Fix GH-20964: fseek() stream seek with PHP_INT_MIN causes undefined behavior#1
Closed
Fix GH-20964: fseek() stream seek with PHP_INT_MIN causes undefined behavior#1
Conversation
Loading
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
php_stream_memory_seek()(and equivalent functions in pdo_sqlite and sqlite3) compute the absolute value of a negative offset using(size_t)(-offset). Whenoffset == ZEND_LONG_MIN, the signed negation overflows -- undefined behavior caught by UBSAN.The fix swaps the cast order:
-(size_t)offsetcasts to unsigned first (well-defined), then negates (well-defined unsigned arithmetic). Same result for all values, no behavioral change.Files changed
main/streams/memory.c-- php://memory and php://temp stream seekext/pdo_sqlite/pdo_sqlite.c-- PDO SQLite blob stream seekext/sqlite3/sqlite3.c-- SQLite3 blob stream seekExisting PR
PR php#20965 takes a different approach (rejects
ZEND_LONG_MINwith a ValueError). This patch is simpler -- it fixes the UB without changing behavior.Fixes php#20964