From 89ddd969ba42590e37c007d72871cf8f7727fcba Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Mon, 2 Sep 2024 18:03:28 +0100
Subject: [PATCH] Fix GH-15712: overflow on float print with precision ini large value.

When allocating enough room for floats, the allocator used overflows with large ndigits/EG(precision) value which used an signed integer to increase the size of thebuffer. Testing with the zend operator directly is enough to trigger the issue rather than higher level math interface.
---
 Zend/tests/gh15712.phpt | 9 +++++++++
 Zend/zend_strtod.c | 6 +++---
 2 files changed, 12 insertions(+), 3 deletions(-)
 create mode 100644 Zend/tests/gh15712.phpt

diff --git a/Zend/tests/gh15712.phpt b/Zend/tests/gh15712.phpt
new file mode 100644
index 0000000000000..7c4bd0b22ac11
--- /dev/null
+++ b/Zend/tests/gh15712.phpt
@@ -0,0 +1,9 @@
+--TEST--
+GH-15712: overflow on real number printing
+--FILE--
+
+--EXPECTF--
+%s
diff --git a/Zend/zend_strtod.c b/Zend/zend_strtod.c
index 3e7f90378ef5e..eb3a94332ae35 100644
--- a/Zend/zend_strtod.c
+++ b/Zend/zend_strtod.c
@@ -3613,11 +3613,11 @@ rv_alloc(i) int i;
 rv_alloc(int i)
 #endif
 {
- int j, k, *r;
+ int k, *r;
- j = sizeof(ULong);
+ size_t j = sizeof(ULong);
 for(k = 0;
- sizeof(Bigint) - sizeof(ULong) - sizeof(int) + (size_t)j <= (size_t)i;
+ sizeof(Bigint) - sizeof(ULong) - sizeof(int) + j <= (size_t)i;
 j <<= 1)
 k++;
 r = (int*)Balloc(k);
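Review bot: The loop condition still casts the signed parameter with `(size_t)i`, so a negative `i` becomes a huge bound; `j` then doubles until it wraps to 0, the condition stays true forever, and `k` grows without limit. If no caller can pass a negative count that is fine, but it is cheap to make explicit before the `for`, e.g. `if (i < 0) i = 0;` (or an assertion, if this file uses one). Widening `j` to `size_t` removes the signed left-shift overflow, but `k` is still handed to `Balloc(k)` and for `i` near INT_MAX it reaches close to 30; whether Balloc tolerates such a `k` without its own `1 << k` overflow is not visible in this hunk and is worth checking. A short comment above the loop would also help readers, e.g. `/* find smallest k such that 2^k ULongs hold i bytes; j doubles each step */`. rv_alloc's body continues past the last hunk line.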