-rw-r--r-- | ext/standard/math.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/ext/standard/math.c b/ext/standard/math.c
index 62f6ea9cb2..e4b1160b75 100644
--- a/ext/standard/math.c
+++ b/ext/standard/math.c
@@ -1151,14 +1151,18 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
 /* calculate the length of the return buffer */
 if (dp) {
- integral = (dp - ZSTR_VAL(tmpbuf));
+ integral = (int)(dp - ZSTR_VAL(tmpbuf));
 } else {
 /* no decimal point was found */
- integral = ZSTR_LEN(tmpbuf);
+ integral = (int)ZSTR_LEN(tmpbuf);
 }
 /* allow for thousand separators */
 if (thousand_sep) {
+ if (integral + thousand_sep_len * ((integral-1) / 3) < integral) {
+ /* overflow */
+ php_error_docref(NULL, E_ERROR, "String overflow");
+ }
 integral += thousand_sep_len * ((integral-1) / 3);
 }
@@ -1168,6 +1172,10 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
 reslen += dec;
 if (dec_point) {
+ if (reslen + dec_point_len < dec_point_len) {
+ /* overflow */
+ php_error_docref(NULL, E_ERROR, "String overflow");
+ }
 reslen += dec_point_len;
 }
 }
@@ -1270,7 +1278,6 @@ PHP_FUNCTION(number_format)
 break;
 default:
 WRONG_PARAM_COUNT;
- break;
 }
 }
 /* }}} */
|
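Review bot: The guard added before `integral += thousand_sep_len * ((integral-1) / 3)` tests for wraparound after the sum has been computed, which does not reliably detect it. The new `(int)` casts suggest `integral` is an `int`; if `thousand_sep_len` is also signed the overflow is undefined behaviour and the compiler may drop the comparison, and if it is a `size_t` the sum is checked at `size_t` width but silently truncated when stored back into `integral`. A wrap in the multiplication alone is not caught by `< integral` either. Bounding the operands before the arithmetic avoids all three, e.g. `int groups = (integral - 1) / 3;` followed by `if (groups > 0 && thousand_sep_len > (INT_MAX - integral) / groups)` in front of the error call; the `reslen + dec_point_len < dec_point_len` test in the second hunk has the same after-the-fact shape. The declarations sit outside the hunk, so the operand types should be confirmed before choosing the limit.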
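Review bot: `reslen += dec;` at the top of this hunk is still unguarded, so a large `dec` can push `reslen` out of range before the new `dec_point_len` test ever runs. If `reslen` goes on to size the result allocation, which is not visible here, a wrapped value would produce a buffer smaller than the data written into it. A check ahead of that addition, for example `if (dec > INT_MAX - reslen) { php_error_docref(NULL, E_ERROR, "String overflow"); }` assuming `reslen` is an `int` and `dec` has already been clamped to be non-negative, would cover the remaining term. The function body starts and ends outside the hunk, so any earlier clamping of `dec` should be checked first.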