Fix phpGH-15653: fgetcsv overflow on length parameter.

devnexen · devnexen · commit 7db1a5843ffc · 2024-08-30T17:16:57.000+01:00
close phpGH-15655
diff --git a/NEWS b/NEWS
@@ -89,6 +89,7 @@ PHP                                                                        NEWS
 - Standard:
   . Fix passing non-finite timeout values in stream functions. (nielsdos)
   . Fixed GH-14780 p(f)sockopen timeout overflow. (David Carlier)
+  . Fixed GH-15653 overflow on fgetcsv length parameter. (David Carlier)
 
 - Streams:
   . Fixed bug GH-15028 (Memory leak in ext/phar/stream.c). (nielsdos)
diff --git a/ext/standard/file.c b/ext/standard/file.c
@@ -1895,8 +1895,8 @@ PHP_FUNCTION(fgetcsv)
 
 		if (len_is_null || len == 0) {
 			len = -1;
-		} else if (len < 0) {
-			zend_argument_value_error(2, "must be a greater than or equal to 0");
+		} else if (len < 0 || len > (ZEND_LONG_MAX - 1)) {
+			zend_argument_value_error(2, "must be between 0 and " ZEND_LONG_FMT, (ZEND_LONG_MAX - 1));
 			RETURN_THROWS();
 		}
 
diff --git a/ext/standard/tests/file/fgetcsv_error_conditions.phpt b/ext/standard/tests/file/fgetcsv_error_conditions.phpt
@@ -48,11 +48,11 @@ try {
     echo $e->getMessage() . \PHP_EOL;
 }
 ?>
---EXPECT--
+--EXPECTF--
 fgetcsv() with negative length
-fgetcsv(): Argument #2 ($length) must be a greater than or equal to 0
-fgetcsv(): Argument #2 ($length) must be a greater than or equal to 0
-fgetcsv(): Argument #2 ($length) must be a greater than or equal to 0
+fgetcsv(): Argument #2 ($length) must be between 0 and %d
+fgetcsv(): Argument #2 ($length) must be between 0 and %d
+fgetcsv(): Argument #2 ($length) must be between 0 and %d
 fgetcsv() with delimiter as empty string
 fgetcsv(): Argument #3 ($separator) must be a single character
 fgetcsv() with enclosure as empty string
diff --git a/ext/standard/tests/file/gh15653.phpt b/ext/standard/tests/file/gh15653.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GH-15653 (fgetcsv overflow on length argument)
+--FILE--
+<?php
+$filename = __DIR__ . "/gh15653.tmp";
+touch($filename);
+$fp = fopen ($filename, "r");
+
+try {
+	fgetcsv($fp, PHP_INT_MAX);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+
+fgetcsv($fp, PHP_INT_MAX-1);
+--CLEAN--
+<?php
+@unlink(__DIR__ . "/gh15653.tmp");
+?>
+--EXPECTF--
+fgetcsv(): Argument #2 ($length) must be between 0 and %d
+%A

Original file line number	Diff line number	Diff line change
`@@ -1895,8 +1895,8 @@ PHP_FUNCTION(fgetcsv)`
`1895`	`1895`
`1896`	`1896`	`if (len_is_null \|\| len == 0) {`
`1897`	`1897`	`len = -1;`
`1898`		`- } else if (len < 0) {`
`1899`		`- zend_argument_value_error(2, "must be a greater than or equal to 0");`
	`1898`	`+ } else if (len < 0 \|\| len > (ZEND_LONG_MAX - 1)) {`
	`1899`	`+ zend_argument_value_error(2, "must be between 0 and " ZEND_LONG_FMT, (ZEND_LONG_MAX - 1));`
`1900`	`1900`	`RETURN_THROWS();`
`1901`	`1901`	`}`
`1902`	`1902`