Integer overflow in ext/sockets/sockets.c

[YuanchengJiang]

Description

The following code:

<?php
$s_c_l = socket_create_listen(0);
$s_c = socket_read($s_c_l, PHP_INT_MAX);

Resulted in this output:

/home/phpfuzz/WorkSpace/flowfusion/php-src/ext/sockets/sockets.c:941:14: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/sockets/sockets.c:941:14 in 

To reproduce:

./php-src/sapi/cli/php  ./test.php

Commit:

49d798abcc13cc001b1dbf878bbc76982b079b11

Configurations:

CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv

Operating System:

Ubuntu 20.04 Host, Docker 0599jiangyc/flowfusion:latest

This report is automatically generated by FlowFusion

PHP Version

49d798a

Operating System

No response

[devnexen]

AFAIK socket_recv can overflow in a similar manner, let's fix both.