Fixed GH-16978: Avoid unnecessary padding with leading zeros (#16988)

Fixed an issue where leading zeros were padded beyond the allocated memory. fixes #16978 closes #16988
2024-11-29 21:28:38 +09:00
parent 8d25978d65
commit d17ed3445d
3 changed files with 17 additions and 0 deletions
--- a/4
+++ b/4
@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.4.2

+- BcMath:
+  . Fixed bug GH-16978 (Avoid unnecessary padding with leading zeros)
+    (Saki Takamachi)
+
 - Core:
  . Fixed bug GH-16344 (setRawValueWithoutLazyInitialization() and
    skipLazyInitialization() may change initialized proxy). (Arnaud)
--- a/ext/bcmath/libbcmath/src/div.c
+++ b/ext/bcmath/libbcmath/src/div.c
@ -436,6 +436,7 @@ bool bc_divide(bc_num numerator, bc_num divisor, bc_num *quot, size_t scale)
 			numerator_bottom_extension = 0;
 			numeratorend -= scale_diff > numerator_top_extension ? scale_diff - numerator_top_extension : 0;
 		}
+		numerator_top_extension = MIN(numerator_top_extension, scale);
 	} else {
 		numerator_bottom_extension += scale - numerator_scale;
 	}
--- a/ext/bcmath/tests/gh16978.phpt
+++ b/ext/bcmath/tests/gh16978.phpt
@ -0,0 +1,12 @@
+--TEST--
+GH-16978 Stack buffer overflow ext/bcmath/libbcmath/src/div.c:464:12 in bc_divide
+--EXTENSIONS--
+bcmath
+--FILE--
+<?php
+echo bcpow('10', '-112', 10) . "\n";
+echo bcdiv('1', '10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000', 1);
+?>
+--EXPECT--
+0.0000000000
+0.0