Fix #72146: Integer overflow on substr_replace

Adding two `zend_long`s may overflow, and casting `size_t` to `zend_long` may truncate; we can avoid this here by enforcing unsigned arithmetic. Closes GH-7240.
php · Jul 15, 2021 · 33f8dfb · 33f8dfb
1 parent ebd3a21
commit 33f8dfb
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,8 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.4.23
 
+- Standard:
+  . Fixed bug #72146 (Integer overflow on substr_replace). (cmb)
 
 29 Jul 2021, PHP 7.4.22
 

diff --git a/ext/standard/string.c b/ext/standard/string.c
@@ -2664,7 +2664,9 @@ PHP_FUNCTION(substr_replace)
 				}
 			}
 
-			if ((f + l) > (zend_long)ZSTR_LEN(orig_str)) {
+			ZEND_ASSERT(0 <= f && f <= ZEND_LONG_MAX);
+			ZEND_ASSERT(0 <= l && l <= ZEND_LONG_MAX);
+			if (((size_t) f + l) > ZSTR_LEN(orig_str)) {
 				l = ZSTR_LEN(orig_str) - f;
 			}
 

diff --git a/ext/standard/tests/strings/bug72146.phpt b/ext/standard/tests/strings/bug72146.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #72146 (Integer overflow on substr_replace)
+--FILE--
+<?php 
+var_dump(substr_replace(["ABCDE"], "123", 3, PHP_INT_MAX));
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(6) "ABC123"
+}