Permalink
Browse files

[Security] Prevent write out of bounds at number_format

  • Loading branch information...
fredemmott committed Dec 18, 2017
1 parent 5d4df40 commit 9de2e69ef51bf40f66b4ad8b3f927f3e97ccaeb6
Showing with 9 additions and 0 deletions.
  1. +9 −0 hphp/runtime/base/zend-string.cpp
@@ -1800,6 +1800,11 @@ String string_number_format(double d, int dec,
/* allow for thousand separators */
if (!thousand_sep.empty()) {
if (integral + thousand_sep.size() * ((integral-1) / 3) < integral) {
/* overflow */
raise_error("String overflow");
}
integral += ((integral-1) / 3) * thousand_sep.size();
}
@@ -1809,6 +1814,10 @@ String string_number_format(double d, int dec,
reslen += dec;
if (!dec_point.empty()) {
if (reslen + dec_point.size() < dec_point.size()) {
/* overflow */
raise_error("String overflow");
}
reslen += dec_point.size();
}
}

0 comments on commit 9de2e69

Please sign in to comment.