From e74e66e3f7b2774fde34d526e9ce372939d210a1 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Mon, 16 Sep 2024 12:26:48 +0100
Subject: [PATCH] Fix oss-fuzz report triggered by GH-15712 commit.

It triggered allocation overflow which, even fixed, in turn gives memory leak on 32 bits but the allocator relies on signed integers.

close GH-15915
---
 NEWS | 2 ++
 Zend/zend_strtod.c | 15 +++++++++++----
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 8d967754ee4..b9ed3187b78 100644
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,8 @@ PHP NEWS
 . Fixed bug GH-16508 (Incorrect line number in inheritance errors of delayed
 early bound classes). (ilutov)
 . Fixed bug GH-16648 (Use-after-free during array sorting). (ilutov)
+ . Fixed bug GH-15915 (overflow with a high value for precision INI).
+ (David Carlier / cmb)

 - Curl:
 . Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if
diff --git a/Zend/zend_strtod.c b/Zend/zend_strtod.c
index eb3a94332ae..38caef0b10f 100644
--- a/Zend/zend_strtod.c
+++ b/Zend/zend_strtod.c
@@ -3613,13 +3613,20 @@ rv_alloc(i) int i;
 rv_alloc(int i)
 #endif
 {
- int k, *r;
- size_t j = sizeof(ULong);
+ int j, k, *r;
+ size_t rem;
+
+ rem = sizeof(Bigint) - sizeof(ULong) - sizeof(int);
+
+
+ j = sizeof(ULong);
+ if (i > ((INT_MAX >> 2) + rem))
+ zend_error_noreturn(E_ERROR, "rv_alloc() allocation overflow %d", i);

 for(k = 0;
- sizeof(Bigint) - sizeof(ULong) - sizeof(int) + j <= (size_t)i;
- j <<= 1)
+ rem + j <= (size_t)i; j <<= 1)
 k++;
+
 r = (int*)Balloc(k);
 *r = k;
 return
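Review bot: The new guard `if (i > ((INT_MAX >> 2) + rem))` mixes the signed `int i` with a `size_t` operand, so a negative `i` is converted to a huge unsigned value and rejected as an "allocation overflow" rather than as an invalid argument, and the `>> 2` bound is an undocumented magic number. It looks like the bound is chosen so that `j` (and so `1 << k` inside Balloc(), which the commit message says works in signed int) stays below INT_MAX assuming sizeof(ULong) == 4, but nothing in the hunk states that. I would spell the check out as `if (i < 0 || (size_t)i > (INT_MAX >> 2) + rem)` and put a comment above it such as `/* Balloc() sizes the block in int arithmetic; keep the doubled j, i.e. 1 << k ULongs, below INT_MAX / sizeof(ULong) so neither this loop nor Balloc() overflows (assumes 32-bit ULong). */`. Since `j` is now a signed `int` that is left-shifted in the loop, a one-line comment noting that the bound caps it at 1 << 30 (so the shift stays defined) would stop a reader from mistaking `j <<= 1` for the overflow this patch fixes. rv_alloc's body continues past the end of the hunk, and I am assuming INT_MAX is already in scope via <limits.h>, which the hunk does not show.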