From: Stanislav Malyshev <stas@php.net>
Date: Tue, 11 Oct 2016 06:42:50 +0000 (-0700)
Subject: Fix for #73240 - Write out of bounds at number_format
X-Git-Tag: php-7.1.0RC4~21^2~28
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=01280f8deb837a61237a619cffa886d7f8c31963;p=php

Fix for #73240 - Write out of bounds at number_format

(cherry picked from commit 8259130b6bc752968856b352c9e7f8e03a8c0a8e)
---

diff --git a/ext/standard/math.c b/ext/standard/math.c
index e4b1160b75..62f6ea9cb2 100644
--- a/ext/standard/math.c
+++ b/ext/standard/math.c
@@ -1151,18 +1151,14 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
 
 	/* calculate the length of the return buffer */
 	if (dp) {
-		integral = (int)(dp - ZSTR_VAL(tmpbuf));
+		integral = (dp - ZSTR_VAL(tmpbuf));
 	} else {
 		/* no decimal point was found */
-		integral = (int)ZSTR_LEN(tmpbuf);
+		integral = ZSTR_LEN(tmpbuf);
 	}
 
 	/* allow for thousand separators */
 	if (thousand_sep) {
-		if (integral + thousand_sep_len * ((integral-1) / 3) < integral) {
-			/* overflow */
-			php_error_docref(NULL, E_ERROR, "String overflow");
-		}
 		integral += thousand_sep_len * ((integral-1) / 3);
 	}
 
@@ -1172,10 +1168,6 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
 		reslen += dec;
 
 		if (dec_point) {
-			if (reslen + dec_point_len < dec_point_len) {
-				/* overflow */
-				php_error_docref(NULL, E_ERROR, "String overflow");
-			}
 			reslen += dec_point_len;
 		}
 	}
@@ -1278,6 +1270,7 @@ PHP_FUNCTION(number_format)
 		break;
 	default:
 		WRONG_PARAM_COUNT;
+		break;
 	}
 }
 /* }}} */