Fix GH-18309: ipv6 filter integer overflow

The intermediate computation can cause a signed integer overflow, but
the input is correctly rejected later on by the check on variable `n`.
Solve this by using an unsigned number.

Closes GH-18312.

Author: nielsdos

NEWS

@@ -6,6 +6,9 @@ PHP                                                                        NEWS
   . Fixed bug GH-18304 (Changing the properties of a DateInterval through
     dynamic properties triggers a SegFault). (nielsdos)
 
+- Filter:
+  . Fixed bug GH-18309 (ipv6 filter integer overflow). (nielsdos)
+
 - GD:
   . Fixed imagecrop() overflow with rect argument with x/width y/heigh usage
     in gdImageCrop(). (David Carlier)

ext/filter/logical_filters.c

@@ -762,7 +762,8 @@ static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8])
 {
 	int compressed_pos = -1;
 	int blocks = 0;
-	int num, n, i;
+	unsigned int num, n;
+	int i;
 	char *ipv4;
 	const char *end;
 	int ip4elm[4];

ext/filter/tests/gh18309.phpt

@@ -0,0 +1,10 @@
+--TEST--
+GH-18309 (ipv6 filter integer overflow)
+--EXTENSIONS--
+filter
+--FILE--
+<?php
+var_dump(filter_var('fffffffffffffffffffffffffffffffffffff::', FILTER_VALIDATE_IP, FILTER_FLAG_IPV6));
+?>
+--EXPECT--
+bool(false)