Merge branch 'PHP-8.3' into PHP-8.4

cmb69 · cmb69 · commit b1fbdd8a6739 · 2024-10-15T15:59:53.000+02:00
* PHP-8.3: Fix GH-16411: gmp_export() can cause overflow
diff --git a/NEWS b/NEWS
@@ -43,6 +43,7 @@ PHP                                                                        NEWS
 - GMP:
   . Fixed floating point exception bug with gmp_pow when using
     large exposant values. (David Carlier).
+  . Fixed bug GH-16411 (gmp_export() can cause overflow). (cmb)
 
 - MBstring:
   . Fixed bug GH-16361 (mb_substr overflow on start/length arguments).
diff --git a/ext/gmp/gmp.c b/ext/gmp/gmp.c
@@ -1012,8 +1012,14 @@ ZEND_FUNCTION(gmp_export)
 	if (mpz_sgn(gmpnumber) == 0) {
 		RETVAL_EMPTY_STRING();
 	} else {
-		size_t bits_per_word = size * 8;
-		size_t count = (mpz_sizeinbase(gmpnumber, 2) + bits_per_word - 1) / bits_per_word;
+		ZEND_ASSERT(size > 0);
+		size_t size_in_base_2 = mpz_sizeinbase(gmpnumber, 2);
+		if (size > ZEND_LONG_MAX / 4 || size_in_base_2 > SIZE_MAX - (size_t) size * 8 + 1) {
+			zend_argument_value_error(2, "is too large for argument #1 ($num)");
+			RETURN_THROWS();
+		}
+		size_t bits_per_word = (size_t) size * 8;
+		size_t count = (size_in_base_2 + bits_per_word - 1) / bits_per_word;
 
 		zend_string *out_string = zend_string_safe_alloc(count, size, 0, 0);
 		mpz_export(ZSTR_VAL(out_string), NULL, order, size, endian, 0, gmpnumber);
diff --git a/ext/gmp/tests/gh16411.phpt b/ext/gmp/tests/gh16411.phpt
@@ -0,0 +1,11 @@
+--TEST--
+GH-16411 (gmp_export() can cause overflow)
+--EXTENSIONS--
+gmp
+--FILE--
+<?php
+gmp_export("-9223372036854775808", PHP_INT_MAX, PHP_INT_MIN);
+?>
+--EXPECTF--
+Fatal error: Uncaught ValueError: gmp_export(): Argument #2 ($word_size) is too large for argument #1 ($num) in %s:%d
+%A
