Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3: Fix GH-18642: Signed integer overflow in ext/phar fseek
2026-03-24 00:02:20 +01:00 · 2025-05-28 18:54:15 +02:00
parent 877663178c 61884c3b52
commit d6ed107510
3 changed files with 41 additions and 9 deletions
--- a/1
+++ b/1
@@ -19,6 +19,7 @@ PHP                                                                        NEWS

 - Phar:
  . Add missing filter cleanups on phar failure. (nielsdos)
+  . Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek). (nielsdos)

 - Readline:
  . Fix memory leak when calloc() fails in php_readline_completion_cb().
--- a/ext/phar/stream.c
+++ b/ext/phar/stream.c
@@ -404,7 +404,7 @@ static int phar_stream_seek(php_stream *stream, zend_off_t offset, int whence, z
 	phar_entry_data *data = (phar_entry_data *)stream->abstract;
 	phar_entry_info *entry;
 	int res;
-	zend_off_t temp;
+	zend_ulong temp;

 	if (data->internal_file->link) {
 		entry = phar_get_link_source(data->internal_file);
@@ -414,26 +414,28 @@ static int phar_stream_seek(php_stream *stream, zend_off_t offset, int whence, z

 	switch (whence) {
 		case SEEK_END :
-			temp = data->zero + entry->uncompressed_filesize + offset;
+			temp = (zend_ulong) data->zero + (zend_ulong) entry->uncompressed_filesize + (zend_ulong) offset;
 			break;
 		case SEEK_CUR :
-			temp = data->zero + data->position + offset;
+			temp = (zend_ulong) data->zero + (zend_ulong) data->position + (zend_ulong) offset;
 			break;
 		case SEEK_SET :
-			temp = data->zero + offset;
+			temp = (zend_ulong) data->zero + (zend_ulong) offset;
 			break;
 		default:
 			temp = 0;
 	}
-	if (temp > data->zero + (zend_off_t) entry->uncompressed_filesize) {
-		*newoffset = -1;
+
+	zend_off_t temp_signed = (zend_off_t) temp;
+	if (temp_signed > data->zero + (zend_off_t) entry->uncompressed_filesize) {
+		*newoffset = -1; /* FIXME: this will invalidate the ZEND_ASSERT(stream->position >= 0); assertion in streams.c */
 		return -1;
 	}
-	if (temp < data->zero) {
-		*newoffset = -1;
+	if (temp_signed < data->zero) {
+		*newoffset = -1; /* FIXME: this will invalidate the ZEND_ASSERT(stream->position >= 0); assertion in streams.c */
 		return -1;
 	}
-	res = php_stream_seek(data->fp, temp, SEEK_SET);
+	res = php_stream_seek(data->fp, temp_signed, SEEK_SET);
 	*newoffset = php_stream_tell(data->fp) - data->zero;
 	data->position = *newoffset;
 	return res;
--- a/ext/phar/tests/gh18642.phpt
+++ b/ext/phar/tests/gh18642.phpt
@@ -0,0 +1,29 @@
+--TEST--
+GH-18642 (Signed integer overflow in ext/phar fseek)
+--EXTENSIONS--
+phar
+--INI--
+phar.require_hash=0
+--FILE--
+<?php
+require_once __DIR__ . '/files/phar_oo_test.inc';
+class MyFile extends SplFileObject
+{
+}
+$phar = new Phar($fname);
+$phar->setInfoClass('MyFile');
+$f = $phar['a.php'];
+var_dump($f->fseek(PHP_INT_MAX));
+var_dump($f->fseek(0));
+var_dump($f->fseek(PHP_INT_MIN, SEEK_END));
+var_dump($f->fseek(0, SEEK_SET));
+var_dump($f->fseek(1, SEEK_CUR));
+var_dump($f->fseek(PHP_INT_MAX, SEEK_CUR));
+?>
+--EXPECT--
+int(-1)
+int(0)
+int(-1)
+int(0)
+int(0)
+int(-1)