Skip to content

Commit

Permalink
Merge branch 'PHP-8.4'
Browse files Browse the repository at this point in the history
* PHP-8.4:
  Fixed a bug where size_t underflows (php#16696)
  Added early return case when result is 0 (php#16697)
  • Loading branch information
SakiTakamachi committed Nov 4, 2024
2 parents 173bdb2 + fd1dff9 commit f464298
Show file tree
Hide file tree
Showing 3 changed files with 176 additions and 1 deletion.
7 changes: 6 additions & 1 deletion ext/bcmath/libbcmath/src/div.c
Original file line number Diff line number Diff line change
Expand Up @@ -434,7 +434,7 @@ bool bc_divide(bc_num numerator, bc_num divisor, bc_num *quot, size_t scale)
numerator_bottom_extension -= scale_diff;
} else {
numerator_bottom_extension = 0;
numeratorend -= scale_diff - numerator_bottom_extension;
numeratorend -= scale_diff > numerator_top_extension ? scale_diff - numerator_top_extension : 0;
}
} else {
numerator_bottom_extension += scale - numerator_scale;
Expand All @@ -444,6 +444,11 @@ bool bc_divide(bc_num numerator, bc_num divisor, bc_num *quot, size_t scale)
/* Length of numerator data that can be read */
size_t numerator_readable_len = numeratorend - numeratorptr + 1;

if (divisor_len > numerator_readable_len + numerator_bottom_extension) {
*quot = bc_copy_num(BCG(_zero_));
return true;
}

/* If divisor is 1 here, return the result of adjusting the decimal point position of numerator. */
if (divisor_len == 1 && *divisorptr == 1) {
if (numerator_len == 0) {
Expand Down
158 changes: 158 additions & 0 deletions ext/bcmath/tests/gh16262.phpt
Original file line number Diff line number Diff line change
@@ -0,0 +1,158 @@
--TEST--
GH-16262 Stack buffer overflow in ext/bcmath/libbcmath/src/div.c:459
--EXTENSIONS--
bcmath
--INI--
bcmath.scale=0
--FILE--
<?php
$scales = [
null,
0,
1,
2,
3,
4,
5,
];
foreach ($scales as $scale) {
echo '========== scale: ', $scale ?? 'null', " ==========\n";
echo "1 / 1000:\n";
var_dump(
bcdiv('1', '1000', $scale),
(new BcMath\Number('1'))->div('1000', $scale),
);
echo "1 / 2000:\n";
var_dump(
bcdiv('1', '2000', $scale),
(new BcMath\Number('1'))->div('2000', $scale),
);
echo "\n";
}
?>
--EXPECT--
========== scale: null ==========
1 / 1000:
string(1) "0"
object(BcMath\Number)#2 (2) {
["value"]=>
string(5) "0.001"
["scale"]=>
int(3)
}
1 / 2000:
string(1) "0"
object(BcMath\Number)#1 (2) {
["value"]=>
string(6) "0.0005"
["scale"]=>
int(4)
}

========== scale: 0 ==========
1 / 1000:
string(1) "0"
object(BcMath\Number)#2 (2) {
["value"]=>
string(1) "0"
["scale"]=>
int(0)
}
1 / 2000:
string(1) "0"
object(BcMath\Number)#1 (2) {
["value"]=>
string(1) "0"
["scale"]=>
int(0)
}

========== scale: 1 ==========
1 / 1000:
string(3) "0.0"
object(BcMath\Number)#2 (2) {
["value"]=>
string(3) "0.0"
["scale"]=>
int(1)
}
1 / 2000:
string(3) "0.0"
object(BcMath\Number)#1 (2) {
["value"]=>
string(3) "0.0"
["scale"]=>
int(1)
}

========== scale: 2 ==========
1 / 1000:
string(4) "0.00"
object(BcMath\Number)#2 (2) {
["value"]=>
string(4) "0.00"
["scale"]=>
int(2)
}
1 / 2000:
string(4) "0.00"
object(BcMath\Number)#1 (2) {
["value"]=>
string(4) "0.00"
["scale"]=>
int(2)
}

========== scale: 3 ==========
1 / 1000:
string(5) "0.001"
object(BcMath\Number)#2 (2) {
["value"]=>
string(5) "0.001"
["scale"]=>
int(3)
}
1 / 2000:
string(5) "0.000"
object(BcMath\Number)#1 (2) {
["value"]=>
string(5) "0.000"
["scale"]=>
int(3)
}

========== scale: 4 ==========
1 / 1000:
string(6) "0.0010"
object(BcMath\Number)#2 (2) {
["value"]=>
string(6) "0.0010"
["scale"]=>
int(4)
}
1 / 2000:
string(6) "0.0005"
object(BcMath\Number)#1 (2) {
["value"]=>
string(6) "0.0005"
["scale"]=>
int(4)
}

========== scale: 5 ==========
1 / 1000:
string(7) "0.00100"
object(BcMath\Number)#2 (2) {
["value"]=>
string(7) "0.00100"
["scale"]=>
int(5)
}
1 / 2000:
string(7) "0.00050"
object(BcMath\Number)#1 (2) {
["value"]=>
string(7) "0.00050"
["scale"]=>
int(5)
}
12 changes: 12 additions & 0 deletions ext/bcmath/tests/gh16265.phpt
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
--TEST--
GH-16265 Segmentation fault (index oob) in ext/bcmath/libbcmath/src/convert.c:155
--EXTENSIONS--
bcmath
--INI--
bcmath.scale=0
--FILE--
<?php
echo bcdiv('-0.01', -12.3456789000e10, 9);
?>
--EXPECT--
0.000000000

0 comments on commit f464298

Please sign in to comment.