Fix phpGH-14774 time_sleep_until overflow.

devnexen · Jul 5, 2024 · f0f029c · f0f029c
1 parent 070779c
commit f0f029c
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
@@ -1228,6 +1228,7 @@ PHP_FUNCTION(time_sleep_until)
 	struct timespec php_req, php_rem;
 	uint64_t current_ns, target_ns, diff_ns;
 	const uint64_t ns_per_sec = 1000000000;
+	const uint64_t top_target_sec = UINT64_MAX / ns_per_sec;
 
 	ZEND_PARSE_PARAMETERS_START(1, 1)
 		Z_PARAM_DOUBLE(target_secs)
@@ -1237,6 +1238,11 @@ PHP_FUNCTION(time_sleep_until)
 		RETURN_FALSE;
 	}
 
+	if (UNEXPECTED((uint64_t)target_secs > top_target_sec)) {
+		zend_argument_value_error(1, "must be at most " ZEND_LONG_FMT, top_target_sec);
+		RETURN_THROWS();
+	}
+
 	target_ns = (uint64_t) (target_secs * ns_per_sec);
 	current_ns = ((uint64_t) tm.tv_sec) * ns_per_sec + ((uint64_t) tm.tv_usec) * 1000;
 	if (target_ns < current_ns) {

diff --git a/ext/standard/tests/misc/gh14774.phpt b/ext/standard/tests/misc/gh14774.phpt
@@ -0,0 +1,17 @@
+--TEST--
+GH-14774 time_sleep_until overflow
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platform only");
+?>
+--FILE--
+<?php
+static $var = (PHP_INT_MAX / 500000000) + 1;
+try {
+	time_sleep_until($var);
+} catch (\ValueError $e) {
+	echo $e->getMessage();
+}
+?>
+--EXPECTF--
+time_sleep_until(): Argument #1 ($timestamp) must be at most %d