URL: http://github.com/php/php-src/pull/21433

Fix GH-20964, GH-20927: fseek() stream seek with PHP_INT_MIN causes undefined behavior by iliaal · Pull Request #21433 · php/php-src · GitHub

Open
iliaal wants to merge 1 commit into php:master from iliaal:fix/gh-20964-fseek-ubsan

iliaal (Contributor) commented Mar 13, 2026

Summary

Stream seek functions in memory, pdo_sqlite, and sqlite3 compute the absolute value of a negative offset using (size_t)(-offset). When offset == ZEND_LONG_MIN, the signed negation overflows -- undefined behavior caught by UBSAN.

The fix swaps the cast order: -(size_t)offset casts to unsigned first (well-defined), then negates (well-defined unsigned arithmetic). Same result for all values, no behavioral change.

Files changed

  • main/streams/memory.c -- php://memory and php://temp stream seek
  • ext/pdo_sqlite/pdo_sqlite.c -- PDO SQLite blob stream seek
  • ext/sqlite3/sqlite3.c -- SQLite3 blob stream seek

Existing PRs

This patch covers all three affected files.

Fixes #20964
Fixes #20927

…fined behavior

Negate after casting to unsigned instead of before, avoiding signed
integer overflow when offset is ZEND_LONG_MIN. The same pattern existed
in the pdo_sqlite and sqlite3 stream seek handlers.

Closes phpGH-20964
Closes phpGH-20927
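
The cast order described in the summary above, shown as an added example that is not code from this pull request or from php-src. The names offset_t, OFFSET_MIN, magnitude_before, magnitude_after and seek_cur are hypothetical, and ptrdiff_t is assumed as a stand-in for zend_long because it has the same width as size_t on common platforms.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: ptrdiff_t stands in for zend_long (same width as size_t). */
typedef ptrdiff_t offset_t;
#define OFFSET_MIN PTRDIFF_MIN

/* "Before" pattern: the signed negation runs first, so offset == OFFSET_MIN
 * overflows, which is undefined behaviour. Never call it with OFFSET_MIN. */
static size_t magnitude_before(offset_t offset) {
    return (size_t)(-offset);
}

/* "After" pattern: convert to unsigned first (defined, modulo 2^N),
 * then negate in unsigned arithmetic (also defined, modulo 2^N). */
static size_t magnitude_after(offset_t offset) {
    return -(size_t)offset;
}

/* Hypothetical relative seek over a buffer of `size` bytes.
 * Keeps *pos within [0, size]; returns 0 on success, -1 if out of range. */
static int seek_cur(size_t *pos, size_t size, offset_t offset) {
    if (offset < 0) {
        size_t back = magnitude_after(offset);
        if (back > *pos) {
            return -1;              /* would move before the start */
        }
        *pos -= back;
    } else {
        size_t fwd = (size_t)offset;
        if (fwd > size - *pos) {
            return -1;              /* would move past the end */
        }
        *pos += fwd;
    }
    return 0;
}

int main(void) {
    size_t pos = 10;
    int rc = seek_cur(&pos, 100, OFFSET_MIN);   /* rejected without overflow */
    int same = magnitude_before(-5) == magnitude_after(-5);
    printf("rc=%d pos=%zu same_for_minus_5=%d\n", rc, pos, same);
    return 0;
}
```

Building with -fsanitize=undefined and calling magnitude_before(OFFSET_MIN) reproduces the kind of UBSAN report the summary mentions; magnitude_after produces no report for the same input.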