Fix signed int overflow in scanner

iluuu1994 · iluuu1994 · commit 0a12aaa5b822 · 2025-08-22T16:24:20.000+02:00
yylen is unsigned int, but len in zend_scan_escape_string() is int, which will break for string literals >=2GB. yyleng is still limited to 4GB, but we can't fix this without breaking the ABI. Partially addresses GH-19542 Closes GH-19545
diff --git a/NEWS b/NEWS
@@ -5,6 +5,8 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug GH-18850 (Repeated inclusion of file with __halt_compiler()
     triggers "Constant already defined" warning). (ilutov)
+  . Partially fixed bug GH-19542 (Scanning of string literals >=2GB will fail
+    due to signed int overflow). (ilutov)
 
 - OpenSSL:
   . Fixed bug GH-19245 (Success error message on TLS stream accept failure).
diff --git a/Zend/zend_language_scanner.l b/Zend/zend_language_scanner.l
@@ -911,7 +911,7 @@ ZEND_API void zend_multibyte_yyinput_again(zend_encoding_filter old_input_filter
 		ZVAL_STRINGL(zendlval, yytext, yyleng); \
 	}
 
-static zend_result zend_scan_escape_string(zval *zendlval, char *str, int len, char quote_type)
+static zend_result zend_scan_escape_string(zval *zendlval, char *str, size_t len, char quote_type)
 {
 	char *s, *t;
 	char *end;

Original file line number	Diff line number	Diff line change
`@@ -911,7 +911,7 @@ ZEND_API void zend_multibyte_yyinput_again(zend_encoding_filter old_input_filter`
`911`	`911`	`ZVAL_STRINGL(zendlval, yytext, yyleng); \`
`912`	`912`	`}`
`913`	`913`
`914`		`-static zend_result zend_scan_escape_string(zval zendlval, char str, int len, char quote_type)`
	`914`	`+static zend_result zend_scan_escape_string(zval zendlval, char str, size_t len, char quote_type)`
`915`	`915`	`{`
`916`	`916`	`char s, t;`
`917`	`917`	`char *end;`