From 801600347fa939a2d9e2832bdd151f3fd0d91ef8 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 19 Nov 2019 14:22:26 +0100
Subject: [PATCH] Fix #78833: Integer overflow in pack causes out-of-bound
 access

We check for potential signed integer overflow, and bail out
gracefully, in that case.
---
 ext/standard/pack.c                      | 5 ++++-
 ext/standard/tests/strings/bug78833.phpt | 9 +++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/strings/bug78833.phpt

diff --git a/ext/standard/pack.c b/ext/standard/pack.c
index 7d154841abe54..b21edc4a84bbd 100644
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@@ -343,10 +343,13 @@ PHP_FUNCTION(pack)
 				if (arg < 0) {
 					arg = num_args - currentarg;
 				}
-
+				if (currentarg > INT_MAX - arg) {
+					goto too_few_args;
+				}
 				currentarg += arg;
 
 				if (currentarg > num_args) {
+too_few_args:
 					efree(formatcodes);
 					efree(formatargs);
 					php_error_docref(NULL, E_WARNING, "Type %c: too few arguments", code);
diff --git a/ext/standard/tests/strings/bug78833.phpt b/ext/standard/tests/strings/bug78833.phpt
new file mode 100644
index 0000000000000..763b6ec4eac32
--- /dev/null
+++ b/ext/standard/tests/strings/bug78833.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #78833 (Integer overflow in pack causes out-of-bound access)
+--FILE--
+<?php
+var_dump(pack("E2E2147483647H*", 0x0, 0x0, 0x0));
+?>
+--EXPECTF--
+Warning: pack(): Type E: too few arguments in %s on line %d
+bool(false)