php / php-src

The PHP Interpreter
https://www.php.net

Segmentation fault (index oob) in ext/bcmath/libbcmath/src/convert.c:155 #16265

Open YuanchengJiang opened 2 weeks ago

YuanchengJiang commented 2 weeks ago

Description

The following code:

<?php
$variation_array = array(
'float -12.3456789000e10' => -12.3456789000e10,
);
$fusion = $variation_array;
require(__DIR__ . "/run_bcmath_tests_function.inc");
$dividends = ["15", "-15", "1", "-9", "14.14", "-16.60", "0.15", "-0.01"];
run_bcmath_tests($dividends, $fusion, "/", bcdiv(...));

Resulted in this output:

/php-src/ext/bcmath/libbcmath/src/convert.c:155:68: runtime error: index 8791595 out of bounds for type 'const unsigned char[100]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /php-src/ext/bcmath/libbcmath/src/convert.c:155:68

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04

nielsdos commented 2 weeks ago

Likely same root cause as https://github.com/php/php-src/issues/16262

cmb69 commented 2 weeks ago

Simplified reproducer:

bcdiv("-0.01", -12.3456789000e10, 9);

nielsdos commented 2 weeks ago

No, slightly different cause than #16262. The problem here is that quot_real_arr_size is 0, so the loop for (i = 0; i < quot_real_arr_size - 1; i++) { goes OOB. However, the loop must write bytes because otherwise the numbers in bc_num are uninitialized.
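An added illustration of the loop-bound problem nielsdos describes, not php-src's own code: it assumes quot_real_arr_size is an unsigned size_t (so subtracting 1 from 0 wraps to SIZE_MAX), models the unguarded loop by counting the stores it would attempt instead of dereferencing memory, and sets one guarded shape beside it that still writes every digit slot. The function names, the 16-byte buffer and the zero "digit" value are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of the loop in the comment above (not php-src code). With an
 * unsigned size, a quot_real_arr_size of 0 makes `quot_real_arr_size - 1`
 * wrap to SIZE_MAX. Instead of storing through a pointer, this counts the
 * stores the loop would attempt against the caller's real buffer capacity.
 * Returns 1 if every store stays in bounds, 0 at the first one that would not. */
int model_unguarded_loop(size_t quot_real_arr_size, size_t buf_cap, size_t *attempted)
{
    size_t i, stores = 0;
    for (i = 0; i < quot_real_arr_size - 1; i++) {
        stores++;
        if (i >= buf_cap) {         /* this store would land out of bounds */
            *attempted = stores;
            return 0;
        }
    }
    *attempted = stores;
    return 1;
}

/* Guarded form (one possible shape, not the project's actual fix): the
 * zero-length case is rejected before the subtraction, while every slot of a
 * non-empty array is still written, so the digits are never left
 * uninitialized, which is the constraint the comment points out. */
size_t fill_quotient_digits(unsigned char *digits, size_t digits_cap, size_t quot_real_arr_size)
{
    size_t i;
    if (quot_real_arr_size == 0 || quot_real_arr_size > digits_cap) {
        return 0;                   /* nothing to write, or it would not fit */
    }
    for (i = 0; i < quot_real_arr_size - 1; i++) {
        digits[i] = 0;              /* stand-in for the real digit computation */
    }
    digits[quot_real_arr_size - 1] = 0;  /* the slot the original loop leaves for later */
    return quot_real_arr_size;
}

int main(void)
{
    size_t attempted;
    unsigned char digits[16];       /* constructed buffer, far smaller than SIZE_MAX */
    printf("unguarded, size 0: in_bounds=%d after %zu attempted stores\n",
           model_unguarded_loop(0, sizeof digits, &attempted), attempted);
    printf("guarded, size 0: wrote %zu digits\n",
           fill_quotient_digits(digits, sizeof digits, 0));
    return 0;
}
```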