From: Stanislav Malyshev
Date: Tue, 11 Oct 2016 06:42:50 +0000 (-0700)
Subject: Fix for #73240 - Write out of bounds at number_format
X-Git-Tag: php-7.0.12~21
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3b5262ec4c9a6f985f8ff1fb4a7bed18f1b48f75;p=php

Fix for #73240 - Write out of bounds at number_format
---

diff --git a/ext/standard/math.c b/ext/standard/math.c
index ac776104b5..e4b1160b75 100644
--- a/ext/standard/math.c
+++ b/ext/standard/math.c
@@ -1123,8 +1123,8 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
 zend_string *tmpbuf;
 char *s, *t; /* source, target */
 char *dp;
- int integral;
- int reslen = 0;
+ size_t integral;
+ size_t reslen = 0;
 int count = 0;
 int is_negative=0;
 
@@ -1159,7 +1159,11 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
 
 /* allow for thousand separators */
 if (thousand_sep) {
- integral += (int)(thousand_sep_len * ((integral-1) / 3));
+ if (integral + thousand_sep_len * ((integral-1) / 3) < integral) {
+ /* overflow */
+ php_error_docref(NULL, E_ERROR, "String overflow");
+ }
+ integral += thousand_sep_len * ((integral-1) / 3);
 }
 
 reslen = integral;
@@ -1168,7 +1172,11 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
 reslen += dec;
 
 if (dec_point) {
- reslen += (int)dec_point_len;
+ if (reslen + dec_point_len < dec_point_len) {
+ /* overflow */
+ php_error_docref(NULL, E_ERROR, "String overflow");
+ }
+ reslen += dec_point_len;
 }
 }
 
@@ -1270,7 +1278,6 @@ PHP_FUNCTION(number_format)
 break;
 default:
 WRONG_PARAM_COUNT;
- break;
 }
 }
 /* }}} */
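Review bot: Switching `integral` and `reslen` to `size_t` in the declarations of `_php_math_number_format_ex` (first hunk) makes every later subtraction on them unsigned, so `(integral-1) / 3` in the second hunk now yields a very large value instead of 0 if `integral` is ever 0. Whether `integral` can be 0 is decided by code outside the visible hunks, so the invariant is worth confirming and recording at the declaration, for example `size_t integral; /* always >= 1: tmpbuf holds at least one digit (confirm) */`. Assignments to these variables are not shown in this diff; any `(int)` casts left on them should be checked against the new type. The function body continues outside the hunk.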
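Review bot: The new guard in the `if (thousand_sep)` block (second hunk) catches wrap-around of the addition but not of the product: `thousand_sep_len * ((integral-1) / 3)` is evaluated in `size_t` first and can itself wrap, after which the sum may still compare `>= integral` and the check passes with a length that is too small. Testing by division avoids this, e.g. `if (thousand_sep_len && (integral-1) / 3 > (SIZE_MAX - integral) / thousand_sep_len) {` in place of the current condition. The block also relies on `php_error_docref(NULL, E_ERROR, ...)` not returning, since execution would otherwise fall through to the `integral +=` line; a comment such as `/* E_ERROR is fatal: does not return */` would make that assumption explicit. The enclosing function starts and ends outside this hunk.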
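Review bot: In the third hunk the context line `reslen += dec;` still adds an `int` to the now-unsigned `reslen` without any overflow check, while only the `dec_point_len` addition directly below it gained one. If `reslen` is later used as an allocation or copy length (that code is outside the diff), this leaves the same class of wrap-around the commit is closing, most plausibly on 32-bit builds. It also assumes `dec` was clamped to a non-negative value earlier, which is not visible here. A matching guard before the addition, `if (reslen + (size_t)dec < reslen) { php_error_docref(NULL, E_ERROR, "String overflow"); }`, would make the three length computations consistent.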