Fix GH-16290: session cookie_lifetime ini value overflow.

Author: devnexen

ext/session/session.c

@@ -40,6 +40,7 @@
 #include "ext/standard/php_var.h"
 #include "ext/date/php_date.h"
 #include "ext/standard/url_scanner_ex.h"
+#include "ext/standard/file.h"
 #include "ext/standard/info.h"
 #include "zend_smart_str.h"
 #include "ext/standard/url.h"
@@ -693,8 +694,11 @@ static PHP_INI_MH(OnUpdateCookieLifetime) /* {{{ */
 {
 	SESSION_CHECK_ACTIVE_STATE;
 	SESSION_CHECK_OUTPUT_STATE;
-	if (atol(ZSTR_VAL(new_value)) < 0) {
-		php_error_docref(NULL, E_WARNING, "CookieLifetime cannot be negative");
+
+	const zend_long maxcookie = ZEND_LONG_MAX - (PHP_TIMEOUT_ULL_MAX / 1000000);
+	zend_long v = (zend_long)atol(ZSTR_VAL(new_value));
+	if (v < 0 || v > maxcookie) {
+		php_error_docref(NULL, E_WARNING, "CookieLifetime must be between 0 and " ZEND_LONG_FMT, maxcookie);
 		return FAILURE;
 	}
 	return OnUpdateLongGEZero(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);

ext/session/tests/session_set_cookie_params_variation8.phpt

@@ -25,7 +25,7 @@ bool(true)
 string(1) "0"
 string(1) "0"
 
-Warning: session_set_cookie_params(): CookieLifetime cannot be negative in %s on line %d
+Warning: session_set_cookie_params(): CookieLifetime must be between 0 and %d in %s on line %d
 bool(false)
 string(1) "0"
 Done