Merge branch 'PHP-8.1' into PHP-8.2

* PHP-8.1: Prevent int overflow on $decimals in number_format
php · Jul 21, 2023 · 31bd628 · 31bd628
2 parents 404f1d3 + 429f20e
commit 31bd628
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 7 deletions.
diff --git a/NEWS b/NEWS
@@ -13,6 +13,9 @@ PHP                                                                        NEWS
   . Fixed bug GH-11715 (opcache.interned_strings_buffer either has no effect or
     opcache_get_status() / phpinfo() is wrong). (nielsdos)
 
+- Standard:
+  . Prevent int overflow on $decimals in number_format. (Marc Bennewitz)
+
 03 Aug 2023, PHP 8.2.9
 
 - Build:

diff --git a/ext/standard/math.c b/ext/standard/math.c
@@ -283,15 +283,11 @@ PHP_FUNCTION(round)
 	ZEND_PARSE_PARAMETERS_END();
 
 	if (ZEND_NUM_ARGS() >= 2) {
-#if SIZEOF_ZEND_LONG > SIZEOF_INT
 		if (precision >= 0) {
-			places = precision > INT_MAX ? INT_MAX : (int)precision;
+			places = ZEND_LONG_INT_OVFL(precision) ? INT_MAX : (int)precision;
 		} else {
-			places = precision <= INT_MIN ? INT_MIN+1 : (int)precision;
+			places = ZEND_LONG_INT_UDFL(precision) ? INT_MIN : (int)precision;
 		}
-#else
-		places = precision;
-#endif
 	}
 
 	switch (Z_TYPE_P(value)) {
@@ -1136,6 +1132,7 @@ PHP_FUNCTION(number_format)
 {
 	double num;
 	zend_long dec = 0;
+	int dec_int;
 	char *thousand_sep = NULL, *dec_point = NULL;
 	size_t thousand_sep_len = 0, dec_point_len = 0;
 
@@ -1156,7 +1153,13 @@ PHP_FUNCTION(number_format)
 		thousand_sep_len = 1;
 	}
 
-	RETURN_STR(_php_math_number_format_ex(num, (int)dec, dec_point, dec_point_len, thousand_sep, thousand_sep_len));
+	if (dec >= 0) {
+		dec_int = ZEND_LONG_INT_OVFL(dec) ? INT_MAX : (int)dec;
+	} else {
+		dec_int = ZEND_LONG_INT_UDFL(dec) ? INT_MIN : (int)dec;
+	}
+
+	RETURN_STR(_php_math_number_format_ex(num, dec_int, dec_point, dec_point_len, thousand_sep, thousand_sep_len));
 }
 /* }}} */