From 3609350efb5cf6c8c1fb52b052fc4b2fbb369960 Mon Sep 17 00:00:00 2001
From: fuzzsave <0599jiangyc@gmail.com>
Date: Tue, 13 Jan 2026 21:26:44 +0530
Subject: [PATCH] Fixed negation of LONG_MIN in ext/pdo_sqlite/pdo_sqlite.c
---
 ext/pdo_sqlite/pdo_sqlite.c | 4 ++--
 ext/pdo_sqlite/tests/bug20927.phpt | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 ext/pdo_sqlite/tests/bug20927.phpt
diff --git a/ext/pdo_sqlite/pdo_sqlite.c b/ext/pdo_sqlite/pdo_sqlite.c
index 667948fea9f1f..fceeb9583ecf4 100644
--- a/ext/pdo_sqlite/pdo_sqlite.c
+++ b/ext/pdo_sqlite/pdo_sqlite.c
@@ -205,7 +205,7 @@ static int php_pdosqlite3_stream_seek(php_stream *stream, zend_off_t offset, int
 switch(whence) {
 case SEEK_CUR:
 if (offset < 0) {
- if (sqlite3_stream->position < (size_t)(-offset)) {
+ if (sqlite3_stream->position < -(size_t)(offset)) {
 sqlite3_stream->position = 0;
 *newoffs = -1;
 return -1;
@@ -243,7 +243,7 @@ static int php_pdosqlite3_stream_seek(php_stream *stream, zend_off_t offset, int
 sqlite3_stream->position = sqlite3_stream->size;
 *newoffs = -1;
 return -1;
- } else if (sqlite3_stream->size < (size_t)(-offset)) {
+ } else if (sqlite3_stream->size < -(size_t)(offset)) {
 sqlite3_stream->position = 0;
 *newoffs = -1;
 return -1;
diff --git a/ext/pdo_sqlite/tests/bug20927.phpt b/ext/pdo_sqlite/tests/bug20927.phpt
new file mode 100644
index 0000000000000..b5c139d424aa4
--- /dev/null
+++ b/ext/pdo_sqlite/tests/bug20927.phpt
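Review bot: The rewritten guard `sqlite3_stream->position < -(size_t)(offset)` in the SEEK_CUR hunk, and the matching `sqlite3_stream->size < -(size_t)(offset)` in the second hunk, relies on unsigned wraparound to get the magnitude of a negative offset, and nothing in the code says so. Because this comparison is the bounds check that keeps the blob position from going below zero, a later reader who takes the expression for a typo and restores the signed negation would bring back the undefined behaviour for the most negative offset. I would add a comment above each check, for example `/* offset is negative here: negate as size_t so the minimum zend_off_t value cannot overflow */`. Writing it as `(size_t)0 - (size_t)offset` would also make the intent explicit and keep compilers that warn about unary minus on an unsigned operand quiet. The result is the exact magnitude only if size_t is at least as wide as zend_off_t, which these hunks do not show. The body of php_pdosqlite3_stream_seek starts and ends outside both hunks.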
@@ -0,0 +1,18 @@
+--TEST--
+PDO_SQLITE: fseek() with PHP_INT_MIN on sqlite blob stream (UBSan regression test)
+--EXTENSIONS--
+pdo
+pdo_sqlite
+--FILE--
+exec('CREATE TABLE test (id STRING, data BLOB)');
+$insert_stmt = $db->prepare("INSERT INTO test (id, data) VALUES (?, ?)");
+$insert_stmt->bindValue(1, 'a', PDO::PARAM_STR);
+$insert_stmt->bindValue(2, 'TEST TEST', PDO::PARAM_LOB);
+$insert_stmt->execute();
+$stream = $db->openBlob('test', 'data', 1);
+var_dump(fseek($stream, PHP_INT_MIN, SEEK_END));
+?>
+--EXPECT--
+int(-1)
\ No newline at end of file
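Review bot: The regression test only calls `fseek($stream, PHP_INT_MIN, SEEK_END)`, so the SEEK_CUR guard that the same patch rewrites in pdo_sqlite.c has no coverage. Adding `var_dump(fseek($stream, PHP_INT_MIN, SEEK_CUR));` after the existing call, with a second `int(-1)` under `--EXPECT--`, would run both changed comparisons under UBSan. That expected value is inferred from the `return -1` visible in the SEEK_CUR hunk and should be confirmed by running the test. An ordinary out-of-range case such as `fseek($stream, -10, SEEK_END)` on the 9-byte blob would also pin that the unsigned negation still rejects a negative seek longer than the data.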