From adb87c8d060f7300cbf64484d5fa02c8d75f13fd Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@php.net>
Date: Mon, 11 Jul 2011 09:47:59 +0000
Subject: Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)

---
 main/snprintf.c | 5 ++++-
 main/spprintf.c | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

(limited to 'main')

diff --git a/main/snprintf.c b/main/snprintf.c
index a1b253cfda..6e5a89a34c 100644
--- a/main/snprintf.c
+++ b/main/snprintf.c
@@ -497,8 +497,11 @@ char * ap_php_conv_p2(register u_wide_int num, register int nbits, char format,
  * NUM_BUF_SIZE is the size of the buffer used for arithmetic conversions
  *
  * XXX: this is a magic number; do not decrease it
+ * Emax = 1023
+ * NDIG = 320
+ * NUM_BUF_SIZE >= strlen("-") + Emax + strlrn(".") + NDIG + strlen("E+1023") + 1;
  */
-#define NUM_BUF_SIZE		512
+#define NUM_BUF_SIZE		2048
 
 
 /*
diff --git a/main/spprintf.c b/main/spprintf.c
index 8c90fda378..8599d890ee 100644
--- a/main/spprintf.c
+++ b/main/spprintf.c
@@ -119,8 +119,11 @@
  * NUM_BUF_SIZE is the size of the buffer used for arithmetic conversions
  *
  * XXX: this is a magic number; do not decrease it
+ * Emax = 1023
+ * NDIG = 320
+ * NUM_BUF_SIZE >= strlen("-") + Emax + strlrn(".") + NDIG + strlen("E+1023") + 1;
  */
-#define NUM_BUF_SIZE    512
+#define NUM_BUF_SIZE		2048
 
 /*
  * The INS_CHAR macro inserts a character in the buffer.
-- 
cgit v1.2.1