From d229a480ad5a63b029cc0d74ba251c5ddb8738e4 Mon Sep 17 00:00:00 2001
From: George Peter Banyard <girgias@php.net>
Date: Tue, 8 Aug 2023 10:44:04 +0100
Subject: [PATCH] Fix GH-11876: ini_parse_quantity() accepts invalid quantities

Closes GH-11910
---
 NEWS                             |  2 ++
 Zend/tests/zend_ini/gh11876.phpt | 51 ++++++++++++++++++++++++++++++++
 Zend/zend_ini.c                  | 40 +++++++++++++++++++++++++
 3 files changed, 93 insertions(+)
 create mode 100644 Zend/tests/zend_ini/gh11876.phpt

diff --git a/NEWS b/NEWS
index dc48ab51822..8e9c36ecdd9 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-11937 (Constant ASTs containing objects). (ilutov)
   . Fixed bug GH-11790 (On riscv64 require libatomic if actually needed).
     (Jeremie Courreges-Anglas)
+  . Fixed bug GH-11876: ini_parse_quantity() accepts invalid quantities.
+    (Girgias)
 
 - DOM:
   . Fix memory leak when setting an invalid DOMDocument encoding. (nielsdos)
diff --git a/Zend/tests/zend_ini/gh11876.phpt b/Zend/tests/zend_ini/gh11876.phpt
new file mode 100644
index 00000000000..b83061bf161
--- /dev/null
+++ b/Zend/tests/zend_ini/gh11876.phpt
@@ -0,0 +1,51 @@
+--TEST--
+Invalid INI quantities, base prefix followed by stuff eaten by strtoull()
+--EXTENSIONS--
+zend_test
+--FILE--
+<?php
+
+var_dump(zend_test_zend_ini_parse_quantity('0x0x12'));
+
+var_dump(zend_test_zend_ini_parse_quantity('0b+10'));
+var_dump(zend_test_zend_ini_parse_quantity('0o+10'));
+var_dump(zend_test_zend_ini_parse_quantity('0x+10'));
+
+var_dump(zend_test_zend_ini_parse_quantity('0b 10'));
+var_dump(zend_test_zend_ini_parse_quantity('0o 10'));
+var_dump(zend_test_zend_ini_parse_quantity('0x 10'));
+
+var_dump(zend_test_zend_ini_parse_quantity('0g10'));
+var_dump(zend_test_zend_ini_parse_quantity('0m10'));
+var_dump(zend_test_zend_ini_parse_quantity('0k10'));
+
+--EXPECTF--
+Warning: Invalid quantity "0x0x12": no digits after base prefix, interpreting as "0" for backwards compatibility in %s on line %d
+int(0)
+
+Warning: Invalid quantity "0b+10": no digits after base prefix, interpreting as "0" for backwards compatibility in %s on line %d
+int(0)
+
+Warning: Invalid quantity "0o+10": no digits after base prefix, interpreting as "0" for backwards compatibility in %s on line %d
+int(0)
+
+Warning: Invalid quantity "0x+10": no digits after base prefix, interpreting as "0" for backwards compatibility in %s on line %d
+int(0)
+
+Warning: Invalid quantity "0b 10": no digits after base prefix, interpreting as "0" for backwards compatibility in %s on line %d
+int(0)
+
+Warning: Invalid quantity "0o 10": no digits after base prefix, interpreting as "0" for backwards compatibility in %s on line %d
+int(0)
+
+Warning: Invalid quantity "0x 10": no digits after base prefix, interpreting as "0" for backwards compatibility in %s on line %d
+int(0)
+
+Warning: Invalid quantity "0g10": unknown multiplier "0", interpreting as "0" for backwards compatibility in %s on line %d
+int(0)
+
+Warning: Invalid quantity "0m10": unknown multiplier "0", interpreting as "0" for backwards compatibility in %s on line %d
+int(0)
+
+Warning: Invalid quantity "0k10": unknown multiplier "0", interpreting as "0" for backwards compatibility in %s on line %d
+int(0)
diff --git a/Zend/zend_ini.c b/Zend/zend_ini.c
index 86aa959f990..1aaac0ba348 100644
--- a/Zend/zend_ini.c
+++ b/Zend/zend_ini.c
@@ -547,6 +547,34 @@ typedef enum {
 	ZEND_INI_PARSE_QUANTITY_UNSIGNED,
 } zend_ini_parse_quantity_signed_result_t;
 
+static const char *zend_ini_consume_quantity_prefix(const char *const digits, const char *const str_end) {
+	const char *digits_consumed = digits;
+	/* Ignore leading whitespace. */
+	while (digits_consumed < str_end && zend_is_whitespace(*digits_consumed)) {++digits_consumed;}
+	if (digits_consumed[0] == '+' || digits_consumed[0] == '-') {
+		++digits_consumed;
+	}
+
+	if (digits_consumed[0] == '0' && !isdigit(digits_consumed[1])) {
+		/* Value is just 0 */
+		if ((digits_consumed+1) == str_end) {
+			return digits;
+		}
+
+		switch (digits_consumed[1]) {
+			case 'x':
+			case 'X':
+			case 'o':
+			case 'O':
+			case 'b':
+			case 'B':
+				digits_consumed += 2;
+				break;
+		}
+	}
+	return digits_consumed;
+}
+
 static zend_ulong zend_ini_parse_quantity_internal(zend_string *value, zend_ini_parse_quantity_signed_result_t signed_result, zend_string **errstr) /* {{{ */
 {
 	char *digits_end = NULL;
@@ -634,6 +662,18 @@ static zend_ulong zend_ini_parse_quantity_internal(zend_string *value, zend_ini_
 			smart_str_append_escaped(&invalid, ZSTR_VAL(value), ZSTR_LEN(value));
 			smart_str_0(&invalid);
 
+			*errstr = zend_strpprintf(0, "Invalid quantity \"%s\": no digits after base prefix, interpreting as \"0\" for backwards compatibility",
+							ZSTR_VAL(invalid.s));
+
+			smart_str_free(&invalid);
+			return 0;
+		}
+		if (UNEXPECTED(digits != zend_ini_consume_quantity_prefix(digits, str_end))) {
+			/* Escape the string to avoid null bytes and to make non-printable chars
+			 * visible */
+			smart_str_append_escaped(&invalid, ZSTR_VAL(value), ZSTR_LEN(value));
+			smart_str_0(&invalid);
+
 			*errstr = zend_strpprintf(0, "Invalid quantity \"%s\": no digits after base prefix, interpreting as \"0\" for backwards compatibility",
 							ZSTR_VAL(invalid.s));