From 55e676e1811f9a3b0fefe090fa6c37245a18450e Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Tue, 4 Feb 2025 12:13:24 +0100 Subject: [PATCH] Fix GH-17503: Undefined float conversion in mb_convert_variables Conversion of floating point to integer values is undefined if the integral part of the float value cannot be represented by the integer type. We need to cater to that explicitly (in a manner similar to `zend_dval_to_lval_cap()`). Closes GH-17689. --- NEWS | 4 ++++ ext/mbstring/mbstring.c | 3 ++- ext/mbstring/tests/gh17503.phpt | 11 +++++++++++ 3 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 ext/mbstring/tests/gh17503.phpt diff --git a/NEWS b/NEWS index 963a20eedce..779a2e05523 100644 --- a/NEWS +++ b/NEWS @@ -12,6 +12,10 @@ PHP NEWS zend.exception_ignore_args=1 into account). (timwolla) . Fix fallback paths in fast_long_{add,sub}_function. (nielsdos) +- MBString: + . Fixed bug GH-17503 (Undefined float conversion in mb_convert_variables). + (cmb) + - Opcache: . Fixed bug GH-17654 (Multiple classes using same trait causes function JIT crash). (nielsdos) diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c index 2da957454a9..dbf012174c4 100644 --- a/ext/mbstring/mbstring.c +++ b/ext/mbstring/mbstring.c @@ -3092,7 +3092,8 @@ try_next_encoding:; } for (size_t i = 0; i < length; i++) { - array[i].demerits *= array[i].multiplier; + double demerits = array[i].demerits * (double) array[i].multiplier; + array[i].demerits = demerits < (double) UINT64_MAX ? (uint64_t) demerits : UINT64_MAX; } return length; diff --git a/ext/mbstring/tests/gh17503.phpt b/ext/mbstring/tests/gh17503.phpt new file mode 100644 index 00000000000..92a2cf39cb1 --- /dev/null +++ b/ext/mbstring/tests/gh17503.phpt @@ -0,0 +1,11 @@ +--TEST-- +GH-17503 (Undefined float conversion in mb_convert_variables) +--EXTENSIONS-- +mbstring +--FILE-- +"); +var_dump(mb_convert_variables("ASCII", ["UTF-8", "UTF-16"], $a)); +?> +--EXPECT-- +string(5) "UTF-8"