From 84a8fea2511770e8c4e8ba17e53a24d494fb35f0 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Tue, 8 Oct 2024 07:14:57 +0100
Subject: [PATCH] Fix GH-16290: session cookie_lifetime ini value overflow.

close GH-16295
---
 NEWS | 2 ++
 ext/session/session.c | 11 ++++++++++-
 ext/session/tests/gh16290.phpt | 13 +++++++++++++
 .../tests/session_get_cookie_params_basic.phpt | 4 ++--
 4 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100644 ext/session/tests/gh16290.phpt

diff --git a/NEWS b/NEWS
index 1d5015f37264a..92786aec04fcb 100644
--- a/NEWS
+++ b/NEWS
@@ -35,6 +35,8 @@ PHP NEWS
 - Session:
 . Fixed bug GH-16385 (Unexpected null returned by session_set_cookie_params).
 (nielsdos)
+ . Fixed bug GH-16290 (overflow on cookie_lifetime ini value).
+ (David Carlier)
 
 - Sockets:
 . Fixed bug with overflow socket_recvfrom $length argument. (David Carlier)
diff --git a/ext/session/session.c b/ext/session/session.c
index 0ebdf51251aa1..dd780f4afd424 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -693,9 +693,18 @@ static PHP_INI_MH(OnUpdateCookieLifetime) /* {{{ */
 {
 SESSION_CHECK_ACTIVE_STATE;
 SESSION_CHECK_OUTPUT_STATE;
- if (atol(ZSTR_VAL(new_value)) < 0) {
+
+#ifdef ZEND_ENABLE_ZVAL_LONG64
+ const zend_long maxcookie = ZEND_LONG_MAX - INT_MAX - 1;
+#else
+ const zend_long maxcookie = ZEND_LONG_MAX / 2 - 1;
+#endif
+ zend_long v = (zend_long)atol(ZSTR_VAL(new_value));
+ if (v < 0) {
 php_error_docref(NULL, E_WARNING, "CookieLifetime cannot be negative");
 return FAILURE;
+ } else if (v > maxcookie) {
+ return SUCCESS;
 }
 return OnUpdateLongGEZero(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
 }
diff --git a/ext/session/tests/gh16290.phpt b/ext/session/tests/gh16290.phpt
new file mode 100644
index 0000000000000..d341eb47471b8
--- /dev/null
+++ b/ext/session/tests/gh16290.phpt
@@ -0,0 +1,13 @@
+--TEST--
+GH-16290 (overflow on session cookie_lifetime ini)
+--EXTENSIONS--
+session
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+DONE
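Review bot: In ext/session/session.c, the new `else if (v > maxcookie)` branch of OnUpdateCookieLifetime returns `SUCCESS` without calling `OnUpdateLongGEZero`, so an over-limit `session.cookie_lifetime` is reported as accepted while the stored lifetime presumably keeps its previous value, and whoever configured it gets no signal that it was dropped. Consider handling it like the negative case, `php_error_docref(NULL, E_WARNING, "CookieLifetime value is too large"); return FAILURE;`, or at minimum add a comment explaining why the value is silently ignored. Separately, the bound is checked on the result of `atol()`, whose behaviour for out-of-range input is undefined in C and whose `long` can be narrower than `zend_long`, while the value that is actually stored is parsed again inside `OnUpdateLongGEZero`; parsing once with `zend_long v = ZEND_STRTOL(ZSTR_VAL(new_value), NULL, 10);` would keep the checked and the stored value on the same footing. A one-line comment on how `maxcookie` was chosen (presumably headroom so that adding the lifetime to the current time cannot overflow) would help the next reader.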
diff --git a/ext/session/tests/session_get_cookie_params_basic.phpt b/ext/session/tests/session_get_cookie_params_basic.phpt
index d34f7ccbf95c3..65b020d30b9ec 100644
--- a/ext/session/tests/session_get_cookie_params_basic.phpt
+++ b/ext/session/tests/session_get_cookie_params_basic.phpt
@@ -35,7 +35,7 @@ var_dump(session_get_cookie_params());
 echo "Done";
 ob_end_flush();
 ?>
---EXPECT--
+--EXPECTF--
 *** Testing session_get_cookie_params() : basic functionality ***
 array(6) {
 ["lifetime"]=>
@@ -69,7 +69,7 @@ array(6) {
 bool(true)
 array(6) {
 ["lifetime"]=>
- int(1234567890)
+ int(%d)
 ["path"]=>
 string(5) "/guff"
 ["domain"]=>
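Review bot: Replacing `int(1234567890)` with `int(%d)` in the second hunk (enabled by the `--EXPECTF--` switch in the first) makes this case pass for any integer, so the test no longer shows that the lifetime reported by session_get_cookie_params() is the one that was set. If the loosening is only needed because 1234567890 exceeds the new `ZEND_LONG_MAX / 2 - 1` cap on 32-bit builds (an inference from the session.c change, not visible in this hunk), a test value below that cap would let an exact `int(...)` expectation stay valid on every platform. The dumped array continues outside the hunk.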