summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--NEWS2
-rw-r--r--ext/filter/logical_filters.c31
-rw-r--r--ext/filter/tests/bug47745.phpt11
3 files changed, 31 insertions, 13 deletions
diff --git a/NEWS b/NEWS
index 129cff3eef..6454b28b9d 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,8 @@ PHP NEWS
- Fixed bug #47828 (openssl_x509_parse() segfaults when a UTF-8 conversion
fails). (Scott, Kees Cook, Pierre)
- Fixed bug #47769 (Strange extends PDO). (Felipe)
+- Fixed bug #47745 (FILTER_VALIDATE_INT doesn't allow minimum integer).
+ (Dmitry)
- Fixed bug #47721 (Alignment issues in mbstring and sysvshm extension)
(crrodriguez at opensuse dot org, Ilia)
- Fixed bug #47704 (PHP crashes on some "bad" operations with string offsets).
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
index 022d539ba4..84a54f22bd 100644
--- a/ext/filter/logical_filters.c
+++ b/ext/filter/logical_filters.c
@@ -70,14 +70,12 @@
static int php_filter_parse_int(const char *str, unsigned int str_len, long *ret TSRMLS_DC) { /* {{{ */
long ctx_value;
- long sign = 1;
+ long sign = 0;
const char *end = str + str_len;
- double dval;
- long overflow;
switch (*str) {
case '-':
- sign = -1;
+ sign = 1;
case '+':
str++;
default:
@@ -91,22 +89,29 @@ static int php_filter_parse_int(const char *str, unsigned int str_len, long *ret
return -1;
}
+ if ((end - str > MAX_LENGTH_OF_LONG - 1) /* number too long */
+ || (SIZEOF_LONG == 4 && end - str == MAX_LENGTH_OF_LONG - 1 && *str > '2')) {
+ /* overflow */
+ return -1;
+ }
+
while (str < end) {
if (*str >= '0' && *str <= '9') {
- ZEND_SIGNED_MULTIPLY_LONG(ctx_value, 10, ctx_value, dval, overflow);
- if (overflow) {
- return -1;
- }
- ctx_value += ((*(str++)) - '0');
- if (ctx_value & LONG_SIGN_MASK) {
- return -1;
- }
+ ctx_value = (ctx_value * 10) + (*(str++) - '0'); \
} else {
return -1;
}
}
+ if (sign) {
+ ctx_value = -ctx_value;
+ if (ctx_value > 0) { /* overflow */
+ return -1;
+ }
+ } else if (ctx_value < 0) { /* overflow */
+ return -1;
+ }
- *ret = ctx_value * sign;
+ *ret = ctx_value;
return 1;
}
/* }}} */
diff --git a/ext/filter/tests/bug47745.phpt b/ext/filter/tests/bug47745.phpt
new file mode 100644
index 0000000000..a8656fd933
--- /dev/null
+++ b/ext/filter/tests/bug47745.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #47745 (FILTER_VALIDATE_INT doesn't allow minimum integer)
+--FILE--
+<?php
+$s = (string)(-PHP_INT_MAX-1);
+var_dump(intval($s));
+var_dump(filter_var($s, FILTER_VALIDATE_INT));
+?>
+--EXPECTF--
+int(-%d)
+int(-%d)
View Lorry Controller Status