From 9344bf193c6e35c8706923953f3e63bb01cc05ed Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Thu, 10 May 2012 23:58:10 -0700
Subject: [PATCH] fix bug #54547
---
 Zend/tests/bug54547.phpt | 21 +++++++++++++++++++++
 Zend/zend_operators.c | 19 +++++++++++++++++--
 Zend/zend_operators.h | 24 ++++++++++++++++++++++--
 3 files changed, 60 insertions(+), 4 deletions(-)
 create mode 100644 Zend/tests/bug54547.phpt
diff --git a/Zend/tests/bug54547.phpt b/Zend/tests/bug54547.phpt
new file mode 100644
index 0000000000..452cbb8a53
--- /dev/null
+++ b/Zend/tests/bug54547.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #54547: wrong equality of string numbers near LONG_MAX with 64-bit longs
+--SKIPIF--
+"00999223372036854775807");
+--EXPECT--
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+bool(false)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index a849cccf13..8d4baa6ac8 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -2035,15 +2035,30 @@ ZEND_API int zend_binary_zval_strncasecmp(zval *s1, zval *s2, zval *s3) /* {{{ *
 ZEND_API void zendi_smart_strcmp(zval *result, zval *s1, zval *s2) /* {{{ */
 {
 int ret1, ret2;
+ int oflow1, oflow2;
 long lval1, lval2;
 double dval1, dval2;
- if ((ret1=is_numeric_string(Z_STRVAL_P(s1), Z_STRLEN_P(s1), &lval1, &dval1, 0)) &&
- (ret2=is_numeric_string(Z_STRVAL_P(s2), Z_STRLEN_P(s2), &lval2, &dval2, 0))) {
+ if ((ret1=is_numeric_string_ex(Z_STRVAL_P(s1), Z_STRLEN_P(s1), &lval1, &dval1, 0, &oflow1)) &&
+ (ret2=is_numeric_string_ex(Z_STRVAL_P(s2), Z_STRLEN_P(s2), &lval2, &dval2, 0, &oflow2))) {
+ if (oflow1 != 0 && oflow1 == oflow2 && dval1 - dval2 == 0.) {
+ /* both values are integers overflown to the same side, and the
+ * double comparison may have resulted in crucial accuracy lost */
+ goto string_cmp;
+ }
 if ((ret1==IS_DOUBLE) || (ret2==IS_DOUBLE)) {
 if (ret1!=IS_DOUBLE) {
+ if (oflow2) {
+ /* 2nd operand is integer > LONG_MAX (oflow2==1) or < LONG_MIN (-1) */
+ ZVAL_LONG(result, -1 * oflow2);
+ return;
+ }
 dval1 = (double) lval1;
 } else if (ret2!=IS_DOUBLE) {
+ if (oflow1) {
+ ZVAL_LONG(result, oflow1);
+ return;
+ }
 dval2 = (double) lval2;
 } else if (dval1 == dval2 && !zend_finite(dval1)) {
 /* Both values overflowed and have the same sign,
diff --git a/Zend/zend_operators.h b/Zend/zend_operators.h
index ebf959b25a..d28140e9e5 100644
--- a/Zend/zend_operators.h
+++ b/Zend/zend_operators.h
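Review bot: The new `goto string_cmp` shortcut in zendi_smart_strcmp fires whenever both operands overflowed to the same side and their doubles are equal, so two spellings of the same out-of-range integer (a leading `+`, leading whitespace or leading zeros) would presumably now compare as different strings. The `string_cmp` label is outside this hunk, so this depends on what it does. If that result is intended, the comment should say so, for example `/* same-side integer overflow with equal doubles: precision is gone, so compare the raw strings; equal values written differently compare unequal */`. One more line should explain why the test is `dval1 - dval2 == 0.` and not `dval1 == dval2`: the difference of two infinities is NaN, which leaves that case to the `!zend_finite(dval1)` branch further down. The function body continues past the end of the hunk.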
@@ -100,9 +100,12 @@ static zend_always_inline long zend_dval_to_lval(double d)
 * if the number was out of long range or contained a decimal point/exponent.
 * The number's value is returned into the respective pointer, *lval or *dval,
 * if that pointer is not NULL.
+ *
+ * This variant also gives information if a string that represents an integer
+ * could not be represented as such due to overflow. It writes 1 to oflow_info
+ * if the integer is larger than LONG_MAX and -1 if it's smaller than LONG_MIN.
 */
-
-static inline zend_uchar is_numeric_string(const char *str, int length, long *lval, double *dval, int allow_errors)
+static inline zend_uchar is_numeric_string_ex(const char *str, int length, long *lval, double *dval, int allow_errors, int *oflow_info)
 {
 const char *ptr;
 int base = 10, digits = 0, dp_or_e = 0;
@@ -113,6 +116,10 @@ static inline zend_uchar is_numeric_string(const char *str, int length, long *lv
 return 0;
 }
+ if (oflow_info != NULL) {
+ *oflow_info = 0;
+ }
+
 /* Skip any whitespace
 * This is much faster than the isspace() function */
 while (*str == ' ' || *str == '\t' || *str == '\n' || *str == '\r' || *str == '\v' || *str == '\f') {
@@ -165,6 +172,9 @@ check_digits:
 if (base == 10) {
 if (digits >= MAX_LENGTH_OF_LONG) {
+ if (oflow_info != NULL) {
+ *oflow_info = *str == '-' ? -1 : 1;
+ }
 dp_or_e = -1;
 goto process_double;
 }
@@ -172,6 +182,9 @@ check_digits:
 if (dval) {
 local_dval = zend_hex_strtod(str, &ptr);
 }
+ if (oflow_info != NULL) {
+ *oflow_info = 1;
+ }
 type = IS_DOUBLE;
 }
 } else if (*ptr == '.' && ZEND_IS_DIGIT(ptr[1])) {
@@ -207,6 +220,9 @@ process_double:
 if (dval) {
 *dval = zend_strtod(str, NULL);
 }
+ if (oflow_info != NULL) {
+ *oflow_info = *str == '-' ? -1 : 1;
+ }
 return IS_DOUBLE;
 }
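Review bot: In the `@@ -113,6 +116,10 @@` hunk, `*oflow_info = 0` is written only after the early `return 0;` shown just above it, so on that path the caller's variable keeps whatever it held. zendi_smart_strcmp declares `int oflow1, oflow2;` without initialisers and is safe only because it reads them after both calls have returned non-zero. Moving the three-line reset ahead of that early return would make the out-parameter defined on every return path; the start of the function is outside this hunk. The doc comment could then add `*oflow_info is set to 0 when no overflow occurred; it may be NULL`.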
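Review bot: In the `@@ -165,6 +172,9 @@` hunk the flag is set as soon as `digits >= MAX_LENGTH_OF_LONG`, before the `goto process_double`. A long digit run followed by a fraction or exponent would therefore appear to be reported as an integer overflow too, which the doc comment on is_numeric_string_ex does not describe. `process_double` lies outside the hunk, so this needs confirming. If it holds, zendi_smart_strcmp would send two such decimals that are equal as doubles to the string comparison. The hex branch in `@@ -172,6 +182,9 @@` always writes `1` while both decimal sites use `*str == '-' ? -1 : 1`; a short comment such as `/* hex input carries no sign here */` would record why, if that is the case. The repeated ternary also reads more easily as `(*str == '-') ? -1 : 1`.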
@@ -226,6 +242,10 @@ process_double:
 }
 }
+static inline zend_uchar is_numeric_string(const char *str, int length, long *lval, double *dval, int allow_errors) {
+ return is_numeric_string_ex(str, length, lval, dval, allow_errors, NULL);
+}
+
 static inline char *
 zend_memnstr(char *haystack, char *needle, int needle_len, char *end)
 {
-- 
2.40.0
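Review bot: is_numeric_string is now a wrapper with no comment of its own, because the existing doc block sits above is_numeric_string_ex and ends with the paragraph about "this variant". A one-line comment above the wrapper, such as `/* Same as is_numeric_string_ex(), without overflow reporting. */`, would keep the two entry points documented separately. The wrapper also puts its opening brace on the signature line, whereas is_numeric_string_ex in the first hunk of this file has it on a line of its own.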