Fix GH-18309: ipv6 filter integer overflow

ndossche · ndossche · commit f9a16d4cf943 · 2025-04-11T21:00:06.000+02:00
The intermediate computation can cause a signed integer overflow, but
the input is correctly rejected later on by the check on variable `n`.
Solve this by using an unsigned number.
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
@@ -762,7 +762,7 @@ static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8])
 {
 	int compressed_pos = -1;
 	int blocks = 0;
-	int num, n, i;
+	unsigned int num, n, i;
 	char *ipv4;
 	const char *end;
 	int ip4elm[4];
diff --git a/ext/filter/tests/gh18309.phpt b/ext/filter/tests/gh18309.phpt
@@ -0,0 +1,10 @@
+--TEST--
+GH-18309 (ipv6 filter integer overflow)
+--EXTENSIONS--
+filter
+--FILE--
+<?php
+var_dump(filter_var('fffffffffffffffffffffffffffffffffffff::', FILTER_VALIDATE_IP, FILTER_FLAG_IPV6));
+?>
+--EXPECT--
+bool(false)

Original file line number	Diff line number	Diff line change
`@@ -762,7 +762,7 @@ static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8])`
`762`	`762`	`{`
`763`	`763`	`int compressed_pos = -1;`
`764`	`764`	`int blocks = 0;`
`765`		`- int num, n, i;`
	`765`	`+ unsigned int num, n, i;`
`766`	`766`	`char *ipv4;`
`767`	`767`	`const char *end;`
`768`	`768`	`int ip4elm[4];`