Fix GH-14780: p(f)sockopen overflow on timeout argument.

devnexen · devnexen · commit 6f51b1e8c44e · 2024-07-03T12:54:41.000+01:00
diff --git a/ext/standard/fsock.c b/ext/standard/fsock.c
@@ -30,6 +30,7 @@ static void php_fsockopen_stream(INTERNAL_FUNCTION_PARAMETERS, int persistent)
 	char *host;
 	size_t host_len;
 	zend_long port = -1;
+	zend_ulong ltimeout;
 	zval *zerrno = NULL, *zerrstr = NULL;
 	double timeout;
 	bool timeout_is_null = 1;
@@ -73,13 +74,23 @@ static void php_fsockopen_stream(INTERNAL_FUNCTION_PARAMETERS, int persistent)
 	}
 
 	/* prepare the timeout value for use */
+	ltimeout = (zend_ulong)(timeout * 1000000.0);
+	if (ltimeout > LONG_MAX) {
+		if (port > 0) {
+			efree(hostname);
+		}
+		if (hashkey) {
+			efree(hashkey);
+		}
+		zend_argument_value_error(6, "must be between 0 and " ZEND_LONG_FMT, (LONG_MAX / 1000000));
+		RETURN_THROWS();
+	}
 #ifndef PHP_WIN32
-	conv = (time_t) (timeout * 1000000.0);
-	tv.tv_sec = conv / 1000000;
+	conv = (time_t) (ltimeout);
 #else
-	conv = (long) (timeout * 1000000.0);
-	tv.tv_sec = conv / 1000000;
+	conv = (long) (ltimeout);
 #endif
+	tv.tv_sec = conv / 1000000;
 	tv.tv_usec = conv % 1000000;
 
 	stream = php_stream_xport_create(hostname, hostname_len, REPORT_ERRORS,
diff --git a/ext/standard/tests/streams/gh14780.phpt b/ext/standard/tests/streams/gh14780.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-14780: p(f)sockopen overflow on timeout.
+--FILE--
+<?php
+$code = null;
+$err = null;
+try {
+	pfsockopen('udp://127.0.0.1', '63844', $code, $err, (PHP_INT_MAX/1000000)+1);
+} catch (\ValueError $e) {
+	echo $e->getMessage();
+}
+--EXPECTF--
+pfsockopen(): Argument #6 must be between 0 and %s
