diff --git a/Zend/tests/bug77738.phpt b/Zend/tests/bug77738.phpt new file mode 100644 index 00000000000..e3a453c4055 --- /dev/null +++ b/Zend/tests/bug77738.phpt @@ -0,0 +1,8 @@ +--TEST-- +Bug #77738 (Nullptr deref in zend_compile_expr) +--FILE-- +attr != ZEND_NAME_RELATIVE && zend_string_equals_literal(orig_name, "__COMPILER_HALT_OFFSET__"))) { zend_ast *last = CG(ast); - while (last->kind == ZEND_AST_STMT_LIST) { + while (last && last->kind == ZEND_AST_STMT_LIST) { zend_ast_list *list = zend_ast_get_list(last); last = list->child[list->children-1]; } - if (last->kind == ZEND_AST_HALT_COMPILER) { + if (last && last->kind == ZEND_AST_HALT_COMPILER) { result->op_type = IS_CONST; ZVAL_LONG(&result->u.constant, Z_LVAL_P(zend_ast_get_zval(last->child[0]))); zend_string_release_ex(resolved_name, 0); diff --git a/ext/bcmath/libbcmath/src/num2long.c b/ext/bcmath/libbcmath/src/num2long.c index 3974dcf286a..9b6c0d6e8bc 100644 --- a/ext/bcmath/libbcmath/src/num2long.c +++ b/ext/bcmath/libbcmath/src/num2long.c @@ -53,12 +53,19 @@ bc_num2long (num) /* Extract the int value, ignore the fraction. */ val = 0; nptr = num->n_value; - for (index=num->n_len; (index>0) && (val<=(LONG_MAX/BASE)); index--) - val = val*BASE + *nptr++; + for (index = num->n_len; index > 0; index--) { + char n = *nptr++; - /* Check for overflow. If overflow, return zero. */ - if (index>0) val = 0; - if (val < 0) val = 0; + if (val > LONG_MAX/BASE) { + return 0; + } + val *= BASE; + + if (val > LONG_MAX - n) { + return 0; + } + val += n; + } /* Return the value. */ if (num->n_sign == PLUS)