From 1bacf9c311d5afb2ee83da2face0f90acac55283 Mon Sep 17 00:00:00 2001
From: Marc Bennewitz
Date: Sun, 16 Jul 2023 20:03:01 +0200
Subject: [PATCH 1/2] Prevent int overflow on $decimals in number_format for PHP < 8.3
---
 ext/standard/math.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/ext/standard/math.c b/ext/standard/math.c
index ad2823ea49bf6..de013d2fa4beb 100644
--- a/ext/standard/math.c
+++ b/ext/standard/math.c
@@ -1136,6 +1136,7 @@ PHP_FUNCTION(number_format)
 {
 double num;
 zend_long dec = 0;
+ int dec_int;
 char *thousand_sep = NULL, *dec_point = NULL;
 size_t thousand_sep_len = 0, dec_point_len = 0;

@@ -1156,7 +1157,17 @@ PHP_FUNCTION(number_format)
 thousand_sep_len = 1;
 }

- RETURN_STR(_php_math_number_format_ex(num, (int)dec, dec_point, dec_point_len, thousand_sep, thousand_sep_len));
+#if SIZEOF_ZEND_LONG > SIZEOF_INT
+ if (dec >= 0) {
+ dec_int = dec > INT_MAX ? INT_MAX : (int)dec;
+ } else {
+ dec_int = dec <= INT_MIN ? INT_MIN : (int)dec;
+ }
+#else
+ dec_int = dec;
+#endif
+
+ RETURN_STR(_php_math_number_format_ex(num, dec_int, dec_point, dec_point_len, thousand_sep, thousand_sep_len));
 }
 /* }}} */

From 3d779ef6cdfbb0277c18681d22c87cd16016f6bc Mon Sep 17 00:00:00 2001
From: Marc Bennewitz
Date: Wed, 19 Jul 2023 19:56:49 +0200
Subject: [PATCH 2/2] Use ZEND_LONG_INT_[UDVL|OVFL]
---
 ext/standard/math.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/ext/standard/math.c b/ext/standard/math.c
index de013d2fa4beb..341b84396447b 100644
--- a/ext/standard/math.c
+++ b/ext/standard/math.c
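Review bot: The clamp in the second hunk of patch 1/2 (`@@ -1156,7 +1157,17 @@`) fixes the narrowing at the call site only, so every out-of-range `$decimals` now reaches `_php_math_number_format_ex` as exactly `INT_MAX` or `INT_MIN`, and nothing visible here shows that the callee is safe at those extremes. Worth confirming there that length arithmetic on the precision cannot overflow at `INT_MAX` and that the value is never negated (negating `INT_MIN` is undefined in C). The diffstat lists only `ext/standard/math.c`; a regression test that makes a call such as `number_format(1.5, PHP_INT_MIN)`, plus the `PHP_INT_MAX` counterpart if it stays within the memory limit, would pin the saturating behaviour. `PHP_FUNCTION(number_format)` begins above this hunk.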
@@ -1157,15 +1157,11 @@ PHP_FUNCTION(number_format)
 thousand_sep_len = 1;
 }

-#if SIZEOF_ZEND_LONG > SIZEOF_INT
 if (dec >= 0) {
- dec_int = dec > INT_MAX ? INT_MAX : (int)dec;
+ dec_int = ZEND_LONG_INT_OVFL(dec) ? INT_MAX : (int)dec;
 } else {
- dec_int = dec <= INT_MIN ? INT_MIN : (int)dec;
+ dec_int = ZEND_LONG_INT_UDFL(dec) ? INT_MIN : (int)dec;
 }
-#else
- dec_int = dec;
-#endif

 RETURN_STR(_php_math_number_format_ex(num, dec_int, dec_point, dec_point_len, thousand_sep, thousand_sep_len));
 }
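Review bot: With the `#if SIZEOF_ZEND_LONG > SIZEOF_INT` guard removed, nothing at the clamp says why `dec` is narrowed or that out-of-range values saturate rather than raise an error. A one-line comment above `if (dec >= 0) {` would keep that intent visible, for example `/* $decimals is a zend_long but the formatter takes an int: saturate to INT_MIN/INT_MAX instead of truncating */`. The definitions of `ZEND_LONG_INT_OVFL` and `ZEND_LONG_INT_UDFL` are outside this diff, so the comment should state the saturation rather than rely on the reader knowing how they expand when both types have the same width. The function body starts above this hunk.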