Fix GH-18976: pack with h or H format string overflow.

devnexen · devnexen · commit 865739e5b196 · 2025-06-29T16:57:10.000+01:00
adding with its own remainder, INT_MAX overflows here (negative values are discarded). close GH-18977
diff --git a/NEWS b/NEWS
@@ -33,6 +33,8 @@ PHP                                                                        NEWS
 - Standard:
   . Fix misleading errors in printf(). (nielsdos)
   . Fix RCN violations in array functions. (nielsdos)
+  . Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value.
+    (David Carlier)
 
 - Streams:
   . Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
@@ -388,7 +388,7 @@ PHP_FUNCTION(pack)
 		switch ((int) code) {
 			case 'h':
 			case 'H':
-				INC_OUTPUTPOS((arg + (arg % 2)) / 2,1)	/* 4 bit per arg */
+				INC_OUTPUTPOS((arg / 2) + (arg % 2),1)	/* 4 bit per arg */
 				break;
 
 			case 'a':
diff --git a/ext/standard/tests/strings/gh18976.phpt b/ext/standard/tests/strings/gh18976.phpt
@@ -0,0 +1,14 @@
+--TEST--
+GH-18976 (pack overflow with h/H format)
+--INI--
+memory_limit=-1
+--FILE--
+<?php
+pack('h2147483647', 1);
+pack('H2147483647', 1);
+?>
+--EXPECTF--
+
+Warning: pack(): Type h: not enough characters in string in %s on line %d
+
+Warning: pack(): Type H: not enough characters in string in %s on line %d
