- Fixed bug #54055 (buffer overrun with high values for precision ini

  setting).
#This fix (for g/G/k/H modes) is done at a different level than that for the
#modes e/E/f/F, at a bit higher level and therefore with less coverage. I
#chose this because it addresses the problem where it is -- the calling function
#that passes a buffer too small to php_gcvt.

1 files changed, 12 insertions, 1 deletions

diff --git a/main/snprintf.h b/main/snprintf.h
index 41fed76dd1..2bf7c2c180 100644
--- a/main/snprintf.h
+++ b/main/snprintf.h
@@ -12,7 +12,7 @@
    | obtain it through the world-wide-web, please send a note to          |
    | license@php.net so we can mail you a copy immediately.               |
    +----------------------------------------------------------------------+
-   | Author: Stig Sæther Bakken <ssb@php.net>                             |
+   | Author: Stig Sæther Bakken <ssb@php.net>                             |
    |         Marcus Boerger <helly@php.net>                               |
    +----------------------------------------------------------------------+
 */
@@ -158,6 +158,17 @@ extern char * ap_php_conv_10(register wide_int num, register bool_int is_unsigne
 extern char * ap_php_conv_p2(register u_wide_int num, register int nbits,
 		 char format, char *buf_end, register int *len);
 
+/* The maximum precision that's allowed for float conversion. Does not include
+ * decimal separator, exponent, sign, terminator. Currently does not affect
+ * the modes e/f, only g/k/H, as those have a different limit enforced at
+ * another level (see NDIG in php_conv_fp()).
+ * Applies to the formatting functions of both spprintf.c and snprintf.c, which
+ * use equally sized buffers of MAX_BUF_SIZE = 512 to hold the result of the
+ * call to php_gcvt().
+ * This should be reasonably smaller than MAX_BUF_SIZE (I think MAX_BUF_SIZE - 9
+ * should be enough, but let's give some more space) */
+#define FORMAT_CONV_MAX_PRECISION 500
+
 #endif /* SNPRINTF_H */
 
 /*