From e9402c6ea5f6bcb3364c25b4c04e7fb071016f97 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Wed, 25 Jun 2025 22:33:21 +0100 Subject: [PATCH] ext/posix: posix_kill() process_id range check. pid_t is, for the most part, represented by a signed int, by overflowing it, we end up being in the -1 case which affect all accessible processes. --- ext/posix/posix.c | 11 ++++++++++ ext/posix/tests/posix_kill_error.phpt | 2 +- ext/posix/tests/posix_kill_pidoverflow.phpt | 24 +++++++++++++++++++++ 3 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 ext/posix/tests/posix_kill_pidoverflow.phpt diff --git a/ext/posix/posix.c b/ext/posix/posix.c index 512776d3ced20..e5c0abead96c9 100644 --- a/ext/posix/posix.c +++ b/ext/posix/posix.c @@ -45,6 +45,12 @@ # include #endif +#if (defined(__sun) && !defined(_LP64)) || defined(_AIX) +#define POSIX_PID_MAX LONG_MAX +#else +#define POSIX_PID_MAX INT_MAX +#endif + #include "posix_arginfo.h" ZEND_DECLARE_MODULE_GLOBALS(posix) @@ -129,6 +135,11 @@ PHP_FUNCTION(posix_kill) Z_PARAM_LONG(sig) ZEND_PARSE_PARAMETERS_END(); + if (pid < -1 || pid > POSIX_PID_MAX) { + zend_argument_value_error(1, "must be between -1 and " ZEND_LONG_FMT, POSIX_PID_MAX); + RETURN_THROWS(); + } + if (kill(pid, sig) < 0) { POSIX_G(last_error) = errno; RETURN_FALSE; diff --git a/ext/posix/tests/posix_kill_error.phpt b/ext/posix/tests/posix_kill_error.phpt index c4ad7b5e8dc73..a64c0d07d7aa1 100644 --- a/ext/posix/tests/posix_kill_error.phpt +++ b/ext/posix/tests/posix_kill_error.phpt @@ -13,7 +13,7 @@ $sig = 999; var_dump( posix_kill($pid, 999) ); echo "\n-- Testing posix_kill() function with negative pid --\n"; -$pid = -999; +$pid = -1; $sig = 9; var_dump( posix_kill($pid, 999) ); diff --git a/ext/posix/tests/posix_kill_pidoverflow.phpt b/ext/posix/tests/posix_kill_pidoverflow.phpt new file mode 100644 index 0000000000000..45baf5fe6e0af --- /dev/null +++ b/ext/posix/tests/posix_kill_pidoverflow.phpt 
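Review bot: The `POSIX_PID_MAX` block hard-codes which platforms have a `pid_t` wider than `int`, and nothing in the hunk checks that assumption at build time. If a target takes the `LONG_MAX` (or `INT_MAX`) branch while its `pid_t` is narrower than that limit, a value accepted by the range check in `posix_kill` would still be truncated when it is passed to `kill()`. A compile-time size assertion in each branch (`sizeof(pid_t) >= sizeof(long)` and `sizeof(pid_t) >= sizeof(int)` respectively) would catch this, together with a comment such as `/* upper bound of pid_t; kill() receives the value narrowed to pid_t */`. Whether `<limits.h>` is included for `INT_MAX`/`LONG_MAX` is not visible in this hunk.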
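Review bot: The lower bound in `if (pid < -1 || pid > POSIX_PID_MAX)` rejects every pid below -1, but `kill()` treats those values as a process-group target, so `posix_kill(-$pgid, $sig)` now throws instead of signalling the group; the truncation described in the commit message only requires the value to fit in `pid_t`. Unless dropping process-group signalling is intended, bound the check by the type's minimum, `if (pid < POSIX_PID_MIN || pid > POSIX_PID_MAX) {`, with a `POSIX_PID_MIN` defined next to the maximum as `INT_MIN`/`LONG_MIN`, and adjust the message to match. Separately, `POSIX_PID_MAX` expands to an `int` on most platforms while `ZEND_LONG_FMT` expects a `zend_long`, so the variadic argument should be cast: `(zend_long) POSIX_PID_MAX`. The body of `posix_kill` starts and ends outside the hunk.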
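Review bot: With `$pid = -1` the negative-pid case is harmless only because the call passes the invalid signal literal `999`; -1 addresses every process the caller is allowed to signal, and `$sig = 9` sits unused on the line before the call. If the call is ever changed to use `$sig`, the test would deliver SIGKILL to the test runner's own processes. Consider dropping the unused assignment and adding a comment above the call, `// 999 is deliberately invalid: pid -1 targets all signalable processes`.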
@@ -0,0 +1,24 @@ +--TEST-- +posix_kill() with large pid +--EXTENSIONS-- +posix +--SKIPIF-- + +--FILE-- +getMessage(), PHP_EOL; +} + +try { + posix_kill(PHP_INT_MIN, SIGTERM); +} catch (\ValueError $e) { + echo $e->getMessage(), PHP_EOL; +} +?> +--EXPECTF-- +posix_kill(): Argument #1 ($process_id) must be between -1 and %d +posix_kill(): Argument #1 ($process_id) must be between -1 and %d
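Review bot: The cases here appear to use only the extreme integers (`PHP_INT_MIN` is visible; part of the file is missing from this view), so values just outside the accepted range, where an off-by-one in the bound would show, are not exercised. On a build that takes the `LONG_MAX` branch with a 64-bit `long`, `PHP_INT_MAX` would not exceed `POSIX_PID_MAX` and no `ValueError` would be raised for it; the `--SKIPIF--` body is not visible, so confirm it excludes such targets. Adding a case one above the 32-bit signed maximum on 64-bit builds would pin the boundary.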