Skip to content

Signed integer overflow in ext/phar fseek #18642

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
YuanchengJiang opened this issue May 24, 2025 · 2 comments · May be fixed by #18644
Open

Signed integer overflow in ext/phar fseek #18642

YuanchengJiang opened this issue May 24, 2025 · 2 comments · May be fixed by #18644
Assignees
@nielsdos
Labels
Bug Extension: phar Status: Verified

Comments

@YuanchengJiang
Copy link

Description

The following code:

<?php
require_once 'files/phar_oo_test.inc';
class MyFile extends SplFileObject
{
}
$phar = new Phar($fname);
$phar->setInfoClass('MyFile');
$f = $phar['a.php'];
var_dump($f->fseek(PHP_INT_MAX));

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/ext/phar/stream.c:419:22: runtime error: signed integer overflow: 278 + 9223372036854775807 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/phar/stream.c:419:22 in

To reproduce:

./php-src/sapi/cli/php  -d "phar.require_hash=0" ./test.php

Commit:

dfff6ac852a23c6e33c06c7716d095ad4a7166d8

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

dfff6ac852a23c6e33c06c7716d095ad4a7166d8

Operating System

No response
@nielsdos nielsdos self-assigned this May 24, 2025
@devnexen
Copy link
Member

The way it seems to be => risk of overflow => newoffset at -1 then return -1 immediatly.

@devnexen
Copy link
Member

ah well nielsdos into it already :D

@nielsdos nielsdos changed the title signed integer overflow in fseek Signed integer overflow in ext/phar fseek May 24, 2025
nielsdos added a commit to nielsdos/php-src that referenced this issue May 24, 2025
@nielsdos
Fix phpGH-18642: Signed integer overflow in ext/phar fseek
9d54cd4 
The overflow checking code already existed, but didn't work because the
math was done on signed numbers instead of unsigned numbers.
In the process I also discovered a pre-existing issue that needs to be
fixed (and seems that other stream wrappers can have this issue too).
@nielsdos nielsdos linked a pull request May 24, 2025 that will close this issue
Fix GH-18642: Signed integer overflow in ext/phar fseek #18644
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nielsdos nielsdos

Labels
Bug Extension: phar Status: Verified
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix GH-18642: Signed integer overflow in ext/phar fseek nielsdos/php-src
3 participants
@devnexen @nielsdos @YuanchengJiang