Use unsigned subtraction in php_random_int()

This subtraction may overflow the signed domain, which is UB. Use
an unsigned subtraction instead.

2 files changed, 6 insertions, 3 deletions

diff --git a/ext/standard/random.c b/ext/standard/random.c
index 82eee863e7..2ab0e8ed80 100644
--- a/ext/standard/random.c
+++ b/ext/standard/random.c
@@ -235,7 +235,7 @@ PHPAPI int php_random_int(zend_long min, zend_long max, zend_long *result, zend_
 		return SUCCESS;
 	}
 
-	umax = max - min;
+	umax = (zend_ulong) max - (zend_ulong) min;
 
 	if (php_random_bytes(&trial, sizeof(trial), should_throw) == FAILURE) {
 		return FAILURE;
diff --git a/ext/standard/tests/random/random_int.phpt b/ext/standard/tests/random/random_int.phpt
index 768bc4f97d..94654a7f72 100644
--- a/ext/standard/tests/random/random_int.phpt
+++ b/ext/standard/tests/random/random_int.phpt
@@ -2,7 +2,6 @@
 Test normal operation of random_int()
 --FILE--
 <?php
-//-=-=-=-
 
 var_dump(is_int(random_int(10, 100)));
 
@@ -10,11 +9,15 @@ $x = random_int(10, 100);
 var_dump($x >= 10 && $x <= 100);
 
 var_dump(random_int(-1000, -1) < 0);
+var_dump(random_int(-1, PHP_INT_MAX) >= -1);
+var_dump(is_int(random_int(PHP_INT_MIN, PHP_INT_MAX)));
 
 var_dump(random_int(42,42));
 
 ?>
---EXPECT--
+--EXPECTF--
+bool(true)
+bool(true)
 bool(true)
 bool(true)
 bool(true)