From 15bea9ed74dd1024cd31cfec1bd8c92d7486c4de Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Wed, 3 Jul 2024 06:39:29 +0100
Subject: [PATCH] Fix GH-14775: range overflow on negative step.

overflow occurs since we only deal with positive steps.

close GH-14778
---
 NEWS                                  |  6 +++++-
 ext/standard/array.c                  |  4 ++++
 ext/standard/tests/array/gh14775.phpt | 12 ++++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/array/gh14775.phpt

diff --git a/NEWS b/NEWS
index ac6bf6c108cc0..cb382e9c83591 100644
--- a/NEWS
+++ b/NEWS
@@ -29,7 +29,11 @@ PHP                                                                        NEWS
     (David Carlier)
 
 - Shmop:
-   . Fixed bug GH-14537 (shmop Windows 11 crashes the process). (nielsdos)
+  . Fixed bug GH-14537 (shmop Windows 11 crashes the process). (nielsdos)
+
+- Standard:
+  . Fixed bug GH-14775 (range function overflow with negative step argument).
+    (David Carlier)
 
 20 Jun 2024, PHP 8.3.9
 
diff --git a/ext/standard/array.c b/ext/standard/array.c
index 30868a47b5932..b6f78fad28611 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -2887,6 +2887,10 @@ PHP_FUNCTION(range)
 			step = Z_LVAL_P(user_step);
 			/* We only want positive step values. */
 			if (step < 0) {
+				if (UNEXPECTED(step == ZEND_LONG_MIN)) {
+					zend_argument_value_error(3, "must be greater than " ZEND_LONG_FMT, step);
+					RETURN_THROWS();
+				}
 				is_step_negative = true;
 				step *= -1;
 			}
diff --git a/ext/standard/tests/array/gh14775.phpt b/ext/standard/tests/array/gh14775.phpt
new file mode 100644
index 0000000000000..df4db76031ecb
--- /dev/null
+++ b/ext/standard/tests/array/gh14775.phpt
@@ -0,0 +1,12 @@
+--TEST--
+GH-14775: Range negative step overflow
+--FILE--
+<?php
+$var = -PHP_INT_MAX - 1;
+try {
+	range($var,1,$var);
+} catch (\ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+--EXPECTF--
+range(): Argument #3 ($step) must be greater than %s