Fix for #73240 - Write out of bounds at number_format

(cherry picked from commit 8259130b6bc752968856b352c9e7f8e03a8c0a8e)

diff --git a/ext/standard/math.c b/ext/standard/math.c
index e4b1160b75b4c729d3a45097dacd5370191ec1da..62f6ea9cb260e12e2030d7a95814b71062f0bc2c 100644 (file)
--- a/ext/standard/math.c
+++ b/ext/standard/math.c
@@ -1151,18 +1151,14 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
 
        /* calculate the length of the return buffer */
        if (dp) {
-               integral = (int)(dp - ZSTR_VAL(tmpbuf));
+               integral = (dp - ZSTR_VAL(tmpbuf));
        } else {
                /* no decimal point was found */
-               integral = (int)ZSTR_LEN(tmpbuf);
+               integral = ZSTR_LEN(tmpbuf);
        }
 
        /* allow for thousand separators */
        if (thousand_sep) {
-               if (integral + thousand_sep_len * ((integral-1) / 3) < integral) {
-                       /* overflow */
-                       php_error_docref(NULL, E_ERROR, "String overflow");
-               }
                integral += thousand_sep_len * ((integral-1) / 3);
        }
 
@@ -1172,10 +1168,6 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
                reslen += dec;
 
                if (dec_point) {
-                       if (reslen + dec_point_len < dec_point_len) {
-                               /* overflow */
-                               php_error_docref(NULL, E_ERROR, "String overflow");
-                       }
                        reslen += dec_point_len;
                }
        }
@@ -1278,6 +1270,7 @@ PHP_FUNCTION(number_format)
                break;
        default:
                WRONG_PARAM_COUNT;
+               break;
        }
 }
 /* }}} */