Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
  Fix #78833: Integer overflow in pack causes out-of-bound access

3 files changed, 15 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 70fd82e912..1786ba2b15 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,8 @@ PHP                                                                        NEWS
   . Fixed bug #78759 (array_search in $GLOBALS). (Nikita)
   . Fixed bug #77638 (var_export'ing certain class instances segfaults). (cmb)
   . Fixed bug #78840 (imploding $GLOBALS crashes). (cmb)
+  . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access).
+    (cmb)
 
 21 Nov 2019, PHP 7.3.12
 
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
index c923305973..580bab5a76 100644
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@@ -342,10 +342,13 @@ PHP_FUNCTION(pack)
 				if (arg < 0) {
 					arg = num_args - currentarg;
 				}
-
+				if (currentarg > INT_MAX - arg) {
+					goto too_few_args;
+				}
 				currentarg += arg;
 
 				if (currentarg > num_args) {
+too_few_args:
 					efree(formatcodes);
 					efree(formatargs);
 					php_error_docref(NULL, E_WARNING, "Type %c: too few arguments", code);
diff --git a/ext/standard/tests/strings/bug78833.phpt b/ext/standard/tests/strings/bug78833.phpt
new file mode 100644
index 0000000000..763b6ec4ea
--- /dev/null
+++ b/ext/standard/tests/strings/bug78833.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #78833 (Integer overflow in pack causes out-of-bound access)
+--FILE--
+<?php
+var_dump(pack("E2E2147483647H*", 0x0, 0x0, 0x0));
+?>
+--EXPECTF--
+Warning: pack(): Type E: too few arguments in %s on line %d
+bool(false)