Fix GH-19320: FPM uid and gid overflow

bukka · bukka · commit 91826fd5828a · 2025-07-30T20:51:01.000+02:00
Closes GH-19321
diff --git a/sapi/fpm/fpm/fpm_unix.c b/sapi/fpm/fpm/fpm_unix.c
@@ -354,7 +354,13 @@ static int fpm_unix_conf_wp(struct fpm_worker_pool_s *wp) /* {{{ */
 	if (is_root) {
 		if (wp->config->user && *wp->config->user) {
 			if (fpm_unix_is_id(wp->config->user)) {
-				wp->set_uid = strtoul(wp->config->user, 0, 10);
+				unsigned long uid_val = strtoul(wp->config->user, 0, 10);
+				if (uid_val > INT_MAX) {
+					zlog(ZLOG_ERROR, "[pool %s] invalid user ID '%s': value too large",
+					     wp->config->name, wp->config->user);
+					return -1;
+				}
+				wp->set_uid = (int)uid_val;
 				pwd = getpwuid(wp->set_uid);
 				if (pwd) {
 					wp->set_gid = pwd->pw_gid;
@@ -378,7 +384,13 @@ static int fpm_unix_conf_wp(struct fpm_worker_pool_s *wp) /* {{{ */
 
 		if (wp->config->group && *wp->config->group) {
 			if (fpm_unix_is_id(wp->config->group)) {
-				wp->set_gid = strtoul(wp->config->group, 0, 10);
+				unsigned long gid_val = strtoul(wp->config->group, 0, 10);
+				if (gid_val > INT_MAX) {
+					zlog(ZLOG_ERROR, "[pool %s] invalid group ID '%s': value too large",
+					     wp->config->name, wp->config->group);
+					return -1;
+				}
+				wp->set_gid = (int)gid_val;
 			} else {
 				struct group *grp;
 
diff --git a/sapi/fpm/tests/gh19320-user-group-overflow.phpt b/sapi/fpm/tests/gh19320-user-group-overflow.phpt
@@ -0,0 +1,58 @@
+--TEST--
+FPM: gh19320 - config test UID/GID overflow validation
+--SKIPIF--
+<?php
+include "skipif.inc";
+FPM\Tester::skipIfNotRoot();
+?>
+--FILE--
+<?php
+require_once "tester.inc";
+
+// Test with UID that exceeds INT_MAX (2147483647)
+$cfg_uid = <<<EOT
+[global]
+error_log = {{FILE:LOG}}
+[unconfined]
+listen = {{ADDR:UDS}}
+user = 2147483648
+group = root
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+EOT;
+
+$tester = new FPM\Tester($cfg_uid);
+$tester->start();
+$tester->expectLogError("\[pool unconfined\] invalid user ID '2147483648': value too large");
+
+// Test with GID that exceeds INT_MAX
+$cfg_gid = <<<EOT
+[global]
+error_log = {{FILE:LOG}}
+[unconfined]
+listen = {{ADDR:UDS}}
+user = root
+group = 4294967295
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+EOT;
+
+$tester = new FPM\Tester($cfg_gid);
+$tester->start();
+$tester->expectLogError("\[pool unconfined\] invalid group ID '4294967295': value too large");
+?>
+Done
+--EXPECT--
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>
+
