Merge branch 'PHP-7.0' into PHP-7.1

* PHP-7.0: Fix bug #73190: memcpy negative parameter _bc_new_num_ex (cherry picked from commit af1bf873fe4fc70be17fa9f270e8f30666f2d2db)
author: Anatol Belski <ab@php.net> 2016-10-12 20:09:24 +0200
committer: Anatol Belski <ab@php.net> 2016-10-14 01:46:18 +0200
commit: a8a11b669d86ee276e0942a5a9d5aa504cf49fd3 (patch)
tree: 8cb82321b1f21f8bc5a040daab7182465a43a52a /ext/bcmath/libbcmath/src/init.c
parent: 06e7c9983a272e420e9437383ec4283607288c61 (diff)
download: php-git-a8a11b669d86ee276e0942a5a9d5aa504cf49fd3.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/ext/bcmath/libbcmath/src/init.c b/ext/bcmath/libbcmath/src/init.c
index e1aeeddf89..d3a2e580e5 100644
--- a/ext/bcmath/libbcmath/src/init.c
+++ b/ext/bcmath/libbcmath/src/init.c
@@ -49,7 +49,10 @@ _bc_new_num_ex (length, scale, persistent)
      int length, scale, persistent;
 {
   bc_num temp;
-
+  /* PHP Change:  add length check */
+  if ((size_t)length+(size_t)scale > INT_MAX) {
+   zend_error(E_ERROR, "Result too long, max is %d", INT_MAX);
+  }
   /* PHP Change:  malloc() -> pemalloc(), removed free_list code */
   temp = (bc_num) safe_pemalloc (1, sizeof(bc_struct)+length, scale, persistent);
 #if 0
author	Anatol Belski <ab@php.net>	2016-10-12 20:09:24 +0200
committer	Anatol Belski <ab@php.net>	2016-10-14 01:46:18 +0200
commit	a8a11b669d86ee276e0942a5a9d5aa504cf49fd3 (patch)
tree	8cb82321b1f21f8bc5a040daab7182465a43a52a /ext/bcmath/libbcmath/src/init.c
parent	06e7c9983a272e420e9437383ec4283607288c61 (diff)
download	php-git-a8a11b669d86ee276e0942a5a9d5aa504cf49fd3.tar.gz