Skip to content

Commit 89ddd96

Browse files
committed
Fix GH-15712: overflow on float print with precision ini large value.
When allocating enough room for floats, the allocator used overflows with large ndigits/EG(precision) value which used an signed integer to increase the size of thebuffer. Testing with the zend operator directly is enough to trigger the issue rather than higher level math interface.
1 parent 57f9041 commit 89ddd96

File tree

2 files changed

+12
-3
lines changed

2 files changed

+12
-3
lines changed

Zend/tests/gh15712.phpt

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
--TEST--
2+
GH-15712: overflow on real number printing
3+
--FILE--
4+
<?php
5+
ini_set('precision', 1100000000);
6+
echo -1 * (2 ** -10);
7+
?>
8+
--EXPECTF--
9+
%s

Zend/zend_strtod.c

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3613,11 +3613,11 @@ rv_alloc(i) int i;
36133613
rv_alloc(int i)
36143614
#endif
36153615
{
3616-
int j, k, *r;
3616+
int k, *r;
36173617

3618-
j = sizeof(ULong);
3618+
size_t j = sizeof(ULong);
36193619
for(k = 0;
3620-
sizeof(Bigint) - sizeof(ULong) - sizeof(int) + (size_t)j <= (size_t)i;
3620+
sizeof(Bigint) - sizeof(ULong) - sizeof(int) + j <= (size_t)i;
36213621
j <<= 1)
36223622
k++;
36233623
r = (int*)Balloc(k);

0 commit comments

Comments
 (0)