Patch fix-gdtoa-overflow-2.diff revision 2017-09-14 12:28 UTC by jedisct1@php.net
Patch fix-gdtoa-overflow.diff revision 2017-09-14 12:12 UTC by jedisct1@php.net

Patch fix-gdtoa-overflow.diff for Reproducible crash Bug #75208

Patch version 2017-09-14 12:12 UTC

Patch Revisions:

Developer: jedisct1@php.net

commit 737b717d51a7a4e566cf8d093988b972faa6e6f7
Author: Frank Denis <github@pureftpd.org>
Date:   Thu Sep 14 14:07:35 2017 +0200

    Check for exponent overflow in zend_strtod()

diff --git a/Zend/zend_strtod.c b/Zend/zend_strtod.c
index 3aa99f8d98..f01c3ca363 100644
--- a/Zend/zend_strtod.c
+++ b/Zend/zend_strtod.c
@@ -192,9 +192,11 @@
 
 #ifndef Long
 #define Long int32_t
+#define Long_MAX INT32_MAX
 #endif
 #ifndef ULong
 #define ULong uint32_t
+#define ULong_MAX UINT32_MAX
 #endif
 
 #ifdef DEBUG
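Review bot: `Long_MAX` and `ULong_MAX` are defined only inside the `#ifndef Long` / `#ifndef ULong` blocks, so a build that supplies its own `Long` reaches the new check in zend_strtod() with `Long_MAX` undefined and fails to compile, or pairs a different-width `Long` with no matching limit. Give the limits their own guard placed after the type blocks, e.g. `#ifndef Long_MAX` / `#define Long_MAX INT32_MAX` / `#endif`. `ULong_MAX` is not used in either visible hunk; if nothing outside them needs it, it can be dropped.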
@@ -2704,8 +2706,15 @@ zend_strtod
 			if (c > '0' && c <= '9') {
 				L = c - '0';
 				s1 = s;
-				while((c = *++s) >= '0' && c <= '9')
+				while((c = *++s) >= '0' && c <= '9') {
+					if (Long_MAX / 10 - (c - '0') < L) {
+						word0(&rv) = 0x7ff00000;
+						word1(&rv) = 0;
+						errno = ERANGE;
+						goto ret;
+					}
 					L = 10*L + c - '0';
+				}
 				if (s - s1 > 8 || L > 19999)
 					/* Avoid confusion from exponents
 					 * so large that e might overflow.
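Review bot: The new early exit inside the digit loop always stores +Infinity (`0x7ff00000`) and jumps to `ret`, without looking at the exponent's sign or the mantissa, so an input with a huge negative exponent, or a zero mantissa with a huge exponent, would presumably return infinity with ERANGE instead of 0; the sign handling and the `ret` label lie outside this hunk, so this is inferred rather than visible here. The jump also leaves `s` in the middle of the digit run, which may leave the caller's end pointer short of the full number. The clamp directly below the loop (`s - s1 > 8 || L > 19999`) already handles oversized exponents, so it is enough to keep consuming digits but stop accumulating past that bound: `if (L <= 19999) L = 10*L + c - '0';`. That keeps `10*L` far below `Long_MAX`, removes the signed overflow, and lets the existing path choose between overflow and underflow.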
 