From e4473abefc4fd711a2343a0954d60a2422a9e4fb Mon Sep 17 00:00:00 2001 From: David Carlier Date: Mon, 13 Jan 2025 18:09:08 +0000 Subject: [PATCH] Fix GH-17463: SplTempFileObject::ftruncate() segfault on negative length. close GH-465 --- NEWS | 4 ++++ ext/spl/spl_directory.c | 6 ++++++ ext/spl/tests/gh17463.phpt | 16 ++++++++++++++++ 3 files changed, 26 insertions(+) create mode 100644 ext/spl/tests/gh17463.phpt diff --git a/NEWS b/NEWS index d247f33bc3540..004db0830827d 100644 --- a/NEWS +++ b/NEWS @@ -40,6 +40,10 @@ PHP NEWS . Fixed bug GH-17330 (SNMP::setSecurity segfault on closed session). (David Carlier) +- SPL: + . Fixed bug GH-17463 (crash on SplTempFileObject::ftruncate with negative + value). (David Carlier) + - Zip: . Fixed bug GH-17139 (Fix zip_entry_name() crash on invalid entry). (nielsdos) diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c index e4e79b0edb861..0a4d1456d65e9 100644 --- a/ext/spl/spl_directory.c +++ b/ext/spl/spl_directory.c @@ -2708,6 +2708,12 @@ PHP_METHOD(SplFileObject, ftruncate) CHECK_SPL_FILE_OBJECT_IS_INITIALIZED(intern); + if (size < 0) { + zend_argument_value_error(1, "must be greater than or equal to 0"); + RETURN_THROWS(); + } + + if (!php_stream_truncate_supported(intern->u.file.stream)) { zend_throw_exception_ex(spl_ce_LogicException, 0, "Can't truncate file %s", ZSTR_VAL(intern->file_name)); RETURN_THROWS(); diff --git a/ext/spl/tests/gh17463.phpt b/ext/spl/tests/gh17463.phpt new file mode 100644 index 0000000000000..41939c62f5b2c --- /dev/null +++ b/ext/spl/tests/gh17463.phpt @@ -0,0 +1,16 @@ +--TEST-- +GH-17463 segfault on SplFileObject::ftruncate() with negative value. +--CREDITS-- +YuanchengJiang +--FILE-- +ftruncate(-1); +} catch (\ValueError $e) { + echo $e->getMessage(); +} +?> +--EXPECT-- +SplFileObject::ftruncate(): Argument #1 ($size) must be greater than or equal to 0
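Review bot: The `size < 0` guard added ahead of the `php_stream_truncate_supported()` check protects only this method, and nothing visible in the hunk shows the stream layer rejecting a negative length itself. Any other caller that passes an unchecked signed value to the truncate path would presumably hit the same signed-to-unsigned conversion, so it is worth confirming whether the temp/memory stream truncate handler should validate the size as defence in depth. A short comment above the check would record why it exists, for example `/* a negative size would be converted to a huge unsigned length further down (GH-17463) */`. The hunk also adds two consecutive blank lines after the closing brace, where one is enough. The method body starts and ends outside the hunk.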
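Review bot: The test pins only `ftruncate(-1)`, while the boundary the new guard draws is at 0. Adding a succeeding `ftruncate(0)` call and a large negative value such as `PHP_INT_MIN` would show that the check rejects exactly the negative range and nothing else. The `--TEST--` title names SplFileObject while the commit subject names SplTempFileObject, and the opening of the `--FILE--` section is not fully visible on this page, so confirm which class is instantiated and make the title match it.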