Fix GH-20601: ftp_connect() timeout argument overflow.

close GH-20603

Author: devnexen

NEWS

@@ -24,6 +24,9 @@ PHP                                                                        NEWS
   . Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI
     small value). (David Carlier)
 
+- FTP:
+  . Fixed bug GH-20601 (ftp_connect overflow on timeout). (David Carlier)
+
 - GD:
   . Fixed bug GH-20511 (imagegammacorrect out of range input/output values).
     (David Carlier)

ext/ftp/php_ftp.c

@@ -158,11 +158,18 @@ PHP_FUNCTION(ftp_connect)
 		RETURN_THROWS();
 	}
 
+	const zend_long timeoutmax = (zend_long)((double) PHP_TIMEOUT_ULL_MAX / 1000000.0);
+
 	if (timeout_sec <= 0) {
 		zend_argument_value_error(3, "must be greater than 0");
 		RETURN_THROWS();
 	}
 
+	if (timeout_sec >= timeoutmax) {
+		zend_argument_value_error(3, "must be less than " ZEND_LONG_FMT, timeoutmax);
+		RETURN_THROWS();
+	}
+
 	/* connect */
 	if (!(ftp = ftp_open(host, (short)port, timeout_sec))) {
 		RETURN_FALSE;

ext/ftp/tests/gh20601.phpt

@@ -0,0 +1,19 @@
+--TEST--
+GH-20601 (ftp_connect timeout overflow)
+--EXTENSIONS--
+ftp
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE != 8) die("skip: 64-bit only");
+if (PHP_OS_FAMILY === 'Windows') die("skip not for windows");
+?>
+--FILE--
+<?php
+try {
+	ftp_connect('127.0.0.1', 1024, PHP_INT_MAX);
+} catch (\ValueError $e) {
+	echo $e->getMessage();
+}
+?>
+--EXPECTF--
+ftp_connect(): Argument #3 ($timeout) must be less than %d

main/network.c

@@ -319,6 +319,8 @@ static inline void php_network_set_limit_time(struct timeval *limit_time,
 		struct timeval *timeout)
 {
 	gettimeofday(limit_time, NULL);
+	const double timeoutmax = (double) PHP_TIMEOUT_ULL_MAX / 1000000.0;
+	ZEND_ASSERT(limit_time->tv_sec < (timeoutmax - timeout->tv_sec));
 	limit_time->tv_sec += timeout->tv_sec;
 	limit_time->tv_usec += timeout->tv_usec;
 	if (limit_time->tv_usec >= 1000000) {