From: Gustavo André dos Santos Lopes <cataphract@php.net>
Date: Mon, 21 Feb 2011 06:53:24 +0000 (+0000)
Subject: - Fixed bug #54055 (buffer overrun with high values for precision ini
X-Git-Tag: php-5.3.6RC2~21
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1b2d14c5e10cc024f97a257a00fbefdb3a906501;p=php

- Fixed bug #54055 (buffer overrun with high values for precision ini
  setting).
#This fix (for g/G/k/H modes) is done at a different level than that for the
#modes e/E/f/F, at a bit higher level and therefore with less coverage. I
#chose this because it addresses the problem where it is -- the calling function
#that passes a buffer too small to php_gcvt.
---

diff --git a/NEWS b/NEWS
index 0bc73ddb6b..a1a780a64e 100644
--- a/NEWS
+++ b/NEWS
@@ -34,6 +34,8 @@
     authentication using stream_context/http/header/Proxy-Authorization (Dmitry)
   . Changed default value of ini directive serialize_precision from 100 to 17.
     (Gustavo)
+  . Fixed bug #54055 (buffer overrun with high values for precision ini
+    setting). (Gustavo)
   . Fixed bug #53959 (reflection data for fgetcsv out-of-date). (Richard)
   . Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir with a
     trailing forward slash). (lekensteyn at gmail dot com, Pierre)
diff --git a/ext/standard/tests/strings/bug54055.phpt b/ext/standard/tests/strings/bug54055.phpt
new file mode 100644
index 0000000000..7124c46875
--- /dev/null
+++ b/ext/standard/tests/strings/bug54055.phpt
@@ -0,0 +1,589 @@
+--TEST--
+Bug #54055: PHP crashes when executing strval when precision setting is very high
+--FILE--
+<?php
+for($i = 495; $i <= 1074; $i++) {
+  ini_set('precision', $i);
+  echo "$i: len=", strlen(strval(-1 * pow(2, -1074))), "\n";
+}
+--EXPECT--
+495: len=502
+496: len=503
+497: len=504
+498: len=505
+499: len=506
+500: len=507
+501: len=507
+502: len=507
+503: len=507
+504: len=507
+505: len=507
+506: len=507
+507: len=507
+508: len=507
+509: len=507
+510: len=507
+511: len=507
+512: len=507
+513: len=507
+514: len=507
+515: len=507
+516: len=507
+517: len=507
+518: len=507
+519: len=507
+520: len=507
+521: len=507
+522: len=507
+523: len=507
+524: len=507
+525: len=507
+526: len=507
+527: len=507
+528: len=507
+529: len=507
+530: len=507
+531: len=507
+532: len=507
+533: len=507
+534: len=507
+535: len=507
+536: len=507
+537: len=507
+538: len=507
+539: len=507
+540: len=507
+541: len=507
+542: len=507
+543: len=507
+544: len=507
+545: len=507
+546: len=507
+547: len=507
+548: len=507
+549: len=507
+550: len=507
+551: len=507
+552: len=507
+553: len=507
+554: len=507
+555: len=507
+556: len=507
+557: len=507
+558: len=507
+559: len=507
+560: len=507
+561: len=507
+562: len=507
+563: len=507
+564: len=507
+565: len=507
+566: len=507
+567: len=507
+568: len=507
+569: len=507
+570: len=507
+571: len=507
+572: len=507
+573: len=507
+574: len=507
+575: len=507
+576: len=507
+577: len=507
+578: len=507
+579: len=507
+580: len=507
+581: len=507
+582: len=507
+583: len=507
+584: len=507
+585: len=507
+586: len=507
+587: len=507
+588: len=507
+589: len=507
+590: len=507
+591: len=507
+592: len=507
+593: len=507
+594: len=507
+595: len=507
+596: len=507
+597: len=507
+598: len=507
+599: len=507
+600: len=507
+601: len=507
+602: len=507
+603: len=507
+604: len=507
+605: len=507
+606: len=507
+607: len=507
+608: len=507
+609: len=507
+610: len=507
+611: len=507
+612: len=507
+613: len=507
+614: len=507
+615: len=507
+616: len=507
+617: len=507
+618: len=507
+619: len=507
+620: len=507
+621: len=507
+622: len=507
+623: len=507
+624: len=507
+625: len=507
+626: len=507
+627: len=507
+628: len=507
+629: len=507
+630: len=507
+631: len=507
+632: len=507
+633: len=507
+634: len=507
+635: len=507
+636: len=507
+637: len=507
+638: len=507
+639: len=507
+640: len=507
+641: len=507
+642: len=507
+643: len=507
+644: len=507
+645: len=507
+646: len=507
+647: len=507
+648: len=507
+649: len=507
+650: len=507
+651: len=507
+652: len=507
+653: len=507
+654: len=507
+655: len=507
+656: len=507
+657: len=507
+658: len=507
+659: len=507
+660: len=507
+661: len=507
+662: len=507
+663: len=507
+664: len=507
+665: len=507
+666: len=507
+667: len=507
+668: len=507
+669: len=507
+670: len=507
+671: len=507
+672: len=507
+673: len=507
+674: len=507
+675: len=507
+676: len=507
+677: len=507
+678: len=507
+679: len=507
+680: len=507
+681: len=507
+682: len=507
+683: len=507
+684: len=507
+685: len=507
+686: len=507
+687: len=507
+688: len=507
+689: len=507
+690: len=507
+691: len=507
+692: len=507
+693: len=507
+694: len=507
+695: len=507
+696: len=507
+697: len=507
+698: len=507
+699: len=507
+700: len=507
+701: len=507
+702: len=507
+703: len=507
+704: len=507
+705: len=507
+706: len=507
+707: len=507
+708: len=507
+709: len=507
+710: len=507
+711: len=507
+712: len=507
+713: len=507
+714: len=507
+715: len=507
+716: len=507
+717: len=507
+718: len=507
+719: len=507
+720: len=507
+721: len=507
+722: len=507
+723: len=507
+724: len=507
+725: len=507
+726: len=507
+727: len=507
+728: len=507
+729: len=507
+730: len=507
+731: len=507
+732: len=507
+733: len=507
+734: len=507
+735: len=507
+736: len=507
+737: len=507
+738: len=507
+739: len=507
+740: len=507
+741: len=507
+742: len=507
+743: len=507
+744: len=507
+745: len=507
+746: len=507
+747: len=507
+748: len=507
+749: len=507
+750: len=507
+751: len=507
+752: len=507
+753: len=507
+754: len=507
+755: len=507
+756: len=507
+757: len=507
+758: len=507
+759: len=507
+760: len=507
+761: len=507
+762: len=507
+763: len=507
+764: len=507
+765: len=507
+766: len=507
+767: len=507
+768: len=507
+769: len=507
+770: len=507
+771: len=507
+772: len=507
+773: len=507
+774: len=507
+775: len=507
+776: len=507
+777: len=507
+778: len=507
+779: len=507
+780: len=507
+781: len=507
+782: len=507
+783: len=507
+784: len=507
+785: len=507
+786: len=507
+787: len=507
+788: len=507
+789: len=507
+790: len=507
+791: len=507
+792: len=507
+793: len=507
+794: len=507
+795: len=507
+796: len=507
+797: len=507
+798: len=507
+799: len=507
+800: len=507
+801: len=507
+802: len=507
+803: len=507
+804: len=507
+805: len=507
+806: len=507
+807: len=507
+808: len=507
+809: len=507
+810: len=507
+811: len=507
+812: len=507
+813: len=507
+814: len=507
+815: len=507
+816: len=507
+817: len=507
+818: len=507
+819: len=507
+820: len=507
+821: len=507
+822: len=507
+823: len=507
+824: len=507
+825: len=507
+826: len=507
+827: len=507
+828: len=507
+829: len=507
+830: len=507
+831: len=507
+832: len=507
+833: len=507
+834: len=507
+835: len=507
+836: len=507
+837: len=507
+838: len=507
+839: len=507
+840: len=507
+841: len=507
+842: len=507
+843: len=507
+844: len=507
+845: len=507
+846: len=507
+847: len=507
+848: len=507
+849: len=507
+850: len=507
+851: len=507
+852: len=507
+853: len=507
+854: len=507
+855: len=507
+856: len=507
+857: len=507
+858: len=507
+859: len=507
+860: len=507
+861: len=507
+862: len=507
+863: len=507
+864: len=507
+865: len=507
+866: len=507
+867: len=507
+868: len=507
+869: len=507
+870: len=507
+871: len=507
+872: len=507
+873: len=507
+874: len=507
+875: len=507
+876: len=507
+877: len=507
+878: len=507
+879: len=507
+880: len=507
+881: len=507
+882: len=507
+883: len=507
+884: len=507
+885: len=507
+886: len=507
+887: len=507
+888: len=507
+889: len=507
+890: len=507
+891: len=507
+892: len=507
+893: len=507
+894: len=507
+895: len=507
+896: len=507
+897: len=507
+898: len=507
+899: len=507
+900: len=507
+901: len=507
+902: len=507
+903: len=507
+904: len=507
+905: len=507
+906: len=507
+907: len=507
+908: len=507
+909: len=507
+910: len=507
+911: len=507
+912: len=507
+913: len=507
+914: len=507
+915: len=507
+916: len=507
+917: len=507
+918: len=507
+919: len=507
+920: len=507
+921: len=507
+922: len=507
+923: len=507
+924: len=507
+925: len=507
+926: len=507
+927: len=507
+928: len=507
+929: len=507
+930: len=507
+931: len=507
+932: len=507
+933: len=507
+934: len=507
+935: len=507
+936: len=507
+937: len=507
+938: len=507
+939: len=507
+940: len=507
+941: len=507
+942: len=507
+943: len=507
+944: len=507
+945: len=507
+946: len=507
+947: len=507
+948: len=507
+949: len=507
+950: len=507
+951: len=507
+952: len=507
+953: len=507
+954: len=507
+955: len=507
+956: len=507
+957: len=507
+958: len=507
+959: len=507
+960: len=507
+961: len=507
+962: len=507
+963: len=507
+964: len=507
+965: len=507
+966: len=507
+967: len=507
+968: len=507
+969: len=507
+970: len=507
+971: len=507
+972: len=507
+973: len=507
+974: len=507
+975: len=507
+976: len=507
+977: len=507
+978: len=507
+979: len=507
+980: len=507
+981: len=507
+982: len=507
+983: len=507
+984: len=507
+985: len=507
+986: len=507
+987: len=507
+988: len=507
+989: len=507
+990: len=507
+991: len=507
+992: len=507
+993: len=507
+994: len=507
+995: len=507
+996: len=507
+997: len=507
+998: len=507
+999: len=507
+1000: len=507
+1001: len=507
+1002: len=507
+1003: len=507
+1004: len=507
+1005: len=507
+1006: len=507
+1007: len=507
+1008: len=507
+1009: len=507
+1010: len=507
+1011: len=507
+1012: len=507
+1013: len=507
+1014: len=507
+1015: len=507
+1016: len=507
+1017: len=507
+1018: len=507
+1019: len=507
+1020: len=507
+1021: len=507
+1022: len=507
+1023: len=507
+1024: len=507
+1025: len=507
+1026: len=507
+1027: len=507
+1028: len=507
+1029: len=507
+1030: len=507
+1031: len=507
+1032: len=507
+1033: len=507
+1034: len=507
+1035: len=507
+1036: len=507
+1037: len=507
+1038: len=507
+1039: len=507
+1040: len=507
+1041: len=507
+1042: len=507
+1043: len=507
+1044: len=507
+1045: len=507
+1046: len=507
+1047: len=507
+1048: len=507
+1049: len=507
+1050: len=507
+1051: len=507
+1052: len=507
+1053: len=507
+1054: len=507
+1055: len=507
+1056: len=507
+1057: len=507
+1058: len=507
+1059: len=507
+1060: len=507
+1061: len=507
+1062: len=507
+1063: len=507
+1064: len=507
+1065: len=507
+1066: len=507
+1067: len=507
+1068: len=507
+1069: len=507
+1070: len=507
+1071: len=507
+1072: len=507
+1073: len=507
+1074: len=507
diff --git a/main/snprintf.c b/main/snprintf.c
index a1e0b0aee7..30456dd437 100644
--- a/main/snprintf.c
+++ b/main/snprintf.c
@@ -677,10 +677,6 @@ static int format_converter(register buffy * odp, const char *fmt, va_list ap) /
 
 				/*
 				 * Check if a precision was specified
-				 *
-				 * XXX: an unreasonable amount of precision may be specified
-				 * resulting in overflow of num_buf. Currently we
-				 * ignore this possibility.
 				 */
 				if (*fmt == '.') {
 					adjust_precision = YES;
@@ -694,6 +690,10 @@ static int format_converter(register buffy * odp, const char *fmt, va_list ap) /
 							precision = 0;
 					} else
 						precision = 0;
+					
+					if (precision > FORMAT_CONV_MAX_PRECISION) {
+						precision = FORMAT_CONV_MAX_PRECISION;
+					}
 				} else
 					adjust_precision = NO;
 			} else
diff --git a/main/snprintf.h b/main/snprintf.h
index 41fed76dd1..2bf7c2c180 100644
--- a/main/snprintf.h
+++ b/main/snprintf.h
@@ -12,7 +12,7 @@
    | obtain it through the world-wide-web, please send a note to          |
    | license@php.net so we can mail you a copy immediately.               |
    +----------------------------------------------------------------------+
-   | Author: Stig Sæther Bakken <ssb@php.net>                             |
+   | Author: Stig SÃ¦ther Bakken <ssb@php.net>                             |
    |         Marcus Boerger <helly@php.net>                               |
    +----------------------------------------------------------------------+
 */
@@ -158,6 +158,17 @@ extern char * ap_php_conv_10(register wide_int num, register bool_int is_unsigne
 extern char * ap_php_conv_p2(register u_wide_int num, register int nbits,
 		 char format, char *buf_end, register int *len);
 
+/* The maximum precision that's allowed for float conversion. Does not include
+ * decimal separator, exponent, sign, terminator. Currently does not affect
+ * the modes e/f, only g/k/H, as those have a different limit enforced at
+ * another level (see NDIG in php_conv_fp()).
+ * Applies to the formatting functions of both spprintf.c and snprintf.c, which
+ * use equally sized buffers of MAX_BUF_SIZE = 512 to hold the result of the
+ * call to php_gcvt().
+ * This should be reasonably smaller than MAX_BUF_SIZE (I think MAX_BUF_SIZE - 9
+ * should be enough, but let's give some more space) */
+#define FORMAT_CONV_MAX_PRECISION 500
+
 #endif /* SNPRINTF_H */
 
 /*
diff --git a/main/spprintf.c b/main/spprintf.c
index 635d17ca17..8c90fda378 100644
--- a/main/spprintf.c
+++ b/main/spprintf.c
@@ -285,10 +285,6 @@ static void xbuf_format_converter(smart_str *xbuf, const char *fmt, va_list ap)
 
 				/*
 				 * Check if a precision was specified
-				 *
-				 * XXX: an unreasonable amount of precision may be specified
-				 * resulting in overflow of num_buf. Currently we
-				 * ignore this possibility.
 				 */
 				if (*fmt == '.') {
 					adjust_precision = YES;
@@ -302,6 +298,10 @@ static void xbuf_format_converter(smart_str *xbuf, const char *fmt, va_list ap)
 							precision = 0;
 					} else
 						precision = 0;
+					
+					if (precision > FORMAT_CONV_MAX_PRECISION) {
+						precision = FORMAT_CONV_MAX_PRECISION;
+					}
 				} else
 					adjust_precision = NO;
 			} else