Fix GH-15968: Avoid converting objects to strings in operator calculations. (#16021)

SakiTakamachi · web-flow · commit c5b258fedcb8 · 2024-09-24T22:33:36.000+09:00
diff --git a/NEWS b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
   . bcpow() performance improvement. (Jorg Sowa)
   . ext/bcmath: Check for scale overflow. (SakiTakamachi)
   . [RFC] ext/bcmath: Added bcdivmod. (SakiTakamachi)
+  . Fix GH-15968 (Avoid converting objects to strings in operator calculations).
+    (SakiTakamachi)
 
 - Curl:
   . Added CURLOPT_DEBUGFUNCTION as a Curl option. (Ayesh Karunaratne)
diff --git a/ext/bcmath/bcmath.c b/ext/bcmath/bcmath.c
@@ -1178,7 +1178,7 @@ static zend_result bcmath_number_parse_num(zval *zv, zend_object **obj, zend_str
 				return FAILURE;
 
 			default:
-				return zend_parse_arg_str_or_long_slow(zv, str, lval, 1 /* dummy */) ? SUCCESS : FAILURE;
+				return zend_parse_arg_long_slow(zv, lval, 1 /* dummy */) ? SUCCESS : FAILURE;
 		}
 	}
 }
diff --git a/ext/bcmath/tests/gh15968.phpt b/ext/bcmath/tests/gh15968.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GH-15968 BCMath\Number operators may typecast operand
+--EXTENSIONS--
+bcmath
+--FILE--
+<?php
+class MyString {
+    function __toString() {
+        return "2";
+    }
+}
+
+$a = new BCMath\Number("1");
+$b = new MyString();
+try {
+    var_dump($a + $b);
+} catch (Error $e) {
+    echo $e->getMessage();
+}
+?>
+--EXPECT--
+Unsupported operand types: BcMath\Number + MyString

Original file line number	Diff line number	Diff line change
`@@ -1178,7 +1178,7 @@ static zend_result bcmath_number_parse_num(zval zv, zend_object *obj, zend_str`
`1178`	`1178`	`return FAILURE;`
`1179`	`1179`
`1180`	`1180`	`default:`
`1181`		`- return zend_parse_arg_str_or_long_slow(zv, str, lval, 1 /* dummy */) ? SUCCESS : FAILURE;`
	`1181`	`+ return zend_parse_arg_long_slow(zv, lval, 1 /* dummy */) ? SUCCESS : FAILURE;`
`1182`	`1182`	`}`
`1183`	`1183`	`}`
`1184`	`1184`	`}`