From 3a861aad64d0b0b402c1d8de94d7673c90bcf29f Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sat, 12 Oct 2024 04:55:45 +0100
Subject: [PATCH] Fix socket_recvfrom overflow on buffer size.

when passing PHP_INT_MAX for the $length param we get this (with ubsan) `ext/sockets/sockets.c:1409:36: runtime error: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long int'`
---
 ext/sockets/sockets.c | 3 ++-
 ext/sockets/tests/socket_recv_overflow.phpt | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 ext/sockets/tests/socket_recv_overflow.phpt
diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
index f1a62c719291a..2430b10977ec7 100644
--- a/ext/sockets/sockets.c
+++ b/ext/sockets/sockets.c
@@ -1402,7 +1402,8 @@ PHP_FUNCTION(socket_recvfrom)
 /* overflow check */
 /* Shouldthrow ? */
- if ((arg3 + 2) < 3) {
+
+ if (arg3 <= 0 || arg3 > ZEND_LONG_MAX - 1) {
 RETURN_FALSE;
 }
diff --git a/ext/sockets/tests/socket_recv_overflow.phpt b/ext/sockets/tests/socket_recv_overflow.phpt
new file mode 100644
index 0000000000000..9b3f7a0bbb538
--- /dev/null
+++ b/ext/sockets/tests/socket_recv_overflow.phpt
@@ -0,0 +1,19 @@
+--TEST--
+socket_recvfrom overflow on length argument
+--EXTENSIONS--
+sockets
+--SKIPIF--
+--EXPECT--
+bool(false)
+bool(false)
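Review bot: The new upper bound in `if (arg3 <= 0 || arg3 > ZEND_LONG_MAX - 1)` rejects only `arg3 == ZEND_LONG_MAX`, so it removes the signed overflow ubsan reported at line 1409 but still passes any caller-supplied length up to `ZEND_LONG_MAX - 1` to the code after the hunk. If that code sizes the receive buffer from `arg3 + 1`, as the ubsan message suggests, an oversized `$length` would presumably end in an allocation failure rather than `false`; it is worth confirming that path and, if so, bounding the length by what the allocator can actually serve. The retained comments `/* overflow check */ /* Shouldthrow ? */` are now separated from the check by the added blank line and no longer describe it; I would drop the blank line and replace them with something like `/* reject non-positive lengths and ZEND_LONG_MAX: arg3 + 1 is computed further down */`. The body of `PHP_FUNCTION(socket_recvfrom)` starts and ends outside the hunk.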