Fix GH-15712: overflow on float print with precision ini large value.

When allocating enough room for floats, the allocator used overflows with large ndigits/EG(precision) value which used an signed integer to increase the size of thebuffer. Testing with the zend operator directly is enough to trigger the issue rather than higher level math interface. close GH-15715
2026-03-24 00:02:20 +01:00 · 2024-09-02 18:03:28 +01:00
parent 791a6ef19c
commit 503d9145e0
3 changed files with 16 additions and 3 deletions
--- a/4
+++ b/4
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.2.25

+- Core:
+  . Fixed bug GH-15712: zend_strtod overflow with precision INI set on
+    large value. (David Carlier)
+
 - Date:
  . Fixed bug GH-15582: Crash when not calling parent constructor of
    DateTimeZone. (Derick)
--- a/Zend/tests/gh15712.phpt
+++ b/Zend/tests/gh15712.phpt
@@ -0,0 +1,9 @@
+--TEST--
+GH-15712: overflow on real number printing
+--FILE--
+<?php
+ini_set('precision', 1100000000);
+echo  -1 * (2 ** -10);
+?>
+--EXPECTF--
+%s
--- a/Zend/zend_strtod.c
+++ b/Zend/zend_strtod.c
@@ -3613,11 +3613,11 @@ rv_alloc(i) int i;
 rv_alloc(int i)
 #endif
 {
-	int j, k, *r;
+	int k, *r;

-	j = sizeof(ULong);
+	size_t j = sizeof(ULong);
 	for(k = 0;
-		sizeof(Bigint) - sizeof(ULong) - sizeof(int) + (size_t)j <= (size_t)i;
+		sizeof(Bigint) - sizeof(ULong) - sizeof(int) + j <= (size_t)i;
 		j <<= 1)
 			k++;
 	r = (int*)Balloc(k);