php · devnexen · Aug 22, 2024 · Aug 23, 2024 · Aug 23, 2024 · Aug 23, 2024
@@ -187,7 +187,12 @@ PHP_FUNCTION(curl_multi_select)
 
 	mh = Z_CURL_MULTI_P(z_mh);
 
-	error = curl_multi_wait(mh->multi, NULL, 0, (unsigned long) (timeout * 1000.0), &numfds);
+	if (!(timeout >= ((double)INT_MIN / 1000.0) && timeout <= ((double)INT_MAX / 1000.0))) {
+		php_error_docref(NULL, E_WARNING, "timeout must be between %d and %d", (INT_MIN / 1000), (INT_MAX / 1000));
+		RETURN_LONG(-1);
+	}
+
+	error = curl_multi_wait(mh->multi, NULL, 0, (int) (timeout * 1000.0), &numfds);
 	if (CURLM_OK != error) {
 		SAVE_CURLM_ERROR(mh, error);
 		RETURN_LONG(-1);

@@ -0,0 +1,19 @@
+--TEST--
+GH-15547 - overflow on timeout argument
+--EXTENSIONS--
+curl
+--FILE--
+<?php
+
+$mh = curl_multi_init();
+var_dump(curl_multi_select($mh, -2500000));
+var_dump(curl_multi_select($mh, 2500000));
+var_dump(curl_multi_select($mh, 1000000));
+?>
+--EXPECTF--
+Warning: curl_multi_select(): timeout must be between %s and %s in %s on line %d
-Warning: curl_multi_select(): timeout must be between %s and %s in %s on line %d
+Warning: curl_multi_select(): timeout must be between %d and %d in %s on line %d
-Warning: curl_multi_select(): timeout must be between %s and %s in %s on line %d
+Warning: curl_multi_select(): timeout must be between %d and %d in %s on line %d
+int(-1)
+
+Warning: curl_multi_select(): timeout must be between %s and %s in %s on line %d
+int(-1)
+int(0)