author | Stanislav Malyshev <stas@php.net> | 2016-11-05 13:59:35 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-11-05 13:59:35 -0700 |
commit | f7f8aae33cdaf74ca2d360ccf24256d6afd99b39 (patch) | |
tree | 482f035296f161367dfdf769f1520364716d5118 /ext/standard/math.c | |
parent | 86ae78d7c67cf9b43dbee0033557058e5901047f (diff) | |
parent | 669763d88a8bb9707a45f0937a129b63a161d2f0 (diff) | |
download | php-git-f7f8aae33cdaf74ca2d360ccf24256d6afd99b39.tar.gz |
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
More int->size_t and string overflow fixes
Diffstat (limited to 'ext/standard/math.c')
-rw-r--r-- | ext/standard/math.c | 20 |
1 files changed, 6 insertions, 14 deletions
diff --git a/ext/standard/math.c b/ext/standard/math.c
index 83145a4dc9..231d5aa0a0 100644
--- a/ext/standard/math.c
+++ b/ext/standard/math.c
@@ -1139,19 +1139,15 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
 /* calculate the length of the return buffer */
 if (dp) {
- integral = (int)(dp - ZSTR_VAL(tmpbuf));
+ integral = (dp - ZSTR_VAL(tmpbuf));
 } else {
 /* no decimal point was found */
- integral = (int)ZSTR_LEN(tmpbuf);
+ integral = ZSTR_LEN(tmpbuf);
 }
 /* allow for thousand separators */
 if (thousand_sep) {
- if (integral + thousand_sep_len * ((integral-1) / 3) < integral) {
- /* overflow */
- php_error_docref(NULL, E_ERROR, "String overflow");
- }
- integral += thousand_sep_len * ((integral-1) / 3);
+ integral = zend_safe_addmult((integral-1)/3, thousand_sep_len, integral, "number formatting");
 }
 reslen = integral;
@@ -1160,11 +1156,7 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
 reslen += dec;
 if (dec_point) {
- if (reslen + dec_point_len < dec_point_len) {
- /* overflow */
- php_error_docref(NULL, E_ERROR, "String overflow");
- }
- reslen += dec_point_len;
+ reslen = zend_safe_addmult(reslen, 1, dec_point_len, "number formatting");
 }
 }
@@ -1182,8 +1174,8 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
 * Take care, as the sprintf implementation may return less places than
 * we requested due to internal buffer limitations */
 if (dec) {
- int declen = (int)(dp ? s - dp : 0);
- int topad = dec > declen ? dec - declen : 0;
+ size_t declen = (dp ? s - dp : 0);
+ size_t topad = dec > declen ? dec - declen : 0;
 /* pad with '0's */
 while (topad--) { |
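Review bot: In the first hunk, `(integral-1)/3` inside the `zend_safe_addmult` call wraps to a very large count if `integral` is ever 0, where the old signed expression yielded 0. This assumes `integral` is now `size_t`, as the dropped `(int)` casts suggest; its declaration is outside the hunk. Whether a zero-length integral part can reach this point is decided earlier in the function, also outside the hunk. Stating that invariant in a comment next to the call, or guarding with `if (thousand_sep && integral > 0) {`, would keep the length computation safe if the earlier check ever changes.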
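Review bot: In the second hunk, the context line `reslen += dec;` still adds without an overflow check, while only the `dec_point_len` addition below it goes through `zend_safe_addmult`. `dec` is an `int` parameter, so where `size_t` is 32 bits a large precision combined with a long separator could wrap `reslen` before the result buffer is sized (assuming `reslen` is `size_t`; its declaration is outside the hunk). Routing it through the same helper, `reslen = zend_safe_addmult(reslen, 1, (size_t)dec, "number formatting");`, would cover it, provided `dec` is already non-negative at this point. Any later increment of `reslen` outside this hunk deserves the same treatment.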
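Review bot: In the third hunk, `dec > declen` now compares the `int` parameter `dec` with a `size_t`, so `dec` is converted to unsigned; a negative value would compare as huge and give a very large `topad` for the zero-padding loop. `declen` also takes `s - dp` without the old cast, which wraps if `s` is ever below `dp`. Both rely on checks outside the hunk (`dec` clamped to non-negative, `s` at or past `dp`). Making that explicit, e.g. `size_t topad = (dec > 0 && (size_t)dec > declen) ? (size_t)dec - declen : 0;`, removes the dependency. The `while (topad--)` loop body continues past the end of the hunk.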