Created
November 30, 2019 11:30
-
-
Save cmb69/4796c38a08cb17aef5daaa57bcf75041 to your computer and use it in GitHub Desktop.
PHP bug #78878
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From 0943487617dcd25878163e6183e6fc2566429554 Mon Sep 17 00:00:00 2001 | |
| From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
| Date: Sat, 30 Nov 2019 12:26:37 +0100 | |
| Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub | |
| We must not rely on `isdigit()` to detect digits, since we only support | |
| decimal ASCII digits in the following processing. | |
| --- | |
| ext/bcmath/libbcmath/src/str2num.c | 4 ++-- | |
| ext/bcmath/tests/bug78878.phpt | 13 +++++++++++++ | |
| 2 files changed, 15 insertions(+), 2 deletions(-) | |
| create mode 100644 ext/bcmath/tests/bug78878.phpt | |
| diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c | |
| index f38d341570..03aec15930 100644 | |
| --- a/ext/bcmath/libbcmath/src/str2num.c | |
| +++ b/ext/bcmath/libbcmath/src/str2num.c | |
| @@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale) | |
| zero_int = FALSE; | |
| if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */ | |
| while (*ptr == '0') ptr++; /* Skip leading zeros. */ | |
| - while (isdigit((int)*ptr)) ptr++, digits++; /* digits */ | |
| + while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */ | |
| if (*ptr == '.') ptr++; /* decimal point */ | |
| - while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */ | |
| + while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */ | |
| if ((*ptr != '\0') || (digits+strscale == 0)) | |
| { | |
| *num = bc_copy_num (BCG(_zero_)); | |
| diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt | |
| new file mode 100644 | |
| index 0000000000..2c9d72b946 | |
| --- /dev/null | |
| +++ b/ext/bcmath/tests/bug78878.phpt | |
| @@ -0,0 +1,13 @@ | |
| +--TEST-- | |
| +Bug #78878 (Buffer underflow in bc_shift_addsub) | |
| +--SKIPIF-- | |
| +<?php | |
| +if (!extension_loaded('bcmath')) die('skip bcmath extension not available'); | |
| +?> | |
| +--FILE-- | |
| +<?php | |
| +print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4)); | |
| +?> | |
| +--EXPECT-- | |
| +bc math warning: non-zero scale in modulus | |
| +0 | |
| -- | |
| 2.24.0.windows.1 | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ext/bcmath/tests/bug78878.phpt | 1 - | |
| 1 file changed, 1 deletion(-) | |
| diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt | |
| index 2c9d72b946..066d411c90 100644 | |
| --- a/ext/bcmath/tests/bug78878.phpt | |
| +++ b/ext/bcmath/tests/bug78878.phpt | |
| @@ -9,5 +9,4 @@ if (!extension_loaded('bcmath')) die('skip bcmath extension not available'); | |
| print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4)); | |
| ?> | |
| --EXPECT-- | |
| -bc math warning: non-zero scale in modulus | |
| 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment