authorDmitry Stogov <dmitry@php.net>2011-07-11 09:47:59 +0000
committerDmitry Stogov <dmitry@php.net>2011-07-11 09:47:59 +0000
commitadb87c8d060f7300cbf64484d5fa02c8d75f13fd (patch)
tree7d7611eea2f28cabdebd54726ea5620606bb1bc2
parentb9b749b70409e26d7b2fd6d92b3e9175455a5574 (diff)
Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
-rw-r--r--ext/standard/tests/strings/bug54332.phpt8
-rw-r--r--main/snprintf.c5
-rw-r--r--main/spprintf.c5
3 files changed, 16 insertions, 2 deletions
diff --git a/ext/standard/tests/strings/bug54332.phpt b/ext/standard/tests/strings/bug54332.phpt
new file mode 100644
index 0000000000..122b387ec5
--- /dev/null
+++ b/ext/standard/tests/strings/bug54332.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
+--FILE--
+<?php
+echo number_format(1e300, 2006, '', ' ') . "\n";
+?>
+--EXPECT--
+1 000 000 000 000 000 052 504 760 255 204 420 248 704 468 581 108 159 154 915 854 115 511 802 457 988 908 195 786 371 375 080 447 864 043 704 443 832 883 878 176 942 523 235 360 430 575 644 792 184 786 706 982 848 387 200 926 575 803 737 830 233 794 788 090 059 368 953 234 970 799 945 081 119 038 967 640 880 074 652 742 780 142 494 579 258 788 820 056 842 838 115 669 472 196 386 865 459 400 540 16000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
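Review bot: The regression test pins a single input, `number_format(1e300, 2006, '', ' ')`, so it covers neither the sign character nor the largest exponent that the sizing comment in main/snprintf.c and main/spprintf.c accounts for. A second case with a negative value near the top of the double range, for example `echo number_format(-1.7976931348623157e308, 2006, '', ' ') . "\n";`, would exercise both terms. Its expected output should be generated from a fixed build rather than typed by hand. Because the expected line is more than two thousand characters long, a check on its length and leading digits would give a more readable failure than a full-string comparison.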
diff --git a/main/snprintf.c b/main/snprintf.c
index a1b253cfda..6e5a89a34c 100644
--- a/main/snprintf.c
+++ b/main/snprintf.c
@@ -497,8 +497,11 @@ char * ap_php_conv_p2(register u_wide_int num, register int nbits, char format,
* NUM_BUF_SIZE is the size of the buffer used for arithmetic conversions
*
* XXX: this is a magic number; do not decrease it
+ * Emax = 1023
+ * NDIG = 320
+ * NUM_BUF_SIZE >= strlen("-") + Emax + strlrn(".") + NDIG + strlen("E+1023") + 1;
*/
-#define NUM_BUF_SIZE 512
+#define NUM_BUF_SIZE 2048
/*
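Review bot: The comment added above `#define NUM_BUF_SIZE 2048` states the sizing bound, but nothing enforces it, and it has a typo: `strlrn(".")` should read `strlen(".")`. The stated sum works out to 1 + 1023 + 1 + 320 + 6 + 1 = 1352, so 2048 satisfies it. That bound presumably holds only if the precision reaching the conversion routines is capped at NDIG; the cap is not visible in this hunk, and the added test passes 2006 decimals. Since the bug being fixed is heap corruption, the comment should name where that clamp happens, e.g. `* precision is clamped to NDIG before conversion (see <clamp site>)`, so a later change to either side is checked against the other. The identical comment and define in the main/spprintf.c hunk have the same typo and the same unenforced bound, and two copies of the constant can drift apart.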
diff --git a/main/spprintf.c b/main/spprintf.c
index 8c90fda378..8599d890ee 100644
--- a/main/spprintf.c
+++ b/main/spprintf.c
@@ -119,8 +119,11 @@
* NUM_BUF_SIZE is the size of the buffer used for arithmetic conversions
*
* XXX: this is a magic number; do not decrease it
+ * Emax = 1023
+ * NDIG = 320
+ * NUM_BUF_SIZE >= strlen("-") + Emax + strlrn(".") + NDIG + strlen("E+1023") + 1;
*/
-#define NUM_BUF_SIZE 512
+#define NUM_BUF_SIZE 2048
/*
* The INS_CHAR macro inserts a character in the buffer.