
/73240.diff Secret

Created Oct 11, 2016
Patch for 73240
commit 3b5262ec4c9a6f985f8ff1fb4a7bed18f1b48f75
Author: Stanislav Malyshev <stas@php.net>
Date: Mon Oct 10 23:42:50 2016 -0700
Fix for #73240 - Write out of bounds at number_format
diff --git a/ext/standard/math.c b/ext/standard/math.c
index ac77610..e4b1160 100644
--- a/ext/standard/math.c
+++ b/ext/standard/math.c
@@ -1123,8 +1123,8 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
zend_string *tmpbuf;
char *s, *t; /* source, target */
char *dp;
- int integral;
- int reslen = 0;
+ size_t integral;
+ size_t reslen = 0;
int count = 0;
int is_negative=0;
@@ -1159,7 +1159,11 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
/* allow for thousand separators */
if (thousand_sep) {
- integral += (int)(thousand_sep_len * ((integral-1) / 3));
+ if (integral + thousand_sep_len * ((integral-1) / 3) < integral) {
+ /* overflow */
+ php_error_docref(NULL, E_ERROR, "String overflow");
+ }
+ integral += thousand_sep_len * ((integral-1) / 3);
}
reslen = integral;
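Review bot: The new guard on `integral` can miss a wrap, because `thousand_sep_len * ((integral-1) / 3)` is evaluated first and can itself wrap, leaving a sum that is still not smaller than `integral` (most plausible on a 32-bit build, assuming `thousand_sep_len` is a `size_t`). Bounding the product by division avoids that: `size_t groups = (integral - 1) / 3;` followed by `if (groups && thousand_sep_len > (SIZE_MAX - integral) / groups)` in front of the existing error call. Now that `integral` is unsigned, `integral-1` also turns into a huge value when `integral` is 0, where the old `int` arithmetic gave 0; whether 0 can reach this line is decided outside the hunk. A one-line comment stating that `E_ERROR` is expected not to return here would explain why the `+=` right after the check is safe.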
@@ -1168,7 +1172,11 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
reslen += dec;
if (dec_point) {
- reslen += (int)dec_point_len;
+ if (reslen + dec_point_len < dec_point_len) {
+ /* overflow */
+ php_error_docref(NULL, E_ERROR, "String overflow");
+ }
+ reslen += dec_point_len;
}
}
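Review bot: `reslen += dec;` on the first line of this hunk is still unchecked, although it adds a signed `int` to the now-unsigned `reslen` right before the guarded `dec_point_len` addition. A negative `dec` would convert to a very large value, and a large positive one can wrap `reslen` on a 32-bit build once separators have already grown it. The same test style covers it: `if (reslen + (size_t)dec < reslen) { php_error_docref(NULL, E_ERROR, "String overflow"); }`. The enclosing `if` opens outside the hunk, so whether `dec` has already been clamped to a non-negative value is not visible here.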
@@ -1270,7 +1278,6 @@ PHP_FUNCTION(number_format)
break;
default:
WRONG_PARAM_COUNT;
- break;
}
}
/* }}} */