Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)

diff --git a/ext/standard/tests/strings/bug54332.phpt b/ext/standard/tests/strings/bug54332.phpt
new file mode 100644 (file)
index 0000000..122b387
--- /dev/null
+++ b/ext/standard/tests/strings/bug54332.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
+--FILE--
+<?php
+echo number_format(1e300, 2006, '', ' ') . "\n";
+?>
+--EXPECT--
+1 000 000 000 000 000 052 504 760 255 204 420 248 704 468 581 108 159 154 915 854 115 511 802 457 988 908 195 786 371 375 080 447 864 043 704 443 832 883 878 176 942 523 235 360 430 575 644 792 184 786 706 982 848 387 200 926 575 803 737 830 233 794 788 090 059 368 953 234 970 799 945 081 119 038 967 640 880 074 652 742 780 142 494 579 258 788 820 056 842 838 115 669 472 196 386 865 459 400 540 16000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

diff --git a/main/snprintf.c b/main/snprintf.c
index a1b253cfdaef2f700c4b844dcf639b380bc8fb5c..6e5a89a34cbd159b8c15b491d4973ed4d24d7c2c 100644 (file)
--- a/main/snprintf.c
+++ b/main/snprintf.c
@@ -497,8 +497,11 @@ char * ap_php_conv_p2(register u_wide_int num, register int nbits, char format,
  * NUM_BUF_SIZE is the size of the buffer used for arithmetic conversions
  *
  * XXX: this is a magic number; do not decrease it
+ * Emax = 1023
+ * NDIG = 320
+ * NUM_BUF_SIZE >= strlen("-") + Emax + strlrn(".") + NDIG + strlen("E+1023") + 1;
  */
-#define NUM_BUF_SIZE           512
+#define NUM_BUF_SIZE           2048
 
 
 /*

diff --git a/main/spprintf.c b/main/spprintf.c
index 8c90fda3780c5a1ee8473b6ab22f78016a096681..8599d890eed244e9abc68ca53c2eeba065956923 100644 (file)
--- a/main/spprintf.c
+++ b/main/spprintf.c
@@ -119,8 +119,11 @@
  * NUM_BUF_SIZE is the size of the buffer used for arithmetic conversions
  *
  * XXX: this is a magic number; do not decrease it
+ * Emax = 1023
+ * NDIG = 320
+ * NUM_BUF_SIZE >= strlen("-") + Emax + strlrn(".") + NDIG + strlen("E+1023") + 1;
  */
-#define NUM_BUF_SIZE    512
+#define NUM_BUF_SIZE           2048
 
 /*
  * The INS_CHAR macro inserts a character in the buffer.