Skip to content

signed integer overflow ext/standard/array.c #18480

Closed
Closed
signed integer overflow ext/standard/array.c#18480
Assignees
devnexen
Labels
BugExtension: standardStatus: Verified

Description

@YuanchengJiang
YuanchengJiang
opened on May 2, 2025

Description

The following code:

<?php
define("MAX_64Bit", 9223372036854775807);
define("MAX_32Bit", 2147483647);
define("MIN_64Bit", -9223372036854775807 - 1);
$longVals = array(
MAX_64Bit -1, MAX_64Bit + 1, MIN_64Bit + 1, MIN_64Bit - 1
);
$otherVals = array(0, 1, -1, 7, 9, 65, -44, MAX_32Bit, MAX_64Bit);
foreach ($otherVals as $otherVal) {
}
try {array_splice($longVals,$otherVal,$otherVal,$otherVal);} catch (Exception $e) { echo($e); }

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/array.c:3374:26: runtime error: signed integer overflow: 15 + 9223372036854775807 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/standard/array.c:3374:26 in

To reproduce:

./php-src/sapi/cli/php  ./test.php

Commit:

2fea4efa8f2821bf3cf767a73c1bef2c7b0a1791

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

2fea4ef

Operating System

No response

Metadata

Metadata

Assignees

Labels

BugExtension: standardStatus: Verified

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions