gmp_export() can cause overflow #16411

YuanchengJiang · 2024-10-13T13:53:34Z

Description

The following code:

<?php
gmp_export(-9223372036854775808, 9223372036854775807, -9223372036854775808);

Resulted in this output:

/php-src/ext/gmp/gmp.c:1015:31: runtime error: signed integer overflow: 9223372036854775807 * 8 cannot be represented in type 'long'

PHP Version

nightly

Operating System

ubuntu 22.04

The text was updated successfully, but these errors were encountered:

cmb69 · 2024-10-13T14:48:36Z

 ext/gmp/gmp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ext/gmp/gmp.c b/ext/gmp/gmp.c
index 04bfafe869..bbea70225e 100644
--- a/ext/gmp/gmp.c
+++ b/ext/gmp/gmp.c
@@ -920,9 +920,9 @@ ZEND_FUNCTION(gmp_init)
 
 static bool gmp_import_export_validate(zend_long size, zend_long options, int *order, int *endian)
 {
-	if (size < 1) {
+	if (size < 1 || size > ZEND_LONG_MAX / 4) {
 		/* size argument is in second position */
-		zend_argument_value_error(2, "must be greater than or equal to 1");
+		zend_argument_value_error(2, "must be greater than or equal to 1 and less than or equal to " ZEND_LONG_FMT, ZEND_LONG_MAX / 4);
 		return false;
 	}
 
@@ -1012,7 +1012,7 @@ ZEND_FUNCTION(gmp_export)
 	if (mpz_sgn(gmpnumber) == 0) {
 		RETVAL_EMPTY_STRING();
 	} else {
-		size_t bits_per_word = size * 8;
+		size_t bits_per_word = (size_t) size * 8;
 		size_t count = (mpz_sizeinbase(gmpnumber, 2) + bits_per_word - 1) / bits_per_word;
 
 		zend_string *out_string = zend_string_safe_alloc(count, size, 0, 0);

would prevent this overflow, but still an unexpected unsigned overflow would occur on the next line, so size needs to be smaller than ZEND_LONG_MAX/4.

nielsdos · 2024-10-13T15:56:11Z

@cmb69 Feel free to make a PR, although I don't understand yet how you arrived at ZEND_LONG_MAX/4.

cmb69 · 2024-10-13T16:05:27Z

Would need to divide by 8, but since size is signed, we can double to fit into unsigned; thus divide by 4.

However, as I said, that value may still be to large for

php-src/ext/gmp/gmp.c

Line 1016 in 79c71c9

    
           size_t count = (mpz_sizeinbase(gmpnumber, 2) + bits_per_word - 1) / bits_per_word;

Would probably need another check here.

nielsdos · 2024-10-13T16:10:04Z

Right that makes sense indeed

We need not only to avoid the signed overflow while calculating `bits_per_word` (reported issue), but also the unsigned overflow when calculating `count`. While the former has a fixed threshold, the latter does not, since it also depends on the size in base 2. Thus we use a somewhat unconventional error message.

* PHP-8.2: Fix GH-16411: gmp_export() can cause overflow

* PHP-8.3: Fix GH-16411: gmp_export() can cause overflow

* PHP-8.4: Fix GH-16411: gmp_export() can cause overflow

YuanchengJiang added Bug Status: Needs Triage labels Oct 13, 2024

nielsdos added Extension: gmp Status: Verified and removed Status: Needs Triage labels Oct 13, 2024

cmb69 self-assigned this Oct 13, 2024

cmb69 changed the title ~~Signed integer overflow in ext/gmp/gmp.c~~ gmp_export() can cause overflow Oct 13, 2024

cmb69 linked a pull request Oct 13, 2024 that will close this issue

Fix GH-16411: gmp_export() can cause overflow #16418

Closed

cmb69 added a commit that referenced this issue Oct 15, 2024

Merge branch 'PHP-8.2' into PHP-8.3

ea6f78e

* PHP-8.2: Fix GH-16411: gmp_export() can cause overflow

cmb69 closed this as completed in ab595c0 Oct 15, 2024

cmb69 added a commit that referenced this issue Oct 15, 2024

Merge branch 'PHP-8.3' into PHP-8.4

b1fbdd8

* PHP-8.3: Fix GH-16411: gmp_export() can cause overflow

cmb69 added a commit that referenced this issue Oct 15, 2024

Merge branch 'PHP-8.4'

dbdcc95

* PHP-8.4: Fix GH-16411: gmp_export() can cause overflow

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

gmp_export() can cause overflow #16411

gmp_export() can cause overflow #16411

gmp_export() can cause overflow #16411

gmp_export() can cause overflow #16411

Comments

Description

PHP Version

Operating System