From a276de4b7f542c502d5959202a38fd32495dc7d9 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Tue, 30 Sep 2025 13:37:19 +0200
Subject: [PATCH] Fix GH-20006: Power of 0 of BcMath number causes UB

---
 ext/bcmath/libbcmath/src/raise.c |  7 ++++++-
 ext/bcmath/tests/gh20006.phpt    | 16 ++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 ext/bcmath/tests/gh20006.phpt

diff --git a/ext/bcmath/libbcmath/src/raise.c b/ext/bcmath/libbcmath/src/raise.c
index 5df8130c24219..959ba924e57fd 100644
--- a/ext/bcmath/libbcmath/src/raise.c
+++ b/ext/bcmath/libbcmath/src/raise.c
@@ -193,7 +193,12 @@ bc_raise_status bc_raise(bc_num base, long exponent, bc_num *result, size_t scal
 
 	if (bc_is_zero(base)) {
 		/* If the exponent is negative, it divides by 0 */
-		return is_neg ? BC_RAISE_STATUS_DIVIDE_BY_ZERO : BC_RAISE_STATUS_OK;
+		if (is_neg) {
+			return BC_RAISE_STATUS_DIVIDE_BY_ZERO;
+		}
+		bc_free_num (result);
+		*result = bc_copy_num(BCG(_zero_));
+		return BC_RAISE_STATUS_OK;
 	}
 
 	/* check overflow */
diff --git a/ext/bcmath/tests/gh20006.phpt b/ext/bcmath/tests/gh20006.phpt
new file mode 100644
index 0000000000000..ab0db915152d3
--- /dev/null
+++ b/ext/bcmath/tests/gh20006.phpt
@@ -0,0 +1,16 @@
+--TEST--
+GH-20006 (Power of 0 of BcMath number causes crash)
+--EXTENSIONS--
+bcmath
+--FILE--
+<?php
+$n = new BcMath\Number("0");
+var_dump(pow($n, 2));
+?>
+--EXPECTF--
+object(BcMath\Number)#%d (2) {
+  ["value"]=>
+  string(1) "0"
+  ["scale"]=>
+  int(0)
+}