Patch fix-gdtoa-overflow-2.diff for Reproducible crash Bug #75208
Patch version 2017-09-14 12:28 UTC
Developer: jedisct1@php.net
commit 731c218e3ffe617d60875208524bc6d67d9a2fed
Author: Frank Denis <github@pureftpd.org>
Date: Thu Sep 14 14:07:35 2017 +0200
Check for exponent overflow in zend_strtod()
diff --git a/Zend/zend_strtod.c b/Zend/zend_strtod.c
index 3aa99f8d98..24ae50f4ce 100644
--- a/Zend/zend_strtod.c
+++ b/Zend/zend_strtod.c
@@ -192,9 +192,11 @@
#ifndef Long
#define Long int32_t
+#define Long_MAX INT32_MAX
#endif
#ifndef ULong
#define ULong uint32_t
+#define ULong_MAX UINT32_MAX
#endif
#ifdef DEBUG
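Review bot: `Long_MAX` and `ULong_MAX` are defined only inside the `#ifndef Long` and `#ifndef ULong` guards, so a build that predefines `Long` or `ULong` gets no matching limit macro. In that case the new use of `Long_MAX` in the second hunk either fails to compile or picks up a limit that may not match the actual type. Giving the limits their own guard (`#ifndef Long_MAX` / `#define Long_MAX INT32_MAX` / `#endif`) and adding a comment such as `/* must be the maximum of whatever type Long names */` would keep the type and its bound together. `ULong_MAX` is not used in the hunks shown here; unless code outside this view needs it, it could be dropped.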
@@ -2704,8 +2706,17 @@ zend_strtod
if (c > '0' && c <= '9') {
L = c - '0';
s1 = s;
- while((c = *++s) >= '0' && c <= '9')
- L = 10*L + c - '0';
+ while((c = *++s) >= '0' && c <= '9') {
+ if (y != 0 || z != 0) {
+ if (Long_MAX / 10 - (c - '0') < L) {
+ word0(&rv) = 0x7ff00000;
+ word1(&rv) = 0;
+ errno = ERANGE;
+ goto ret;
+ }
+ L = 10*L + c - '0';
+ }
+ }
if (s - s1 > 8 || L > 19999)
/* Avoid confusion from exponents
* so large that e might overflow.
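Review bot: The new overflow branch in the exponent loop always stores +Infinity (`word0(&rv) = 0x7ff00000`) and sets `ERANGE`, regardless of the exponent's sign. If a leading '-' on the exponent was parsed before this point (not visible in the hunk), a huge negative exponent would return infinity instead of underflowing to zero. The context line `if (s - s1 > 8 || L > 19999)` already clamps oversized exponents, so it should be enough to stop accumulating past that threshold and let the existing clamp handle both signs: `if (L <= 19999) L = 10*L + c - '0';`. That also removes the bound `Long_MAX / 10 - (c - '0') < L`, which is safe but stricter than the exact `(Long_MAX - (c - '0')) / 10 < L`. The `if (y != 0 || z != 0)` guard would benefit from a one-line comment saying why the exponent digits are skipped for a zero mantissa; zend_strtod's body starts and ends outside the hunk.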