diff options
author | Stanislav Malyshev <stas@php.net> | 2016-10-10 23:42:50 -0700 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-10-14 01:41:48 +0200 |
commit | 8e2c9024a6755c092f80b385aa7b7487efdc8acc (patch) | |
tree | 9b599ec5856cb9ab8312b7158a18b36149205021 | |
parent | 0cf880e70ccae598b7f5d303c2728d2b150c9b9a (diff) | |
download | php-git-8e2c9024a6755c092f80b385aa7b7487efdc8acc.tar.gz |
Fix for #73240 - Write out of bounds at number_format
(cherry picked from commit 8259130b6bc752968856b352c9e7f8e03a8c0a8e)
(cherry picked from commit 01280f8deb837a61237a619cffa886d7f8c31963)
-rw-r--r-- | ext/standard/math.c | 13 |
1 files changed, 3 insertions, 10 deletions
diff --git a/ext/standard/math.c b/ext/standard/math.c index 83145a4dc9..753656c56f 100644 --- a/ext/standard/math.c +++ b/ext/standard/math.c @@ -1139,18 +1139,14 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin /* calculate the length of the return buffer */ if (dp) { - integral = (int)(dp - ZSTR_VAL(tmpbuf)); + integral = (dp - ZSTR_VAL(tmpbuf)); } else { /* no decimal point was found */ - integral = (int)ZSTR_LEN(tmpbuf); + integral = ZSTR_LEN(tmpbuf); } /* allow for thousand separators */ if (thousand_sep) { - if (integral + thousand_sep_len * ((integral-1) / 3) < integral) { - /* overflow */ - php_error_docref(NULL, E_ERROR, "String overflow"); - } integral += thousand_sep_len * ((integral-1) / 3); } @@ -1160,10 +1156,6 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin reslen += dec; if (dec_point) { - if (reslen + dec_point_len < dec_point_len) { - /* overflow */ - php_error_docref(NULL, E_ERROR, "String overflow"); - } reslen += dec_point_len; } } @@ -1266,6 +1258,7 @@ PHP_FUNCTION(number_format) break; default: WRONG_PARAM_COUNT; + break; } } /* }}} */ |