Fix GH-18976: pack with h or H format string overflow.

devnexen · devnexen · commit 7495339c3f64 · 2025-06-29T13:16:49.000+01:00
adding with its own remainder, INT_MAX overflows here (negative values are
discarded).
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
@@ -388,6 +388,12 @@ PHP_FUNCTION(pack)
 		switch ((int) code) {
 			case 'h':
 			case 'H':
+				if (arg == INT_MAX) {
+					efree(formatcodes);
+					efree(formatargs);
+					zend_value_error("Type %c: integer overflow in format string", code);
+					RETURN_THROWS();
+				}
 				INC_OUTPUTPOS((arg + (arg % 2)) / 2,1)	/* 4 bit per arg */
 				break;
 
diff --git a/ext/standard/tests/strings/gh18976.phpt b/ext/standard/tests/strings/gh18976.phpt
@@ -0,0 +1,18 @@
+--TEST--
+GH-18976 pack overflow wit h/H format
+--FILE--
+<?php
+try {
+	pack('h2147483647');
+} catch (ValueError $e) {
+	echo $e->getMessage(), PHP_EOL;
+}
+try {
+	pack('H2147483647');
+} catch (ValueError $e) {
+	echo $e->getMessage(), PHP_EOL;
+}
+?>
+--EXPECT--
+Type h: integer overflow in format string
+Type H: integer overflow in format string
