cataphract Mon, 21 Feb 2011 06:53:24 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=308525
Log: - Fixed bug #54055 (buffer overrun with high values for precision ini setting). #This fix (for g/G/k/H modes) is done at a different level than that for the #modes e/E/f/F, at a bit higher level and therefore with less coverage. I #chose this because it addresses the problem where it is -- the calling function #that passes a buffer too small to php_gcvt. Bug: http://bugs.php.net/54055 (Open) PHP crashes when executing strval when `precision' setting is very high Changed paths: U php/php-src/branches/PHP_5_3/NEWS A php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug54055.phpt U php/php-src/branches/PHP_5_3/main/snprintf.c U php/php-src/branches/PHP_5_3/main/snprintf.h U php/php-src/branches/PHP_5_3/main/spprintf.c A php/php-src/trunk/ext/standard/tests/strings/bug54055.phpt U php/php-src/trunk/main/snprintf.c U php/php-src/trunk/main/snprintf.h U php/php-src/trunk/main/spprintf.c
Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2011-02-21 06:22:00 UTC (rev 308524) +++ php/php-src/branches/PHP_5_3/NEWS 2011-02-21 06:53:24 UTC (rev 308525) @@ -34,6 +34,8 @@ authentication using stream_context/http/header/Proxy-Authorization (Dmitry) . Changed default value of ini directive serialize_precision from 100 to 17. (Gustavo) + . Fixed bug #54055 (buffer overrun with high values for precision ini + setting). (Gustavo) . Fixed bug #53959 (reflection data for fgetcsv out-of-date). (Richard) . Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir with a trailing forward slash). (lekensteyn at gmail dot com, Pierre) Added: php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug54055.phpt =================================================================== --- php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug54055.phpt (rev 0) +++ php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug54055.phpt 2011-02-21 06:53:24 UTC (rev 308525) 
@@ -0,0 +1,589 @@ +--TEST-- +Bug #54055: PHP crashes when executing strval when precision setting is very high +--FILE-- +<?php +for($i = 495; $i <= 1074; $i++) { + ini_set('precision', $i); + echo "$i: len=", strlen(strval(-1 * pow(2, -1074))), "\n"; +} +--EXPECT-- +495: len=502 +496: len=503 +497: len=504 +498: len=505 +499: len=506 +500: len=507 +501: len=507 +502: len=507 +503: len=507 +504: len=507 +505: len=507 +506: len=507 +507: len=507 +508: len=507 +509: len=507 +510: len=507 +511: len=507 +512: len=507 +513: len=507 +514: len=507 +515: len=507 +516: len=507 +517: len=507 +518: len=507 +519: len=507 +520: len=507 +521: len=507 +522: len=507 +523: len=507 +524: len=507 +525: len=507 +526: len=507 +527: len=507 +528: len=507 +529: len=507 +530: len=507 +531: len=507 +532: len=507 +533: len=507 +534: len=507 +535: len=507 +536: len=507 +537: len=507 +538: len=507 +539: len=507 +540: len=507 +541: len=507 +542: len=507 +543: len=507 +544: len=507 +545: len=507 +546: len=507 +547: len=507 +548: len=507 +549: len=507 +550: len=507 +551: len=507 +552: len=507 +553: len=507 +554: len=507 +555: len=507 +556: len=507 +557: len=507 +558: len=507 +559: len=507 +560: len=507 +561: len=507 +562: len=507 +563: len=507 +564: len=507 +565: len=507 +566: len=507 +567: len=507 +568: len=507 +569: len=507 +570: len=507 +571: len=507 +572: len=507 +573: len=507 +574: len=507 +575: len=507 +576: len=507 +577: len=507 +578: len=507 +579: len=507 +580: len=507 +581: len=507 +582: len=507 +583: len=507 +584: len=507 +585: len=507 +586: len=507 +587: len=507 +588: len=507 +589: len=507 +590: len=507 +591: len=507 +592: len=507 +593: len=507 +594: len=507 +595: len=507 +596: len=507 +597: len=507 +598: len=507 +599: len=507 +600: len=507 +601: len=507 +602: len=507 +603: len=507 +604: len=507 +605: len=507 +606: len=507 +607: len=507 +608: len=507 +609: len=507 +610: len=507 +611: len=507 +612: len=507 +613: len=507 +614: len=507 +615: len=507 +616: len=507 +617: len=507 +618: 
len=507 +619: len=507 +620: len=507 +621: len=507 +622: len=507 +623: len=507 +624: len=507 +625: len=507 +626: len=507 +627: len=507 +628: len=507 +629: len=507 +630: len=507 +631: len=507 +632: len=507 +633: len=507 +634: len=507 +635: len=507 +636: len=507 +637: len=507 +638: len=507 +639: len=507 +640: len=507 +641: len=507 +642: len=507 +643: len=507 +644: len=507 +645: len=507 +646: len=507 +647: len=507 +648: len=507 +649: len=507 +650: len=507 +651: len=507 +652: len=507 +653: len=507 +654: len=507 +655: len=507 +656: len=507 +657: len=507 +658: len=507 +659: len=507 +660: len=507 +661: len=507 +662: len=507 +663: len=507 +664: len=507 +665: len=507 +666: len=507 +667: len=507 +668: len=507 +669: len=507 +670: len=507 +671: len=507 +672: len=507 +673: len=507 +674: len=507 +675: len=507 +676: len=507 +677: len=507 +678: len=507 +679: len=507 +680: len=507 +681: len=507 +682: len=507 +683: len=507 +684: len=507 +685: len=507 +686: len=507 +687: len=507 +688: len=507 +689: len=507 +690: len=507 +691: len=507 +692: len=507 +693: len=507 +694: len=507 +695: len=507 +696: len=507 +697: len=507 +698: len=507 +699: len=507 +700: len=507 +701: len=507 +702: len=507 +703: len=507 +704: len=507 +705: len=507 +706: len=507 +707: len=507 +708: len=507 +709: len=507 +710: len=507 +711: len=507 +712: len=507 +713: len=507 +714: len=507 +715: len=507 +716: len=507 +717: len=507 +718: len=507 +719: len=507 +720: len=507 +721: len=507 +722: len=507 +723: len=507 +724: len=507 +725: len=507 +726: len=507 +727: len=507 +728: len=507 +729: len=507 +730: len=507 +731: len=507 +732: len=507 +733: len=507 +734: len=507 +735: len=507 +736: len=507 +737: len=507 +738: len=507 +739: len=507 +740: len=507 +741: len=507 +742: len=507 +743: len=507 +744: len=507 +745: len=507 +746: len=507 +747: len=507 +748: len=507 +749: len=507 +750: len=507 +751: len=507 +752: len=507 +753: len=507 +754: len=507 +755: len=507 +756: len=507 +757: len=507 +758: len=507 +759: len=507 +760: len=507 
+761: len=507 +762: len=507 +763: len=507 +764: len=507 +765: len=507 +766: len=507 +767: len=507 +768: len=507 +769: len=507 +770: len=507 +771: len=507 +772: len=507 +773: len=507 +774: len=507 +775: len=507 +776: len=507 +777: len=507 +778: len=507 +779: len=507 +780: len=507 +781: len=507 +782: len=507 +783: len=507 +784: len=507 +785: len=507 +786: len=507 +787: len=507 +788: len=507 +789: len=507 +790: len=507 +791: len=507 +792: len=507 +793: len=507 +794: len=507 +795: len=507 +796: len=507 +797: len=507 +798: len=507 +799: len=507 +800: len=507 +801: len=507 +802: len=507 +803: len=507 +804: len=507 +805: len=507 +806: len=507 +807: len=507 +808: len=507 +809: len=507 +810: len=507 +811: len=507 +812: len=507 +813: len=507 +814: len=507 +815: len=507 +816: len=507 +817: len=507 +818: len=507 +819: len=507 +820: len=507 +821: len=507 +822: len=507 +823: len=507 +824: len=507 +825: len=507 +826: len=507 +827: len=507 +828: len=507 +829: len=507 +830: len=507 +831: len=507 +832: len=507 +833: len=507 +834: len=507 +835: len=507 +836: len=507 +837: len=507 +838: len=507 +839: len=507 +840: len=507 +841: len=507 +842: len=507 +843: len=507 +844: len=507 +845: len=507 +846: len=507 +847: len=507 +848: len=507 +849: len=507 +850: len=507 +851: len=507 +852: len=507 +853: len=507 +854: len=507 +855: len=507 +856: len=507 +857: len=507 +858: len=507 +859: len=507 +860: len=507 +861: len=507 +862: len=507 +863: len=507 +864: len=507 +865: len=507 +866: len=507 +867: len=507 +868: len=507 +869: len=507 +870: len=507 +871: len=507 +872: len=507 +873: len=507 +874: len=507 +875: len=507 +876: len=507 +877: len=507 +878: len=507 +879: len=507 +880: len=507 +881: len=507 +882: len=507 +883: len=507 +884: len=507 +885: len=507 +886: len=507 +887: len=507 +888: len=507 +889: len=507 +890: len=507 +891: len=507 +892: len=507 +893: len=507 +894: len=507 +895: len=507 +896: len=507 +897: len=507 +898: len=507 +899: len=507 +900: len=507 +901: len=507 +902: len=507 +903: 
len=507 +904: len=507 +905: len=507 +906: len=507 +907: len=507 +908: len=507 +909: len=507 +910: len=507 +911: len=507 +912: len=507 +913: len=507 +914: len=507 +915: len=507 +916: len=507 +917: len=507 +918: len=507 +919: len=507 +920: len=507 +921: len=507 +922: len=507 +923: len=507 +924: len=507 +925: len=507 +926: len=507 +927: len=507 +928: len=507 +929: len=507 +930: len=507 +931: len=507 +932: len=507 +933: len=507 +934: len=507 +935: len=507 +936: len=507 +937: len=507 +938: len=507 +939: len=507 +940: len=507 +941: len=507 +942: len=507 +943: len=507 +944: len=507 +945: len=507 +946: len=507 +947: len=507 +948: len=507 +949: len=507 +950: len=507 +951: len=507 +952: len=507 +953: len=507 +954: len=507 +955: len=507 +956: len=507 +957: len=507 +958: len=507 +959: len=507 +960: len=507 +961: len=507 +962: len=507 +963: len=507 +964: len=507 +965: len=507 +966: len=507 +967: len=507 +968: len=507 +969: len=507 +970: len=507 +971: len=507 +972: len=507 +973: len=507 +974: len=507 +975: len=507 +976: len=507 +977: len=507 +978: len=507 +979: len=507 +980: len=507 +981: len=507 +982: len=507 +983: len=507 +984: len=507 +985: len=507 +986: len=507 +987: len=507 +988: len=507 +989: len=507 +990: len=507 +991: len=507 +992: len=507 +993: len=507 +994: len=507 +995: len=507 +996: len=507 +997: len=507 +998: len=507 +999: len=507 +1000: len=507 +1001: len=507 +1002: len=507 +1003: len=507 +1004: len=507 +1005: len=507 +1006: len=507 +1007: len=507 +1008: len=507 +1009: len=507 +1010: len=507 +1011: len=507 +1012: len=507 +1013: len=507 +1014: len=507 +1015: len=507 +1016: len=507 +1017: len=507 +1018: len=507 +1019: len=507 +1020: len=507 +1021: len=507 +1022: len=507 +1023: len=507 +1024: len=507 +1025: len=507 +1026: len=507 +1027: len=507 +1028: len=507 +1029: len=507 +1030: len=507 +1031: len=507 +1032: len=507 +1033: len=507 +1034: len=507 +1035: len=507 +1036: len=507 +1037: len=507 +1038: len=507 +1039: len=507 +1040: len=507 +1041: len=507 +1042: len=507 
+1043: len=507 +1044: len=507 +1045: len=507 +1046: len=507 +1047: len=507 +1048: len=507 +1049: len=507 +1050: len=507 +1051: len=507 +1052: len=507 +1053: len=507 +1054: len=507 +1055: len=507 +1056: len=507 +1057: len=507 +1058: len=507 +1059: len=507 +1060: len=507 +1061: len=507 +1062: len=507 +1063: len=507 +1064: len=507 +1065: len=507 +1066: len=507 +1067: len=507 +1068: len=507 +1069: len=507 +1070: len=507 +1071: len=507 +1072: len=507 +1073: len=507 +1074: len=507 Modified: php/php-src/branches/PHP_5_3/main/snprintf.c =================================================================== --- php/php-src/branches/PHP_5_3/main/snprintf.c 2011-02-21 06:22:00 UTC (rev 308524) +++ php/php-src/branches/PHP_5_3/main/snprintf.c 2011-02-21 06:53:24 UTC (rev 308525) @@ -677,10 +677,6 @@ /* * Check if a precision was specified - * - * XXX: an unreasonable amount of precision may be specified - * resulting in overflow of num_buf. Currently we - * ignore this possibility. */ if (*fmt == '.') { adjust_precision = YES; @@ -694,6 +690,10 @@ precision = 0; } else precision = 0; + + if (precision > FORMAT_CONV_MAX_PRECISION) { + precision = FORMAT_CONV_MAX_PRECISION; + } } else adjust_precision = NO; } else Modified: php/php-src/branches/PHP_5_3/main/snprintf.h =================================================================== --- php/php-src/branches/PHP_5_3/main/snprintf.h 2011-02-21 06:22:00 UTC (rev 308524) +++ php/php-src/branches/PHP_5_3/main/snprintf.h 2011-02-21 06:53:24 UTC (rev 308525) @@ -12,7 +12,7 @@ | obtain it through the world-wide-web, please send a note to | | lice...@php.net so we can mail you a copy immediately. | +----------------------------------------------------------------------+ - | Author: Stig Sæther Bakken <s...@php.net> | + | Author: Stig Sæther Bakken <s...@php.net> | | Marcus Boerger <he...@php.net> | +----------------------------------------------------------------------+ */ 
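Review bot: The loop in bug54055.phpt stops at precision 1074 and formats a single value, so it pins the plateau at len=507 but says nothing about much larger `precision` settings or about values with a large positive exponent. A few spot checks outside the loop, for example `ini_set('precision', 100000); var_dump(strlen(strval(-1 * pow(2, -1074))));`, would cover the "very high" case named in the bug title without lengthening the expected output. The 580 near-identical EXPECT lines could also be cut down by printing only when the length changes. The same applies to the trunk copy of the test.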
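Review bot: The new clamp in main/snprintf.c sits in the shared `if (*fmt == '.')` precision-parsing branch, before the conversion character is known, so it caps the precision of every conversion and not only the floating-point modes that fill num_buf. If the string conversion uses `precision` as a maximum length, as is usual for `%.*s`, internal callers passing lengths above 500 would get silently truncated output; the conversion cases are outside this hunk, so that needs confirming. Moving `if (precision > FORMAT_CONV_MAX_PRECISION) precision = FORMAT_CONV_MAX_PRECISION;` into the g/G/H cases would keep the overflow fix without touching string handling. The same applies to the matching hunks in main/spprintf.c and to both trunk copies.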
@@ -158,6 +158,17 @@ extern char * ap_php_conv_p2(register u_wide_int num, register int nbits, char format, char *buf_end, register int *len); +/* The maximum precision that's allowed for float conversion. Does not include + * decimal separator, exponent, sign, terminator. Currently does not affect + * the modes e/f, only g/k/H, as those have a different limit enforced at + * another level (see NDIG in php_conv_fp()). + * Applies to the formatting functions of both spprintf.c and snprintf.c, which + * use equally sized buffers of MAX_BUF_SIZE = 512 to hold the result of the + * call to php_gcvt(). + * This should be reasonably smaller than MAX_BUF_SIZE (I think MAX_BUF_SIZE - 9 + * should be enough, but let's give some more space) */ +#define FORMAT_CONV_MAX_PRECISION 500 + #endif /* SNPRINTF_H */ /* Modified: php/php-src/branches/PHP_5_3/main/spprintf.c =================================================================== --- php/php-src/branches/PHP_5_3/main/spprintf.c 2011-02-21 06:22:00 UTC (rev 308524) +++ php/php-src/branches/PHP_5_3/main/spprintf.c 2011-02-21 06:53:24 UTC (rev 308525) @@ -285,10 +285,6 @@ /* * Check if a precision was specified - * - * XXX: an unreasonable amount of precision may be specified - * resulting in overflow of num_buf. Currently we - * ignore this possibility. */ if (*fmt == '.') { adjust_precision = YES; @@ -302,6 +298,10 @@ precision = 0; } else precision = 0; + + if (precision > FORMAT_CONV_MAX_PRECISION) { + precision = FORMAT_CONV_MAX_PRECISION; + } } else adjust_precision = NO; } else Added: php/php-src/trunk/ext/standard/tests/strings/bug54055.phpt =================================================================== --- php/php-src/trunk/ext/standard/tests/strings/bug54055.phpt (rev 0) +++ php/php-src/trunk/ext/standard/tests/strings/bug54055.phpt 2011-02-21 06:53:24 UTC (rev 308525) 
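Review bot: FORMAT_CONV_MAX_PRECISION in main/snprintf.h is tied to the 512-byte conversion buffers only through the comment, so a later change to the buffer size in snprintf.c or spprintf.c could reintroduce the overrun with no compiler warning. A preprocessor check next to the buffer definitions, along the lines of `#if FORMAT_CONV_MAX_PRECISION > MAX_BUF_SIZE - 9` followed by `#error`, would turn the documented invariant into an enforced one; the macro name is taken from the comment and should be confirmed against the two .c files, which are outside this hunk. The comment would also be stronger if it listed the worst-case overhead it budgets for (sign, decimal separator, exponent, terminator) instead of "I think MAX_BUF_SIZE - 9 should be enough". The trunk copy of this hunk is identical.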
@@ -0,0 +1,589 @@ +--TEST-- +Bug #54055: PHP crashes when executing strval when precision setting is very high +--FILE-- +<?php +for($i = 495; $i <= 1074; $i++) { + ini_set('precision', $i); + echo "$i: len=", strlen(strval(-1 * pow(2, -1074))), "\n"; +} +--EXPECT-- +495: len=502 +496: len=503 +497: len=504 +498: len=505 +499: len=506 +500: len=507 +501: len=507 +502: len=507 +503: len=507 +504: len=507 +505: len=507 +506: len=507 +507: len=507 +508: len=507 +509: len=507 +510: len=507 +511: len=507 +512: len=507 +513: len=507 +514: len=507 +515: len=507 +516: len=507 +517: len=507 +518: len=507 +519: len=507 +520: len=507 +521: len=507 +522: len=507 +523: len=507 +524: len=507 +525: len=507 +526: len=507 +527: len=507 +528: len=507 +529: len=507 +530: len=507 +531: len=507 +532: len=507 +533: len=507 +534: len=507 +535: len=507 +536: len=507 +537: len=507 +538: len=507 +539: len=507 +540: len=507 +541: len=507 +542: len=507 +543: len=507 +544: len=507 +545: len=507 +546: len=507 +547: len=507 +548: len=507 +549: len=507 +550: len=507 +551: len=507 +552: len=507 +553: len=507 +554: len=507 +555: len=507 +556: len=507 +557: len=507 +558: len=507 +559: len=507 +560: len=507 +561: len=507 +562: len=507 +563: len=507 +564: len=507 +565: len=507 +566: len=507 +567: len=507 +568: len=507 +569: len=507 +570: len=507 +571: len=507 +572: len=507 +573: len=507 +574: len=507 +575: len=507 +576: len=507 +577: len=507 +578: len=507 +579: len=507 +580: len=507 +581: len=507 +582: len=507 +583: len=507 +584: len=507 +585: len=507 +586: len=507 +587: len=507 +588: len=507 +589: len=507 +590: len=507 +591: len=507 +592: len=507 +593: len=507 +594: len=507 +595: len=507 +596: len=507 +597: len=507 +598: len=507 +599: len=507 +600: len=507 +601: len=507 +602: len=507 +603: len=507 +604: len=507 +605: len=507 +606: len=507 +607: len=507 +608: len=507 +609: len=507 +610: len=507 +611: len=507 +612: len=507 +613: len=507 +614: len=507 +615: len=507 +616: len=507 +617: len=507 +618: 
len=507 +619: len=507 +620: len=507 +621: len=507 +622: len=507 +623: len=507 +624: len=507 +625: len=507 +626: len=507 +627: len=507 +628: len=507 +629: len=507 +630: len=507 +631: len=507 +632: len=507 +633: len=507 +634: len=507 +635: len=507 +636: len=507 +637: len=507 +638: len=507 +639: len=507 +640: len=507 +641: len=507 +642: len=507 +643: len=507 +644: len=507 +645: len=507 +646: len=507 +647: len=507 +648: len=507 +649: len=507 +650: len=507 +651: len=507 +652: len=507 +653: len=507 +654: len=507 +655: len=507 +656: len=507 +657: len=507 +658: len=507 +659: len=507 +660: len=507 +661: len=507 +662: len=507 +663: len=507 +664: len=507 +665: len=507 +666: len=507 +667: len=507 +668: len=507 +669: len=507 +670: len=507 +671: len=507 +672: len=507 +673: len=507 +674: len=507 +675: len=507 +676: len=507 +677: len=507 +678: len=507 +679: len=507 +680: len=507 +681: len=507 +682: len=507 +683: len=507 +684: len=507 +685: len=507 +686: len=507 +687: len=507 +688: len=507 +689: len=507 +690: len=507 +691: len=507 +692: len=507 +693: len=507 +694: len=507 +695: len=507 +696: len=507 +697: len=507 +698: len=507 +699: len=507 +700: len=507 +701: len=507 +702: len=507 +703: len=507 +704: len=507 +705: len=507 +706: len=507 +707: len=507 +708: len=507 +709: len=507 +710: len=507 +711: len=507 +712: len=507 +713: len=507 +714: len=507 +715: len=507 +716: len=507 +717: len=507 +718: len=507 +719: len=507 +720: len=507 +721: len=507 +722: len=507 +723: len=507 +724: len=507 +725: len=507 +726: len=507 +727: len=507 +728: len=507 +729: len=507 +730: len=507 +731: len=507 +732: len=507 +733: len=507 +734: len=507 +735: len=507 +736: len=507 +737: len=507 +738: len=507 +739: len=507 +740: len=507 +741: len=507 +742: len=507 +743: len=507 +744: len=507 +745: len=507 +746: len=507 +747: len=507 +748: len=507 +749: len=507 +750: len=507 +751: len=507 +752: len=507 +753: len=507 +754: len=507 +755: len=507 +756: len=507 +757: len=507 +758: len=507 +759: len=507 +760: len=507 
+761: len=507 +762: len=507 +763: len=507 +764: len=507 +765: len=507 +766: len=507 +767: len=507 +768: len=507 +769: len=507 +770: len=507 +771: len=507 +772: len=507 +773: len=507 +774: len=507 +775: len=507 +776: len=507 +777: len=507 +778: len=507 +779: len=507 +780: len=507 +781: len=507 +782: len=507 +783: len=507 +784: len=507 +785: len=507 +786: len=507 +787: len=507 +788: len=507 +789: len=507 +790: len=507 +791: len=507 +792: len=507 +793: len=507 +794: len=507 +795: len=507 +796: len=507 +797: len=507 +798: len=507 +799: len=507 +800: len=507 +801: len=507 +802: len=507 +803: len=507 +804: len=507 +805: len=507 +806: len=507 +807: len=507 +808: len=507 +809: len=507 +810: len=507 +811: len=507 +812: len=507 +813: len=507 +814: len=507 +815: len=507 +816: len=507 +817: len=507 +818: len=507 +819: len=507 +820: len=507 +821: len=507 +822: len=507 +823: len=507 +824: len=507 +825: len=507 +826: len=507 +827: len=507 +828: len=507 +829: len=507 +830: len=507 +831: len=507 +832: len=507 +833: len=507 +834: len=507 +835: len=507 +836: len=507 +837: len=507 +838: len=507 +839: len=507 +840: len=507 +841: len=507 +842: len=507 +843: len=507 +844: len=507 +845: len=507 +846: len=507 +847: len=507 +848: len=507 +849: len=507 +850: len=507 +851: len=507 +852: len=507 +853: len=507 +854: len=507 +855: len=507 +856: len=507 +857: len=507 +858: len=507 +859: len=507 +860: len=507 +861: len=507 +862: len=507 +863: len=507 +864: len=507 +865: len=507 +866: len=507 +867: len=507 +868: len=507 +869: len=507 +870: len=507 +871: len=507 +872: len=507 +873: len=507 +874: len=507 +875: len=507 +876: len=507 +877: len=507 +878: len=507 +879: len=507 +880: len=507 +881: len=507 +882: len=507 +883: len=507 +884: len=507 +885: len=507 +886: len=507 +887: len=507 +888: len=507 +889: len=507 +890: len=507 +891: len=507 +892: len=507 +893: len=507 +894: len=507 +895: len=507 +896: len=507 +897: len=507 +898: len=507 +899: len=507 +900: len=507 +901: len=507 +902: len=507 +903: 
len=507 +904: len=507 +905: len=507 +906: len=507 +907: len=507 +908: len=507 +909: len=507 +910: len=507 +911: len=507 +912: len=507 +913: len=507 +914: len=507 +915: len=507 +916: len=507 +917: len=507 +918: len=507 +919: len=507 +920: len=507 +921: len=507 +922: len=507 +923: len=507 +924: len=507 +925: len=507 +926: len=507 +927: len=507 +928: len=507 +929: len=507 +930: len=507 +931: len=507 +932: len=507 +933: len=507 +934: len=507 +935: len=507 +936: len=507 +937: len=507 +938: len=507 +939: len=507 +940: len=507 +941: len=507 +942: len=507 +943: len=507 +944: len=507 +945: len=507 +946: len=507 +947: len=507 +948: len=507 +949: len=507 +950: len=507 +951: len=507 +952: len=507 +953: len=507 +954: len=507 +955: len=507 +956: len=507 +957: len=507 +958: len=507 +959: len=507 +960: len=507 +961: len=507 +962: len=507 +963: len=507 +964: len=507 +965: len=507 +966: len=507 +967: len=507 +968: len=507 +969: len=507 +970: len=507 +971: len=507 +972: len=507 +973: len=507 +974: len=507 +975: len=507 +976: len=507 +977: len=507 +978: len=507 +979: len=507 +980: len=507 +981: len=507 +982: len=507 +983: len=507 +984: len=507 +985: len=507 +986: len=507 +987: len=507 +988: len=507 +989: len=507 +990: len=507 +991: len=507 +992: len=507 +993: len=507 +994: len=507 +995: len=507 +996: len=507 +997: len=507 +998: len=507 +999: len=507 +1000: len=507 +1001: len=507 +1002: len=507 +1003: len=507 +1004: len=507 +1005: len=507 +1006: len=507 +1007: len=507 +1008: len=507 +1009: len=507 +1010: len=507 +1011: len=507 +1012: len=507 +1013: len=507 +1014: len=507 +1015: len=507 +1016: len=507 +1017: len=507 +1018: len=507 +1019: len=507 +1020: len=507 +1021: len=507 +1022: len=507 +1023: len=507 +1024: len=507 +1025: len=507 +1026: len=507 +1027: len=507 +1028: len=507 +1029: len=507 +1030: len=507 +1031: len=507 +1032: len=507 +1033: len=507 +1034: len=507 +1035: len=507 +1036: len=507 +1037: len=507 +1038: len=507 +1039: len=507 +1040: len=507 +1041: len=507 +1042: len=507 
+1043: len=507 +1044: len=507 +1045: len=507 +1046: len=507 +1047: len=507 +1048: len=507 +1049: len=507 +1050: len=507 +1051: len=507 +1052: len=507 +1053: len=507 +1054: len=507 +1055: len=507 +1056: len=507 +1057: len=507 +1058: len=507 +1059: len=507 +1060: len=507 +1061: len=507 +1062: len=507 +1063: len=507 +1064: len=507 +1065: len=507 +1066: len=507 +1067: len=507 +1068: len=507 +1069: len=507 +1070: len=507 +1071: len=507 +1072: len=507 +1073: len=507 +1074: len=507 Modified: php/php-src/trunk/main/snprintf.c =================================================================== --- php/php-src/trunk/main/snprintf.c 2011-02-21 06:22:00 UTC (rev 308524) +++ php/php-src/trunk/main/snprintf.c 2011-02-21 06:53:24 UTC (rev 308525) @@ -677,10 +677,6 @@ /* * Check if a precision was specified - * - * XXX: an unreasonable amount of precision may be specified - * resulting in overflow of num_buf. Currently we - * ignore this possibility. */ if (*fmt == '.') { adjust_precision = YES; @@ -694,6 +690,10 @@ precision = 0; } else precision = 0; + + if (precision > FORMAT_CONV_MAX_PRECISION) { + precision = FORMAT_CONV_MAX_PRECISION; + } } else adjust_precision = NO; } else Modified: php/php-src/trunk/main/snprintf.h =================================================================== --- php/php-src/trunk/main/snprintf.h 2011-02-21 06:22:00 UTC (rev 308524) +++ php/php-src/trunk/main/snprintf.h 2011-02-21 06:53:24 UTC (rev 308525) @@ -12,7 +12,7 @@ | obtain it through the world-wide-web, please send a note to | | lice...@php.net so we can mail you a copy immediately. | +----------------------------------------------------------------------+ - | Author: Stig Sæther Bakken <s...@php.net> | + | Author: Stig Sæther Bakken <s...@php.net> | | Marcus Boerger <he...@php.net> | +----------------------------------------------------------------------+ */ 
@@ -158,6 +158,17 @@ extern char * ap_php_conv_p2(register u_wide_int num, register int nbits, char format, char *buf_end, register int *len); +/* The maximum precision that's allowed for float conversion. Does not include + * decimal separator, exponent, sign, terminator. Currently does not affect + * the modes e/f, only g/k/H, as those have a different limit enforced at + * another level (see NDIG in php_conv_fp()). + * Applies to the formatting functions of both spprintf.c and snprintf.c, which + * use equally sized buffers of MAX_BUF_SIZE = 512 to hold the result of the + * call to php_gcvt(). + * This should be reasonably smaller than MAX_BUF_SIZE (I think MAX_BUF_SIZE - 9 + * should be enough, but let's give some more space) */ +#define FORMAT_CONV_MAX_PRECISION 500 + #endif /* SNPRINTF_H */ /* Modified: php/php-src/trunk/main/spprintf.c =================================================================== --- php/php-src/trunk/main/spprintf.c 2011-02-21 06:22:00 UTC (rev 308524) +++ php/php-src/trunk/main/spprintf.c 2011-02-21 06:53:24 UTC (rev 308525) @@ -285,10 +285,6 @@ /* * Check if a precision was specified - * - * XXX: an unreasonable amount of precision may be specified - * resulting in overflow of num_buf. Currently we - * ignore this possibility. */ if (*fmt == '.') { adjust_precision = YES; @@ -302,6 +298,10 @@ precision = 0; } else precision = 0; + + if (precision > FORMAT_CONV_MAX_PRECISION) { + precision = FORMAT_CONV_MAX_PRECISION; + } } else adjust_precision = NO; } else