Prevent int overflow crash when comparing against PHP_INT_MAX/MIN#11715
Open
eyupcanakman wants to merge 1 commit intovimeo:6.xfrom
Open
Prevent int overflow crash when comparing against PHP_INT_MAX/MIN#11715eyupcanakman wants to merge 1 commit intovimeo:6.xfrom
eyupcanakman wants to merge 1 commit intovimeo:6.xfrom
Conversation
When an int is compared against PHP_INT_MAX (e.g. $v <= PHP_INT_MAX) and psalm evaluates the negated assertion (> PHP_INT_MAX) in the else branch, reconcileIsGreaterThan computes PHP_INT_MAX + 1, which silently overflows from int to float. Passing that float to TIntRange::contains(int $i) under strict_types=1 raises a fatal TypeError. The same underflow occurs in reconcileIsLessThan when the assertion value is PHP_INT_MIN. Add !is_int() guards after each arithmetic step. When the guard fires, no integer can satisfy the comparison (> PHP_INT_MAX or < PHP_INT_MIN), so all TIntRange, TInt, and TLiteralInt types are removed from the union. Fixes vimeo#11209.
eyupcanakman
force-pushed
the
fix/int-range-overflow-11209
branch
from
b479a89 to
bea0b2d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix #11209
reconcileIsGreaterThancomputes$assertion->value + 1, which overflows frominttofloatwhen the assertion value isPHP_INT_MAX. The resultingfloatis passed toTIntRange::contains(int $i)understrict_types=1, causing aTypeError.The same underflow happens in
reconcileIsLessThanwithPHP_INT_MIN - 1.Added
!is_int()guards after each arithmetic step. When overflow is detected, no integer can satisfy the comparison, so all integer types are removed from the union.