Fix GH-15712: overflow on float print with precision ini large value.

devnexen · devnexen · commit 503d9145e0b6 · 2024-09-11T21:19:07.000+01:00
When allocating enough room for floats, the allocator used overflows with large ndigits/EG(precision) value which used an signed integer to increase the size of thebuffer. Testing with the zend operator directly is enough to trigger the issue rather than higher level math interface. close GH-15715
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.2.25
 
+- Core:
+  . Fixed bug GH-15712: zend_strtod overflow with precision INI set on
+    large value. (David Carlier)
+
 - Date:
   . Fixed bug GH-15582: Crash when not calling parent constructor of
     DateTimeZone. (Derick)
diff --git a/Zend/tests/gh15712.phpt b/Zend/tests/gh15712.phpt
@@ -0,0 +1,9 @@
+--TEST--
+GH-15712: overflow on real number printing
+--FILE--
+<?php
+ini_set('precision', 1100000000);
+echo  -1 * (2 ** -10);
+?>
+--EXPECTF--
+%s
diff --git a/Zend/zend_strtod.c b/Zend/zend_strtod.c
@@ -3613,11 +3613,11 @@ rv_alloc(i) int i;
 rv_alloc(int i)
 #endif
 {
-	int j, k, *r;
+	int k, *r;
 
-	j = sizeof(ULong);
+	size_t j = sizeof(ULong);
 	for(k = 0;
-		sizeof(Bigint) - sizeof(ULong) - sizeof(int) + (size_t)j <= (size_t)i;
+		sizeof(Bigint) - sizeof(ULong) - sizeof(int) + j <= (size_t)i;
 		j <<= 1)
 			k++;
 	r = (int*)Balloc(k);
