author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-11-30 12:26:37 +0100 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2019-12-16 00:05:03 -0800 |
commit | eb23c6008753b1cdc5359dead3a096dce46c9018 (patch) | |
tree | 2beb2368f539e79b4e1965c3b5d5cddbe7938dae /ext/bcmath | |
parent | b771a18133bdfd95ce36932e5b83a724f17a1427 (diff) | |
Fix #78878: Buffer underflow in bc_shift_addsub
We must not rely on `isdigit()` to detect digits, since we only support
decimal ASCII digits in the following processing.
Diffstat (limited to 'ext/bcmath')
-rw-r--r-- | ext/bcmath/libbcmath/src/str2num.c | 4 | ||||
-rw-r--r-- | ext/bcmath/tests/bug78878.phpt | 13 |
2 files changed, 15 insertions, 2 deletions
diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c
index f38d341570..03aec15930 100644
--- a/ext/bcmath/libbcmath/src/str2num.c
+++ b/ext/bcmath/libbcmath/src/str2num.c
@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale)
 zero_int = FALSE;
 if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */
 while (*ptr == '0') ptr++; /* Skip leading zeros. */
- while (isdigit((int)*ptr)) ptr++, digits++; /* digits */
+ while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */
 if (*ptr == '.') ptr++; /* decimal point */
- while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */
+ while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */
 if ((*ptr != '\0') || (digits+strscale == 0))
 {
 *num = bc_copy_num (BCG(_zero_));
diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
new file mode 100644
index 0000000000..2c9d72b946
--- /dev/null
+++ b/ext/bcmath/tests/bug78878.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #78878 (Buffer underflow in bc_shift_addsub)
+--SKIPIF--
+<?php
+if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
+?>
+--FILE--
+<?php
+print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
+?>
+--EXPECT--
+bc math warning: non-zero scale in modulus
+0 |
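Review bot: Both rewritten loops keep the bare `/* digits */` comment, so nothing at the site records why `isdigit()` was dropped, and a later cleanup could quietly put it back. With a plain `char`, a byte that has the high bit set can reach `isdigit()` as a negative value, which the C standard leaves undefined, and the answer for such bytes can vary with the C library's locale tables, while the commit message says the following processing supports only decimal ASCII digits. I would add a comment above the first loop such as `/* ASCII digits only: isdigit() is locale-dependent and undefined for negative char values */`. The body of bc_str2num starts and ends outside the hunk, so the later digit-to-value conversion and any remaining `isdigit()` callers in bcmath are worth checking for the same assumption.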
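Review bot: The regression input has its non-ASCII byte only at the start of the integer part, so the second rewritten loop in str2num.c (the fractional digits, `strscale++`) is not exercised by this test. A second case with such a byte after the decimal point, again expecting a zero result, would cover that branch. Whether the pre-fix code accepted `\xB2` as a digit probably depended on the platform's ctype tables, so this test may pass on some systems even without the fix; a one-line comment in the `--FILE--` section saying so would help whoever later triages a platform-specific failure.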