Fix phpGH-16290: session cookie_lifetime ini value overflow.

close phpGH-16295

NEWS

@@ -35,6 +35,8 @@ PHP                                                                        NEWS
 - Session:
   . Fixed bug GH-16385 (Unexpected null returned by session_set_cookie_params).
     (nielsdos)
+  . Fixed bug GH-16290 (overflow on cookie_lifetime ini value).
+    (David Carlier)
 
 - Sockets:
   . Fixed bug with overflow socket_recvfrom $length argument. (David Carlier)

ext/session/session.c

@@ -693,9 +693,18 @@ static PHP_INI_MH(OnUpdateCookieLifetime) /* {{{ */
 {
 	SESSION_CHECK_ACTIVE_STATE;
 	SESSION_CHECK_OUTPUT_STATE;
-	if (atol(ZSTR_VAL(new_value)) < 0) {
+
+#ifdef ZEND_ENABLE_ZVAL_LONG64
+	const zend_long maxcookie = ZEND_LONG_MAX - INT_MAX - 1;
+#else
+	const zend_long maxcookie = ZEND_LONG_MAX / 2 - 1;
+#endif
+	zend_long v = (zend_long)atol(ZSTR_VAL(new_value));
+	if (v < 0) {
 		php_error_docref(NULL, E_WARNING, "CookieLifetime cannot be negative");
 		return FAILURE;
+	} else if (v > maxcookie) {
+		return SUCCESS;
 	}
 	return OnUpdateLongGEZero(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
 }

ext/session/tests/gh16290.phpt

@@ -0,0 +1,13 @@
+--TEST--
+GH-16290 (overflow on session cookie_lifetime ini)
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+session_set_cookie_params(PHP_INT_MAX, '/', null, false, true);
+echo "DONE";
+?>
+--EXPECT--
+DONE

ext/session/tests/session_get_cookie_params_basic.phpt

@@ -35,7 +35,7 @@ var_dump(session_get_cookie_params());
 echo "Done";
 ob_end_flush();
 ?>
---EXPECT--
+--EXPECTF--
 *** Testing session_get_cookie_params() : basic functionality ***
 array(6) {
   ["lifetime"]=>
@@ -69,7 +69,7 @@ array(6) {
 bool(true)
 array(6) {
   ["lifetime"]=>
-  int(1234567890)
+  int(%d)
   ["path"]=>
   string(5) "/guff"
   ["domain"]=>