number_format: prevent integer overflow on big decimal number

marc-mabe · marc-mabe · commit 2a69a8f0a33a · 2023-07-13T22:55:51.000+02:00
diff --git a/ext/standard/math.c b/ext/standard/math.c
@@ -286,7 +286,7 @@ PHP_FUNCTION(round)
 		if (precision >= 0) {
 			places = precision > INT_MAX ? INT_MAX : (int)precision;
 		} else {
-			places = precision <= INT_MIN ? INT_MIN+1 : (int)precision;
+			places = precision <= INT_MIN ? INT_MIN : (int)precision;
 		}
 #else
 		places = precision;
@@ -1007,12 +1007,12 @@ PHP_FUNCTION(base_convert)
 /* }}} */
 
 /* {{{ _php_math_number_format */
-PHPAPI zend_string *_php_math_number_format(double d, int dec, char dec_point, char thousand_sep)
+PHPAPI zend_string *_php_math_number_format(double d, zend_long dec, char dec_point, char thousand_sep)
 {
 	return _php_math_number_format_ex(d, dec, &dec_point, 1, &thousand_sep, 1);
 }
 
-PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, const char *dec_point,
+PHPAPI zend_string *_php_math_number_format_ex(double d, zend_long dec, const char *dec_point,
 		size_t dec_point_len, const char *thousand_sep, size_t thousand_sep_len)
 {
 	zend_string *res;
@@ -1023,15 +1023,30 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, const char *de
 	size_t reslen = 0;
 	int count = 0;
 	int is_negative = 0;
+	int dec_round;
+
+	// prevent integer overflow
+#if SIZEOF_ZEND_LONG > SIZEOF_INT
+	if (dec >= 0) {
+		dec_round = dec > INT_MAX ? INT_MAX : (int)dec;
+	} else {
+		dec_round = dec <= INT_MIN ? INT_MIN : (int)dec;
+	}
+#else
+	dec_round = dec;
+#endif
 
 	if (d < 0) {
 		is_negative = 1;
 		d = -d;
 	}
 
-	d = _php_math_round(d, dec, PHP_ROUND_HALF_UP);
+	d = _php_math_round(d, dec_round, PHP_ROUND_HALF_UP);
 	dec = MAX(0, dec);
-	tmpbuf = strpprintf(0, "%.*F", dec, d);
+	dec_round = MAX(0, dec_round);
+
+	tmpbuf = strpprintf(0, "%.*F", dec_round, d);
+
 	if (tmpbuf == NULL) {
 		return NULL;
 	} else if (!isdigit((int)ZSTR_VAL(tmpbuf)[0])) {
@@ -1114,7 +1129,7 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, const char *de
 	 * separator every three digits */
 	while (s >= ZSTR_VAL(tmpbuf)) {
 		*t-- = *s--;
-		if (thousand_sep && (++count%3)==0 && s >= ZSTR_VAL(tmpbuf)) {
+		if (thousand_sep && (++count % 3) == 0 && s >= ZSTR_VAL(tmpbuf)) {
 			t -= thousand_sep_len;
 			memcpy(t + 1, thousand_sep, thousand_sep_len);
 		}
@@ -1279,7 +1294,7 @@ PHP_FUNCTION(number_format)
 			break;
 
 		case IS_DOUBLE:
-			RETURN_STR(_php_math_number_format_ex(Z_DVAL_P(num), (int)dec, dec_point, dec_point_len, thousand_sep, thousand_sep_len));
+			RETURN_STR(_php_math_number_format_ex(Z_DVAL_P(num), dec, dec_point, dec_point_len, thousand_sep, thousand_sep_len));
 			break;
 
 		EMPTY_SWITCH_DEFAULT_CASE()
diff --git a/ext/standard/php_math.h b/ext/standard/php_math.h
@@ -19,8 +19,8 @@
 #define PHP_MATH_H
 
 PHPAPI double _php_math_round(double value, int places, int mode);
-PHPAPI zend_string *_php_math_number_format(double d, int dec, char dec_point, char thousand_sep);
-PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, const char *dec_point, size_t dec_point_len, const char *thousand_sep, size_t thousand_sep_len);
+PHPAPI zend_string *_php_math_number_format(double d, zend_long dec, char dec_point, char thousand_sep);
+PHPAPI zend_string *_php_math_number_format_ex(double d, zend_long dec, const char *dec_point, size_t dec_point_len, const char *thousand_sep, size_t thousand_sep_len);
 PHPAPI zend_string *_php_math_number_format_long(zend_long num, zend_long dec, const char *dec_point, size_t dec_point_len, const char *thousand_sep, size_t thousand_sep_len);
 PHPAPI zend_string * _php_math_longtobase(zend_long arg, int base);
 PHPAPI zend_long _php_math_basetolong(zval *arg, int base);
diff --git a/ext/standard/tests/math/number_format_basiclong_64bit.phpt b/ext/standard/tests/math/number_format_basiclong_64bit.phpt
@@ -15,7 +15,7 @@ define("MIN_32Bit", -2147483647 - 1);
 $longVals = array(
     MAX_64Bit, MIN_64Bit, MAX_32Bit, MIN_32Bit, MAX_64Bit - MAX_32Bit, MIN_64Bit - MIN_32Bit,
     MAX_32Bit + 1, MIN_32Bit - 1, MAX_32Bit * 2, (MAX_32Bit * 2) + 1, (MAX_32Bit * 2) - 1,
-    MAX_64Bit -1, MIN_64Bit + 1
+    MAX_64Bit -1, MAX_64Bit + 1, MIN_64Bit + 1, MIN_64Bit - 1
 );
 
 $precisions = array(
@@ -41,7 +41,7 @@ foreach ($longVals as $longVal) {
 }
 
 ?>
---EXPECTF--
+--EXPECT--
 --- testing: int(9223372036854775807)
 ... with precision 5: string(31) "9,223,372,036,854,775,807.00000"
 ... with precision 0: string(25) "9,223,372,036,854,775,807"
@@ -52,7 +52,7 @@ foreach ($longVals as $longVal) {
 ... with precision -17: string(25) "9,200,000,000,000,000,000"
 ... with precision -19: string(26) "10,000,000,000,000,000,000"
 ... with precision -20: string(1) "0"
-... with precision %i: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
 --- testing: int(-9223372036854775808)
 ... with precision 5: string(32) "-9,223,372,036,854,775,808.00000"
 ... with precision 0: string(26) "-9,223,372,036,854,775,808"
@@ -63,7 +63,7 @@ foreach ($longVals as $longVal) {
 ... with precision -17: string(26) "-9,200,000,000,000,000,000"
 ... with precision -19: string(27) "-10,000,000,000,000,000,000"
 ... with precision -20: string(1) "0"
-... with precision %i: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
 --- testing: int(2147483647)
 ... with precision 5: string(19) "2,147,483,647.00000"
 ... with precision 0: string(13) "2,147,483,647"
@@ -74,7 +74,7 @@ foreach ($longVals as $longVal) {
 ... with precision -17: string(1) "0"
 ... with precision -19: string(1) "0"
 ... with precision -20: string(1) "0"
-... with precision %i: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
 --- testing: int(-2147483648)
 ... with precision 5: string(20) "-2,147,483,648.00000"
 ... with precision 0: string(14) "-2,147,483,648"
@@ -85,7 +85,7 @@ foreach ($longVals as $longVal) {
 ... with precision -17: string(1) "0"
 ... with precision -19: string(1) "0"
 ... with precision -20: string(1) "0"
-... with precision %i: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
 --- testing: int(9223372034707292160)
 ... with precision 5: string(31) "9,223,372,034,707,292,160.00000"
 ... with precision 0: string(25) "9,223,372,034,707,292,160"
@@ -96,7 +96,7 @@ foreach ($longVals as $longVal) {
 ... with precision -17: string(25) "9,200,000,000,000,000,000"
 ... with precision -19: string(26) "10,000,000,000,000,000,000"
 ... with precision -20: string(1) "0"
-... with precision %i: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
 --- testing: int(-9223372034707292160)
 ... with precision 5: string(32) "-9,223,372,034,707,292,160.00000"
 ... with precision 0: string(26) "-9,223,372,034,707,292,160"
@@ -107,7 +107,7 @@ foreach ($longVals as $longVal) {
 ... with precision -17: string(26) "-9,200,000,000,000,000,000"
 ... with precision -19: string(27) "-10,000,000,000,000,000,000"
 ... with precision -20: string(1) "0"
-... with precision %i: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
 --- testing: int(2147483648)
 ... with precision 5: string(19) "2,147,483,648.00000"
 ... with precision 0: string(13) "2,147,483,648"
@@ -118,7 +118,7 @@ foreach ($longVals as $longVal) {
 ... with precision -17: string(1) "0"
 ... with precision -19: string(1) "0"
 ... with precision -20: string(1) "0"
-... with precision %i: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
 --- testing: int(-2147483649)
 ... with precision 5: string(20) "-2,147,483,649.00000"
 ... with precision 0: string(14) "-2,147,483,649"
@@ -129,7 +129,7 @@ foreach ($longVals as $longVal) {
 ... with precision -17: string(1) "0"
 ... with precision -19: string(1) "0"
 ... with precision -20: string(1) "0"
-... with precision %i: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
 --- testing: int(4294967294)
 ... with precision 5: string(19) "4,294,967,294.00000"
 ... with precision 0: string(13) "4,294,967,294"
@@ -140,7 +140,7 @@ foreach ($longVals as $longVal) {
 ... with precision -17: string(1) "0"
 ... with precision -19: string(1) "0"
 ... with precision -20: string(1) "0"
-... with precision %i: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
 --- testing: int(4294967295)
 ... with precision 5: string(19) "4,294,967,295.00000"
 ... with precision 0: string(13) "4,294,967,295"
@@ -151,7 +151,7 @@ foreach ($longVals as $longVal) {
 ... with precision -17: string(1) "0"
 ... with precision -19: string(1) "0"
 ... with precision -20: string(1) "0"
-... with precision %i: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
 --- testing: int(4294967293)
 ... with precision 5: string(19) "4,294,967,293.00000"
 ... with precision 0: string(13) "4,294,967,293"
@@ -162,7 +162,7 @@ foreach ($longVals as $longVal) {
 ... with precision -17: string(1) "0"
 ... with precision -19: string(1) "0"
 ... with precision -20: string(1) "0"
-... with precision %i: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
 --- testing: int(9223372036854775806)
 ... with precision 5: string(31) "9,223,372,036,854,775,806.00000"
 ... with precision 0: string(25) "9,223,372,036,854,775,806"
@@ -173,7 +173,18 @@ foreach ($longVals as $longVal) {
 ... with precision -17: string(25) "9,200,000,000,000,000,000"
 ... with precision -19: string(26) "10,000,000,000,000,000,000"
 ... with precision -20: string(1) "0"
-... with precision %i: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
+--- testing: float(9.223372036854776E+18)
+... with precision 5: string(31) "9,223,372,036,854,775,808.00000"
+... with precision 0: string(25) "9,223,372,036,854,775,808"
+... with precision -1: string(25) "9,223,372,036,854,775,808"
+... with precision -5: string(25) "9,223,372,036,854,800,384"
+... with precision -10: string(25) "9,223,372,040,000,000,000"
+... with precision -11: string(25) "9,223,372,000,000,000,000"
+... with precision -17: string(25) "9,200,000,000,000,000,000"
+... with precision -19: string(26) "10,000,000,000,000,000,000"
+... with precision -20: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
 --- testing: int(-9223372036854775807)
 ... with precision 5: string(32) "-9,223,372,036,854,775,807.00000"
 ... with precision 0: string(26) "-9,223,372,036,854,775,807"
@@ -184,4 +195,15 @@ foreach ($longVals as $longVal) {
 ... with precision -17: string(26) "-9,200,000,000,000,000,000"
 ... with precision -19: string(27) "-10,000,000,000,000,000,000"
 ... with precision -20: string(1) "0"
-... with precision %i: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
+--- testing: float(-9.223372036854776E+18)
+... with precision 5: string(32) "-9,223,372,036,854,775,808.00000"
+... with precision 0: string(26) "-9,223,372,036,854,775,808"
+... with precision -1: string(26) "-9,223,372,036,854,775,808"
+... with precision -5: string(26) "-9,223,372,036,854,800,384"
+... with precision -10: string(26) "-9,223,372,040,000,000,000"
+... with precision -11: string(26) "-9,223,372,000,000,000,000"
+... with precision -17: string(26) "-9,200,000,000,000,000,000"
+... with precision -19: string(27) "-10,000,000,000,000,000,000"
+... with precision -20: string(1) "0"
+... with precision -9223372036854775808: string(1) "0"
diff --git a/ext/standard/tests/math/number_format_decimals.phpt b/ext/standard/tests/math/number_format_decimals.phpt
