Fix GH-19898: ubsan crash with zend_strtod()

devnexen · devnexen · commit 47997d943afb · 2025-09-20T19:34:28.000+01:00
When parsing the most significant numbers from a string, it can overflow
with large inputs with the number of digits in this case we exit from
the loop.
diff --git a/Zend/zend_strtod.c b/Zend/zend_strtod.c
@@ -2606,7 +2606,7 @@ zend_strtod
 		}
 	s0 = s;
 	y = z = 0;
-	for(nd = nf = 0; (c = *s) >= '0' && c <= '9'; nd++, s++)
+	for(nd = nf = 0; (c = *s) >= '0' && c <= '9' && nd < INT_MAX; nd++, s++)
 		if (nd < 9)
 			y = 10*y + c - '0';
 		else if (nd < DBL_DIG + 2)

Original file line number	Diff line number	Diff line change
`@@ -2606,7 +2606,7 @@ zend_strtod`
`2606`	`2606`	`}`
`2607`	`2607`	`s0 = s;`
`2608`	`2608`	`y = z = 0;`
`2609`		`- for(nd = nf = 0; (c = *s) >= '0' && c <= '9'; nd++, s++)`
	`2609`	`+ for(nd = nf = 0; (c = *s) >= '0' && c <= '9' && nd < INT_MAX; nd++, s++)`
`2610`	`2610`	`if (nd < 9)`
`2611`	`2611`	`y = 10*y + c - '0';`
`2612`	`2612`	`else if (nd < DBL_DIG + 2)`