archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 13:38:49 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.4'

Browse source 
* PHP-8.4:
  Fix GH-16411: gmp_export() can cause overflow
This commit is contained in:
Christoph M. Becker 2024-10-15 16:00:26 +02:00
commit dbdcc95c9c
No known key found for this signature in database
GPG key ID: D66C9593118BCCB6
2 changed files with 19 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

10
ext/gmp/gmp.c
View file

@ -1012,8 +1012,14 @@ ZEND_FUNCTION(gmp_export)
if (mpz_sgn(gmpnumber) == 0) { if (mpz_sgn(gmpnumber) == 0) {
RETVAL_EMPTY_STRING(); RETVAL_EMPTY_STRING();
} else { } else {
size_t bits_per_word = size * 8; ZEND_ASSERT(size > 0);
size_t count = (mpz_sizeinbase(gmpnumber, 2) + bits_per_word - 1) / bits_per_word; size_t size_in_base_2 = mpz_sizeinbase(gmpnumber, 2);
if (size > ZEND_LONG_MAX / 4 || size_in_base_2 > SIZE_MAX - (size_t) size * 8 + 1) {
zend_argument_value_error(2, "is too large for argument #1 ($num)");
RETURN_THROWS();
}
size_t bits_per_word = (size_t) size * 8;
size_t count = (size_in_base_2 + bits_per_word - 1) / bits_per_word;
zend_string *out_string = zend_string_safe_alloc(count, size, 0, 0); zend_string *out_string = zend_string_safe_alloc(count, size, 0, 0);
mpz_export(ZSTR_VAL(out_string), NULL, order, size, endian, 0, gmpnumber); mpz_export(ZSTR_VAL(out_string), NULL, order, size, endian, 0, gmpnumber);

11
ext/gmp/tests/gh16411.phpt Normal file
View file

@ -0,0 +1,11 @@
--TEST--
GH-16411 (gmp_export() can cause overflow)
--EXTENSIONS--
gmp
--FILE--
<?php
gmp_export("-9223372036854775808", PHP_INT_MAX, PHP_INT_MIN);
?>
--EXPECTF--
Fatal error: Uncaught ValueError: gmp_export(): Argument #2 ($word_size) is too large for argument #1 ($num) in %s:%d
%A