From ec3ccb5c3827f77dcda5684c1903b3e943a89b66 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 19 Oct 2024 06:01:32 +0100 Subject: [PATCH 1/2] Fix GH-16501: gmp_random_bits overflow. we do the same calculation in advance as mpz_realloc overflow check to avoid abort. --- ext/gmp/gmp.c | 12 +++++++++--- ext/gmp/tests/gh16501.phpt | 14 ++++++++++++++ 2 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 ext/gmp/tests/gh16501.phpt
diff --git a/ext/gmp/gmp.c b/ext/gmp/gmp.c
index bae141b574af6..ba62b37ad2c8a 100644
--- a/ext/gmp/gmp.c
+++ b/ext/gmp/gmp.c
@@ -1803,15 +1803,21 @@ ZEND_FUNCTION(gmp_random_bits)
 RETURN_THROWS();
 }
- if (bits <= 0) {
- zend_argument_value_error(1, "must be greater than or equal to 1");
+#if SIZEOF_SIZE_T == 4
+ const zend_long maxbits = ULONG_MAX / GMP_NUMB_BITS;
+#else
+ const zend_long maxbits = INT_MAX;
+#endif
+
+ if (bits <= 0 || bits > maxbits) {
+ zend_argument_value_error(1, "must be between 1 and " ZEND_LONG_FMT, maxbits);
 RETURN_THROWS();
 }
 INIT_GMP_RETVAL(gmpnum_result);
 gmp_init_random();
- mpz_urandomb(gmpnum_result, GMPG(rand_state), bits);
+ mpz_urandomb(gmpnum_result, GMPG(rand_state), (mp_bitcnt_t)bits);
 }
 /* }}} */
diff --git a/ext/gmp/tests/gh16501.phpt b/ext/gmp/tests/gh16501.phpt
new file mode 100644
index 0000000000000..325be85d1917e
--- /dev/null
+++ b/ext/gmp/tests/gh16501.phpt
@@ -0,0 +1,14 @@
+--TEST--
+GH-16501 (gmp_random_bits overflow)
+--EXTENSIONS--
+gmp
+--FILE--
+getMessage();
+}
+?>
+--EXPECTF--
+gmp_random_bits(): Argument #1 ($bits) must be between 1 and %d
From fa54bc417546105101652e65e30a387a8e620674 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 19 Oct 2024 06:28:10 +0100 Subject: [PATCH 2/2] fix existing test --- ext/gmp/tests/gmp_random_bits.phpt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ext/gmp/tests/gmp_random_bits.phpt b/ext/gmp/tests/gmp_random_bits.phpt
index 3dbfc097d28d5..4e7f337983891 100644
--- a/ext/gmp/tests/gmp_random_bits.phpt
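Review bot: The `maxbits` bound added before the range check in `gmp_random_bits` carries no comment saying which library limit it mirrors, and the `#if` selects on `SIZEOF_SIZE_T` although, as far as I recall, the `mpz_realloc` check named in the commit message depends on the width of `mp_size_t` and counts limbs, not bits. Dividing by `GMP_NUMB_BITS` and then comparing against a bit count therefore looks conservative rather than exact, which is the safe direction, but it should be written down so nobody relaxes it later; I would put `/* Keep bits below GMP's mpz_realloc overflow abort; intentionally conservative (limb-count limit applied to a bit count). */` above the `#if`. The same bound is what keeps the `(mp_bitcnt_t)bits` cast on the `mpz_urandomb` call from truncating, so the comment should say that too. On 64-bit builds a value near `INT_MAX` still asks for roughly 256 MiB in a single call, and whether that is charged to the script's memory limit depends on allocator setup that is not visible in this hunk. The function body starts above the hunk.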
+++ b/ext/gmp/tests/gmp_random_bits.phpt
@@ -40,7 +40,7 @@ while (1) {
 echo "Done\n";
 ?>
---EXPECT--
-gmp_random_bits(): Argument #1 ($bits) must be greater than or equal to 1
-gmp_random_bits(): Argument #1 ($bits) must be greater than or equal to 1
+--EXPECTF--
+gmp_random_bits(): Argument #1 ($bits) must be between 1 and %d
+gmp_random_bits(): Argument #1 ($bits) must be between 1 and %d
 Done