Fix bug #73190: memcpy negative parameter _bc_new_num_ex

author: Stanislav Malyshev <stas@php.net> 2016-10-03 00:09:02 -0700
committer: Stanislav Malyshev <stas@php.net> 2016-10-03 00:09:02 -0700
commit: 40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6 (patch)
tree: 19da589c716aaa5133d2572530c0eeca0ea680e5 /ext/bcmath/libbcmath
parent: da7e89cde880c66887caacd0a3eae7ecdacf9b2a (diff)
download: php-git-40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6.tar.gz
2 files changed, 5 insertions, 3 deletions
diff --git a/ext/bcmath/libbcmath/src/init.c b/ext/bcmath/libbcmath/src/init.c
index 986ad1df24..c51133be73 100644
--- a/ext/bcmath/libbcmath/src/init.c
+++ b/ext/bcmath/libbcmath/src/init.c
@@ -49,7 +49,10 @@ _bc_new_num_ex (length, scale, persistent)
      int length, scale, persistent;
 {
   bc_num temp;
-
+  /* PHP Change:  add length check */
+  if ((size_t)length+(size_t)scale > INT_MAX) {
+   zend_error(E_ERROR, "Result too long, max is %d", INT_MAX);
+  }
   /* PHP Change:  malloc() -> pemalloc(), removed free_list code */
   temp = (bc_num) safe_pemalloc (1, sizeof(bc_struct)+length, scale, persistent);
 #if 0
diff --git a/ext/bcmath/libbcmath/src/outofmem.c b/ext/bcmath/libbcmath/src/outofmem.c
index 799a32d2ae..05fa484e11 100644
--- a/ext/bcmath/libbcmath/src/outofmem.c
+++ b/ext/bcmath/libbcmath/src/outofmem.c
@@ -41,6 +41,5 @@
 
 void bc_out_of_memory (void)
 {
-  (void) fprintf (stderr, "bcmath: out of memory!\n");
-  exit (1);
+  zend_error_noreturn(E_ERROR, "bcmath: out of memory!");
 }
author	Stanislav Malyshev <stas@php.net>	2016-10-03 00:09:02 -0700
committer	Stanislav Malyshev <stas@php.net>	2016-10-03 00:09:02 -0700
commit	40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6 (patch)
tree	19da589c716aaa5133d2572530c0eeca0ea680e5 /ext/bcmath/libbcmath
parent	da7e89cde880c66887caacd0a3eae7ecdacf9b2a (diff)
download	php-git-40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6.tar.gz