Avoid signed integer overflow in php_random_range() (#9066)

php · Jul 22, 2022 · 133b9b0 · 133b9b0
1 parent dfbe964
commit 133b9b0
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 6 deletions.
diff --git a/NEWS b/NEWS
@@ -62,6 +62,7 @@ PHP                                                                        NEWS
 
 - Random:
   . Added new random extension. (Go Kudo)
+  . Fixed bug GH-9066 (signed integer overflow). (zeriyoshi)
 
 - SPL:
   . Widen iterator_to_array() and iterator_count()'s $iterator parameter to

diff --git a/ext/random/php_random.h b/ext/random/php_random.h
@@ -245,8 +245,6 @@ extern PHPAPI const php_random_algo php_random_algo_xoshiro256starstar;
 extern PHPAPI const php_random_algo php_random_algo_secure;
 extern PHPAPI const php_random_algo php_random_algo_user;
 
-# define PHP_RANDOM_ALGO_IS_DYNAMIC(algo)	((algo)->generate_size == 0)
-
 typedef struct _php_random_engine {
 	const php_random_algo *algo;
 	php_random_status *status;

diff --git a/ext/random/random.c b/ext/random/random.c
@@ -307,13 +307,13 @@ PHPAPI zend_object *php_random_engine_common_clone_object(zend_object *object)
 /* {{{ php_random_range */
 PHPAPI zend_long php_random_range(const php_random_algo *algo, php_random_status *status, zend_long min, zend_long max)
 {
-	zend_ulong umax = max - min;
+	zend_ulong umax = (zend_ulong) max - (zend_ulong) min;
 
-	if (PHP_RANDOM_ALGO_IS_DYNAMIC(algo) || algo->generate_size > sizeof(uint32_t) || umax > UINT32_MAX) {
-		return (zend_long) rand_range64(algo, status, umax) + min;
+	if (algo->generate_size == 0 || algo->generate_size > sizeof(uint32_t) || umax > UINT32_MAX) {
+		return (zend_long) (rand_range64(algo, status, umax) + min);
 	}
 
-	return (zend_long) rand_range32(algo, status, umax) + min;
+	return (zend_long) (rand_range32(algo, status, umax) + min);
 }
 /* }}} */