Fix GH-16870: gmp_pow(64, 11) throws overflow exception #16884
Next
Next commit
Fix GH-16870: gmp_pow(64, 11) throws overflow exception
The current guard to prevent FPEs is way too restrictive; `64 ** 11` is a perfectly reasonable operation. Instead, we now estimate the number of bytes of the resulting GMP (assuming that numbers are stored base 256 encoded), and fail if that exceeds a given threshold. The chosen threshold is somewhat arbitrary. We also ensure that we do not prematurely convert a given non int base to an int to avoid overflow which could circumvent our early check.
- Loading branch information
commit d5ed93b1186d33f261b40189c7932863a4ee3c12
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| --TEST-- | ||
| GH-16870 (gmp_pow(64, 11) throws overflow exception) | ||
| --EXTENSIONS-- | ||
| gmp | ||
| --FILE-- | ||
| <?php | ||
| var_dump((string) gmp_pow(64, 11)); | ||
| try { | ||
| gmp_pow("18446744073709551616", 0x7fffffff); | ||
| } catch (ValueError $e) { | ||
| echo $e->getMessage(), "\n"; | ||
| } | ||
| ?> | ||
| --EXPECT-- | ||
| string(20) "73786976294838206464" | ||
| base and exponent overflow |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't we just care if it can be "allocated reasonably" ?
Which is actually somewhat described in section 5.14 of the GMP manual (
mpz_export)Wonder if we shouldn't use a heuristic based on that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is basically what is already happening in this patch. The difference is that I'm counting bytes, not bits. The logic is to estimate the number of bytes the result would have, and if this is greater than some threshold (
powmaxis badly named; should be rathermax_size_in_bytesor so), trigger a value error.mpz_sizeinbase()is only used in the else branch, because if the input is azend_long, that wouldn't work. So I'm calculatinglog256(base_arg) * expinstead.I'll update to counting bytes.