author | Nikita Popov <nikita.ppv@gmail.com> | 2019-03-14 17:24:50 +0100 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2019-03-14 17:24:50 +0100 |
commit | e7d40afb7a7984174eb132a14b7a6621c8e76258 (patch) | |
tree | 267eab6db563e12db6dd5e9e82387fbfcdad9a63 /ext/bcmath/libbcmath/src | |
parent | c7920aba3e1892accca7cd13ef5b8a8fbf48b5c2 (diff) | |
download | php-git-e7d40afb7a7984174eb132a14b7a6621c8e76258.tar.gz |
Fixed bug #77742
By avoiding integer overflow in the implementation entirely. The
multiplication was already explicitly checked for overflow, so also
add a check for the addition and remove the overflow checks after
the calculation.
Diffstat (limited to 'ext/bcmath/libbcmath/src')
-rw-r--r-- | ext/bcmath/libbcmath/src/num2long.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/ext/bcmath/libbcmath/src/num2long.c b/ext/bcmath/libbcmath/src/num2long.c
index 81e82a6fac..228f6645a2 100644
--- a/ext/bcmath/libbcmath/src/num2long.c
+++ b/ext/bcmath/libbcmath/src/num2long.c
@@ -54,12 +54,19 @@ bc_num2long (num)
 /* Extract the int value, ignore the fraction. */
 val = 0;
 nptr = num->n_value;
- for (index=num->n_len; (index>0) && (val<=(LONG_MAX/BASE)); index--)
- val = val*BASE + *nptr++;
+ for (index = num->n_len; index > 0; index--) {
+ char n = *nptr++;
 
- /* Check for overflow. If overflow, return zero. */
- if (index>0) val = 0;
- if (val < 0) val = 0;
+ if (val > LONG_MAX/BASE) {
+ return 0;
+ }
+ val *= BASE;
+
+ if (val > LONG_MAX - n) {
+ return 0;
+ }
+ val += n;
+ }
 
 /* Return the value. */
 if (num->n_sign == PLUS) |
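Review bot: The two early `return 0;` exits in the new loop are undocumented, because the commit removes the old "Check for overflow" comment without replacing it, so nothing at the exits says that 0 is the overflow sentinel and that a caller cannot tell it from a genuine zero. I would add `/* Overflow: return zero; callers cannot distinguish this from a real 0. */` above the first check. Separately, `val > LONG_MAX - n` is only free of signed overflow when `n` is non-negative; plain `char` may be signed, and the invariant that `n_value` holds digits in 0..BASE-1 is not visible in this hunk, so `unsigned char n = *nptr++;` would make the guard self-contained. bc_num2long starts and ends outside the hunk, so the sign handling after the loop was not reviewed.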