standard:
  . Fixed crypt() tests on musl when using --with-external-libcrypt
--- a/3
+++ b/3
@@ -128,7 +128,8 @@ PHP 8.5 UPGRADE NOTES
  . socket_create_listen, socket_bind and socket_sendto throw a
    ValueError if the port is lower than 0 or greater than 65535.
  . socket_addrinfo_lookup throw a TypeError if any of the hints
-    values cannot be cast to a int.
+    values cannot be cast to a int and can throw a ValueError if
+    any of these values overflow.

 - Zlib:
  . The "use_include_path" argument for the
--- a/ext/sockets/sockets.c
+++ b/ext/sockets/sockets.c
@@ -2583,6 +2583,12 @@ PHP_FUNCTION(socket_addrinfo_lookup)

 	memset(&hints, 0, sizeof(hints));

+#if defined(PHP_WIN32)
+#  if !defined(AF_MAX)
+#    define AF_MAX (AF_BTH + 1)
+#  endif
+#endif
+
 	if (zhints && !HT_IS_PACKED(Z_ARRVAL_P(zhints))) {
 		ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(zhints), key, hint) {
 			if (key) {
@@ -2593,6 +2599,10 @@ PHP_FUNCTION(socket_addrinfo_lookup)
 						zend_argument_type_error(3, "\"ai_flags\" key must be of type int, %s given", zend_zval_type_name(hint));
 						RETURN_THROWS();
 					}
+					if (val < 0 || val > INT_MAX) {
+						zend_argument_value_error(3, "\"ai_flags\" key must be between 0 and %d", INT_MAX);
+						RETURN_THROWS();
+					}
 					hints.ai_flags = (int)val;
 				} else if (zend_string_equals_literal(key, "ai_socktype")) {
 					zend_long val = zval_try_get_long(hint, &failed);
@@ -2600,6 +2610,10 @@ PHP_FUNCTION(socket_addrinfo_lookup)
 						zend_argument_type_error(3, "\"ai_socktype\" key must be of type int, %s given", zend_zval_type_name(hint));
 						RETURN_THROWS();
 					}
+					if (val < 0 || val > INT_MAX) {
+						zend_argument_value_error(3, "\"ai_socktype\" key must be between 0 and %d", INT_MAX);
+						RETURN_THROWS();
+					}
 					hints.ai_socktype = (int)val;
 				} else if (zend_string_equals_literal(key, "ai_protocol")) {
 					zend_long val = zval_try_get_long(hint, &failed);
@@ -2607,6 +2621,10 @@ PHP_FUNCTION(socket_addrinfo_lookup)
 						zend_argument_type_error(3, "\"ai_protocol\" key must be of type int, %s given", zend_zval_type_name(hint));
 						RETURN_THROWS();
 					}
+					if (val < 0 || val > INT_MAX) {
+						zend_argument_value_error(3, "\"ai_protocol\" key must be between 0 and %d", INT_MAX);
+						RETURN_THROWS();
+					}
 					hints.ai_protocol = (int)val;
 				} else if (zend_string_equals_literal(key, "ai_family")) {
 					zend_long val = zval_try_get_long(hint, &failed);
@@ -2614,6 +2632,10 @@ PHP_FUNCTION(socket_addrinfo_lookup)
 						zend_argument_type_error(3, "\"ai_family\" key must be of type int, %s given", zend_zval_type_name(hint));
 						RETURN_THROWS();
 					}
+					if (val < 0 || val >= AF_MAX) {
+						zend_argument_value_error(3, "\"ai_family\" key must be between 0 and %d", AF_MAX - 1);
+						RETURN_THROWS();
+					}
 					hints.ai_family = (int)val;
 				} else {
 					zend_argument_value_error(3, "must only contain array keys \"ai_flags\", \"ai_socktype\", "
--- a/ext/sockets/tests/socket_getaddrinfo_error.phpt
+++ b/ext/sockets/tests/socket_getaddrinfo_error.phpt
@@ -44,9 +44,53 @@ try {
 } catch (\TypeError $e) {
 	echo $e->getMessage() . PHP_EOL;
 }
+try {
+	socket_addrinfo_lookup('127.0.0.1', 2000, array(
+		'ai_family' => PHP_INT_MAX,
+		'ai_socktype' => SOCK_DGRAM,
+		'ai_flags' => 0,
+		'ai_protocol' => 0,
+	));
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+try {
+	socket_addrinfo_lookup('127.0.0.1', 2000, array(
+		'ai_family' => AF_INET,
+		'ai_socktype' => -1,
+		'ai_flags' => 0,
+		'ai_protocol' => 0,
+	));
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+try {
+	socket_addrinfo_lookup('127.0.0.1', 2000, array(
+		'ai_family' => AF_INET,
+		'ai_socktype' => SOCK_DGRAM,
+		'ai_flags' => -256,
+		'ai_protocol' => 0,
+	));
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+try {
+	socket_addrinfo_lookup('127.0.0.1', 2000, array(
+		'ai_family' => AF_INET,
+		'ai_socktype' => SOCK_DGRAM,
+		'ai_flags' => 0,
+		'ai_protocol' => PHP_INT_MIN,
+	));
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
 ?>
--EXPECT--
+--EXPECTF--
 socket_addrinfo_lookup(): Argument #3 ($hints) "ai_family" key must be of type int, stdClass given
 socket_addrinfo_lookup(): Argument #3 ($hints) "ai_socktype" key must be of type int, stdClass given
 socket_addrinfo_lookup(): Argument #3 ($hints) "ai_flags" key must be of type int, stdClass given
 socket_addrinfo_lookup(): Argument #3 ($hints) "ai_protocol" key must be of type int, stdClass given
+socket_addrinfo_lookup(): Argument #3 ($hints) "ai_family" key must be between 0 and %d
+socket_addrinfo_lookup(): Argument #3 ($hints) "ai_socktype" key must be between 0 and %d
+socket_addrinfo_lookup(): Argument #3 ($hints) "ai_flags" key must be between 0 and %d
+socket_addrinfo_lookup(): Argument #3 ($hints) "ai_protocol" key must be between 0 and %d