Use unsigned subtraction in php_random_int()

nikic · nikic · commit 265af40a0a84 · 2019-09-03T12:28:18.000+02:00
This subtraction may overflow the signed domain, which is UB. Use
an unsigned subtraction instead.
diff --git a/ext/standard/random.c b/ext/standard/random.c
@@ -235,7 +235,7 @@ PHPAPI int php_random_int(zend_long min, zend_long max, zend_long *result, zend_
 		return SUCCESS;
 	}
 
-	umax = max - min;
+	umax = (zend_ulong) max - (zend_ulong) min;
 
 	if (php_random_bytes(&trial, sizeof(trial), should_throw) == FAILURE) {
 		return FAILURE;
diff --git a/ext/standard/tests/random/random_int.phpt b/ext/standard/tests/random/random_int.phpt
@@ -2,19 +2,22 @@
 Test normal operation of random_int()
 --FILE--
 <?php
-//-=-=-=-
 
 var_dump(is_int(random_int(10, 100)));
 
 $x = random_int(10, 100);
 var_dump($x >= 10 && $x <= 100);
 
 var_dump(random_int(-1000, -1) < 0);
+var_dump(random_int(-1, PHP_INT_MAX) >= -1);
+var_dump(is_int(random_int(PHP_INT_MIN, PHP_INT_MAX)));
 
 var_dump(random_int(42,42));
 
 ?>
---EXPECT--
+--EXPECTF--
+bool(true)
+bool(true)
 bool(true)
 bool(true)
 bool(true)

Original file line number	Diff line number	Diff line change
`@@ -235,7 +235,7 @@ PHPAPI int php_random_int(zend_long min, zend_long max, zend_long *result, zend_`
`235`	`235`	`return SUCCESS;`
`236`	`236`	`}`
`237`	`237`
`238`		`- umax = max - min;`
	`238`	`+ umax = (zend_ulong) max - (zend_ulong) min;`
`239`	`239`
`240`	`240`	`if (php_random_bytes(&trial, sizeof(trial), should_throw) == FAILURE) {`
`241`	`241`	`return FAILURE;`