From 503d9145e0b6343c45fd17132519dde478293c1a Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Mon, 2 Sep 2024 18:03:28 +0100
Subject: [PATCH] Fix GH-15712: overflow on float print with precision ini large value.

When allocating enough room for floats, the allocator used overflows with large ndigits/EG(precision) value which used an signed integer to increase the size of thebuffer. Testing with the zend operator directly is enough to trigger the issue rather than higher level math interface.

close GH-15715
---
 NEWS | 4 ++++
 Zend/tests/gh15712.phpt | 9 +++++++++
 Zend/zend_strtod.c | 6 +++---
 3 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 Zend/tests/gh15712.phpt

diff --git a/NEWS b/NEWS
index 001f5ba9cca..194e89b7e4b 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.2.25
 
+- Core:
+  . Fixed bug GH-15712: zend_strtod overflow with precision INI set on
+    large value. (David Carlier)
+
 - Date:
   . Fixed bug GH-15582: Crash when not calling parent constructor of
     DateTimeZone. (Derick)
diff --git a/Zend/tests/gh15712.phpt b/Zend/tests/gh15712.phpt
new file mode 100644
index 00000000000..7c4bd0b22ac
--- /dev/null
+++ b/Zend/tests/gh15712.phpt
@@ -0,0 +1,9 @@
+--TEST--
+GH-15712: overflow on real number printing
+--FILE--
+--EXPECTF--
+%s
diff --git a/Zend/zend_strtod.c b/Zend/zend_strtod.c
index 3e7f90378ef..eb3a94332ae 100644
--- a/Zend/zend_strtod.c
+++ b/Zend/zend_strtod.c
@@ -3613,11 +3613,11 @@ rv_alloc(i) int i;
 rv_alloc(int i)
 #endif
 {
-	int j, k, *r;
+	int k, *r;
 
-	j = sizeof(ULong);
+	size_t j = sizeof(ULong);
 	for(k = 0;
-		sizeof(Bigint) - sizeof(ULong) - sizeof(int) + (size_t)j <= (size_t)i;
+		sizeof(Bigint) - sizeof(ULong) - sizeof(int) + j <= (size_t)i;
 		j <<= 1)
 			k++;
 	r = (int*)Balloc(k);
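Review bot: The `(size_t)i` cast on the right-hand side of the loop condition still accepts a negative `i`: a negative value becomes an enormous bound, and because `j` is now unsigned the doubling eventually shifts out to 0 instead of overflowing, so the loop would never terminate and `k` would keep incrementing. If the dtoa callers that compute `i` guarantee it is at least 1 (they are outside this hunk, so I cannot confirm it here), that precondition is worth stating at the top of the body, e.g. `ZEND_ASSERT(i > 0);`. A one-line comment on the new declaration would also tell the next reader why the type changed, e.g. `/* size_t: doubling j for a large precision must not overflow (GH-15712) */`. Note too that `k` stays `int` and is forwarded to `Balloc(k)`; with `i` bounded by `int` it tops out around 30, so that is fine, but a huge precision presumably now becomes a correspondingly huge allocation request that the allocation-failure path has to absorb. rv_alloc's body continues past the end of the hunk.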