Fix undefined behavior in php_stream_memory_seek()#21353
Closed
lacatoire wants to merge 1 commit intophp:masterfrom
Closed
Fix undefined behavior in php_stream_memory_seek()#21353lacatoire wants to merge 1 commit intophp:masterfrom
lacatoire wants to merge 1 commit intophp:masterfrom
Conversation
When offset is ZEND_LONG_MIN, (size_t)(-offset) triggers signed integer overflow which is undefined behavior. Replace with (size_t)0 - (size_t)offset to perform the negation in unsigned arithmetic, which is well-defined. Also adds a test to verify that seeking with PHP_INT_MIN does not crash and that the stream remains usable afterwards.
Member
|
Hi @lacatoire. There's already a PR open for this: GH-20965. Though it seems Jakub (who generally handles stream stuff) is busy atm. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix signed integer overflow when negating offset in
php_stream_memory_seek(). Whenoffset == ZEND_LONG_MIN,(size_t)(-offset)is undefined behavior. Uses(size_t)0 - (size_t)offsetto perform the negation in unsigned arithmetic.