author | Stanislav Malyshev <stas@php.net> | 2016-04-26 23:48:41 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-04-26 23:48:41 -0700 |
commit | e315a162da99f59e82a5272714a6f3d4d724b037 (patch) | |
tree | 7c2e9af8912bc69dd95100f25138bc190090ed7b /ext/bcmath | |
parent | 9f389cccfd5b0e0b8407d6d12a1c6b5acd3c4206 (diff) | |
parent | 61c7a06e7c19d9b408db1129efa0959a0acbf0b1 (diff) | |
download | php-git-e315a162da99f59e82a5272714a6f3d4d724b037.tar.gz |
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
Fix memory leak
Fix bug #72099: xml_parse_into_struct segmentation fault
5.5.36 now
Fix bug #72094 - Out of bounds heap read access in exif header processing
Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
Fix bug #72061 - Out-of-bounds reads in zif_grapheme_stripos with negative offset
Fix for bug #71912 (libgd: signedness vulnerability)
Typo in NEWS
Conflicts:
configure.in
main/php_version.h
Diffstat (limited to 'ext/bcmath')
-rw-r--r-- | ext/bcmath/bcmath.c | 60 | ||||
-rw-r--r-- | ext/bcmath/tests/bug72093.phpt | 13 |
2 files changed, 54 insertions, 19 deletions
diff --git a/ext/bcmath/bcmath.c b/ext/bcmath/bcmath.c index e40d302316..ea2c38e418 100644 --- a/ext/bcmath/bcmath.c +++ b/ext/bcmath/bcmath.c @@ -201,6 +201,21 @@ static void php_str2num(bc_num *num, char *str TSRMLS_DC) } /* }}} */ +/* {{{ split_bc_num + Convert to bc_num detecting scale */ +static bc_num split_bc_num(bc_num num) { + bc_num newnum; + if (num->n_refs >= 1) { + return num; + } + newnum = _bc_new_num_ex(0, 0, 0); + *newnum = *num; + newnum->n_refs = 1; + num->n_refs--; + return newnum; +} +/* }}} */ + /* {{{ proto string bcadd(string left_operand, string right_operand [, int scale]) Returns the sum of two arbitrary precision numbers */ PHP_FUNCTION(bcadd) @@ -214,7 +229,7 @@ PHP_FUNCTION(bcadd) if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { return; } - + if (argc == 3) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } @@ -225,11 +240,12 @@ PHP_FUNCTION(bcadd) php_str2num(&first, left TSRMLS_CC); php_str2num(&second, right TSRMLS_CC); bc_add (first, second, &result, scale); - + if (result->n_scale > scale) { + result = split_bc_num(result); result->n_scale = scale; } - + Z_STRVAL_P(return_value) = bc_num2str(result); Z_STRLEN_P(return_value) = strlen(Z_STRVAL_P(return_value)); Z_TYPE_P(return_value) = IS_STRING; @@ -253,7 +269,7 @@ PHP_FUNCTION(bcsub) if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { return; } - + if (argc == 3) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } @@ -266,6 +282,7 @@ PHP_FUNCTION(bcsub) bc_sub (first, second, &result, scale); if (result->n_scale > scale) { + result = split_bc_num(result); result->n_scale = scale; } 
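Review bot: In `split_bc_num` the guard `if (num->n_refs >= 1) return num;` returns the original for every referenced number, so a result that still aliases a shared constant such as `_one_` is never copied before the callers write `result->n_scale` (bcadd, bcsub, bcmul, bcdiv, bcpow, bcsqrt and bcpowmod all rely on it). The copy should be skipped only for a sole owner, i.e. `num->n_refs <= 1`. The copy path itself does `*newnum = *num`, which appears to share the digit buffer between both structs and to drop whatever `_bc_new_num_ex(0, 0, 0)` allocated, so freeing either number could leave the other dangling. The reference-count and allocator semantics are defined outside this diff and should be confirmed against libbcmath; a deep copy along the lines below would avoid both problems.

```c
static bc_num split_bc_num(bc_num num) {
	bc_num newnum;
	/* Sole owner: truncating n_scale in place cannot affect anyone else. */
	if (num->n_refs <= 1) {
		return num;
	}
	/* Shared (e.g. a global constant): take a private copy of the digits. */
	newnum = _bc_new_num_ex(num->n_len, num->n_scale, 0);
	newnum->n_sign = num->n_sign;
	memcpy(newnum->n_value, num->n_value, num->n_len + num->n_scale);
	num->n_refs--;
	return newnum;
}
```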
@@ -292,11 +309,11 @@ PHP_FUNCTION(bcmul) if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { return; } - + if (argc == 3) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } - + bc_init_num(&first TSRMLS_CC); bc_init_num(&second TSRMLS_CC); bc_init_num(&result TSRMLS_CC); @@ -305,6 +322,7 @@ PHP_FUNCTION(bcmul) bc_multiply (first, second, &result, scale TSRMLS_CC); if (result->n_scale > scale) { + result = split_bc_num(result); result->n_scale = scale; } @@ -331,11 +349,11 @@ PHP_FUNCTION(bcdiv) if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { return; } - + if (argc == 3) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } - + bc_init_num(&first TSRMLS_CC); bc_init_num(&second TSRMLS_CC); bc_init_num(&result TSRMLS_CC); @@ -345,6 +363,7 @@ PHP_FUNCTION(bcdiv) switch (bc_divide(first, second, &result, scale TSRMLS_CC)) { case 0: /* OK */ if (result->n_scale > scale) { + result = split_bc_num(result); result->n_scale = scale; } Z_STRVAL_P(return_value) = bc_num2str(result); @@ -374,13 +393,13 @@ PHP_FUNCTION(bcmod) if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &left, &left_len, &right, &right_len) == FAILURE) { return; } - + bc_init_num(&first TSRMLS_CC); bc_init_num(&second TSRMLS_CC); bc_init_num(&result TSRMLS_CC); bc_str2num(&first, left, 0 TSRMLS_CC); bc_str2num(&second, right, 0 TSRMLS_CC); - + switch (bc_modulo(first, second, &result, 0 TSRMLS_CC)) { case 0: Z_STRVAL_P(return_value) = bc_num2str(result); @@ -391,7 +410,7 @@ PHP_FUNCTION(bcmod) php_error_docref(NULL TSRMLS_CC, E_WARNING, "Division by zero"); break; } - + bc_free_num(&first); bc_free_num(&second); bc_free_num(&result); 
@@ -424,8 +443,9 @@ PHP_FUNCTION(bcpowmod) scale_int = (int) ((int)scale < 0) ? 0 : scale; if (bc_raisemod(first, second, mod, &result, scale_int TSRMLS_CC) != -1) { - if (result->n_scale > scale) { - result->n_scale = scale; + if (result->n_scale > scale_int) { + result = split_bc_num(result); + result->n_scale = scale_int; } Z_STRVAL_P(return_value) = bc_num2str(result); Z_STRLEN_P(return_value) = strlen(Z_STRVAL_P(return_value)); @@ -433,7 +453,7 @@ PHP_FUNCTION(bcpowmod) } else { RETVAL_FALSE; } - + bc_free_num(&first); bc_free_num(&second); bc_free_num(&mod); @@ -455,7 +475,7 @@ PHP_FUNCTION(bcpow) if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { return; } - + if (argc == 3) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } @@ -468,6 +488,7 @@ PHP_FUNCTION(bcpow) bc_raise (first, second, &result, scale TSRMLS_CC); if (result->n_scale > scale) { + result = split_bc_num(result); result->n_scale = scale; } @@ -494,16 +515,17 @@ PHP_FUNCTION(bcsqrt) if (zend_parse_parameters(argc TSRMLS_CC, "s|l", &left, &left_len, &scale_param) == FAILURE) { return; } - + if (argc == 2) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } bc_init_num(&result TSRMLS_CC); php_str2num(&result, left TSRMLS_CC); - + if (bc_sqrt (&result, scale TSRMLS_CC) != 0) { if (result->n_scale > scale) { + result = split_bc_num(result); result->n_scale = scale; } Z_STRVAL_P(return_value) = bc_num2str(result); @@ -531,7 +553,7 @@ PHP_FUNCTION(bccomp) if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { return; } - + if (argc == 3) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } @@ -555,7 +577,7 @@ PHP_FUNCTION(bccomp) PHP_FUNCTION(bcscale) { long new_scale; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l", &new_scale) == FAILURE) { return; } 
diff --git a/ext/bcmath/tests/bug72093.phpt b/ext/bcmath/tests/bug72093.phpt
new file mode 100644
index 0000000000..be664b8114
--- /dev/null
+++ b/ext/bcmath/tests/bug72093.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug 72093: bcpowmod accepts negative scale and corrupts _one_ definition
+--SKIPIF--
+<?php if(!extension_loaded("bcmath")) print "skip"; ?>
+--FILE--
+<?php
+var_dump(bcpowmod(1, "A", 128, -200));
+var_dump(bcpowmod(1, 1.2, 1, 1));
+?>
+--EXPECTF--
+string(1) "1"
+bc math warning: non-zero scale in exponent
+string(3) "0.0" |
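Review bot: Both cases under `--FILE--` call bcpowmod only, so the `split_bc_num` calls this commit adds to bcadd, bcsub, bcmul, bcdiv, bcpow and bcsqrt have no regression coverage here. A case where the requested scale is smaller than the operands' scale would reach the new `result->n_scale > scale` branch in one of them, for example `var_dump(bcadd("1.234", "5", 1));`, with its expected output added under `--EXPECTF--`. A further call after the negative-scale bcpowmod that goes through a different function would also show whether the shared constant survived intact.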