Fix GH-14807 ext/standard levenshtein overflow on 3rd, 4th and 5th arguments.

devnexen · devnexen · commit 4fdbb09b3521 · 2024-07-04T07:06:30.000+01:00
diff --git a/ext/standard/levenshtein.c b/ext/standard/levenshtein.c
@@ -78,6 +78,20 @@ PHP_FUNCTION(levenshtein)
 		RETURN_THROWS();
 	}
 
+	if (ZEND_LONG_UINT_OVFL(cost_ins)) {
+		zend_argument_value_error(3, "must be between 0 and %u", UINT_MAX);
+		RETURN_THROWS();
+	}
+
+	if (ZEND_LONG_UINT_OVFL(cost_rep)) {
+		zend_argument_value_error(4, "must be between 0 and %u", UINT_MAX);
+		RETURN_THROWS();
+	}
+
+	if (ZEND_LONG_UINT_OVFL(cost_del)) {
+		zend_argument_value_error(5, "must be between 0 and %u", UINT_MAX);
+		RETURN_THROWS();
+	}
 
 	RETURN_LONG(reference_levdist(string1, string2, cost_ins, cost_rep, cost_del));
 }
diff --git a/ext/standard/tests/strings/gh14807.phpt b/ext/standard/tests/strings/gh14807.phpt
@@ -0,0 +1,33 @@
+--TEST--
+GH-14807 overflow on insertion_cost/replacement_cost/deletion_cost
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platform only");
+?>
+--FILE--
+<?php
+$str1 = "abcd";
+$str2 = "defg";
+
+try {
+	levenshtein($str1, $str2, PHP_INT_MIN);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+
+try {
+	levenshtein($str1, $str2, 1, PHP_INT_MIN);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+
+try {
+	levenshtein($str1, $str2, 1, 1, PHP_INT_MIN);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+?>
+--EXPECTF--
+levenshtein(): Argument #3 ($insertion_cost) must be between 0 and %d
+levenshtein(): Argument #4 ($replacement_cost) must be between 0 and %d
+levenshtein(): Argument #5 ($deletion_cost) must be between 0 and %d
