Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)

Author: dstogov

NEWS

@@ -6,6 +6,7 @@ PHP                                                                        NEWS
     though the class has none). (Felipe)
 
 - Core
+  . Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption). (Dmitry)
   . Fixed bug #53727 (Inconsistent behavior of is_subclass_of with interfaces)
     (Ralph Schindler, Dmitry)
   . Fixed buffer overflow on overlog salt in crypt(). (Clément LECIGNE, Stas)

ext/standard/tests/strings/bug54332.phpt

@@ -0,0 +1,8 @@
+--TEST--
+Bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
+--FILE--
+<?php
+echo number_format(1e300, 2006, '', ' ') . "\n";
+?>
+--EXPECT--
+1 000 000 000 000 000 052 504 760 255 204 420 248 704 468 581 108 159 154 915 854 115 511 802 457 988 908 195 786 371 375 080 447 864 043 704 443 832 883 878 176 942 523 235 360 430 575 644 792 184 786 706 982 848 387 200 926 575 803 737 830 233 794 788 090 059 368 953 234 970 799 945 081 119 038 967 640 880 074 652 742 780 142 494 579 258 788 820 056 842 838 115 669 472 196 386 865 459 400 540 16000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

main/snprintf.c

@@ -497,8 +497,11 @@ char * ap_php_conv_p2(register u_wide_int num, register int nbits, char format,
  * NUM_BUF_SIZE is the size of the buffer used for arithmetic conversions
  *
  * XXX: this is a magic number; do not decrease it
+ * Emax = 1023
+ * NDIG = 320
+ * NUM_BUF_SIZE >= strlen("-") + Emax + strlrn(".") + NDIG + strlen("E+1023") + 1;
  */
-#define NUM_BUF_SIZE		512
+#define NUM_BUF_SIZE		2048
 
 
 /*

main/spprintf.c

@@ -119,8 +119,11 @@
  * NUM_BUF_SIZE is the size of the buffer used for arithmetic conversions
  *
  * XXX: this is a magic number; do not decrease it
+ * Emax = 1023
+ * NDIG = 320
+ * NUM_BUF_SIZE >= strlen("-") + Emax + strlrn(".") + NDIG + strlen("E+1023") + 1;
  */
-#define NUM_BUF_SIZE    512
+#define NUM_BUF_SIZE    2048
 
 /*
  * The INS_CHAR macro inserts a character in the buffer.