php/CVE-2019-11046.patch

From eb23c6008753b1cdc5359dead3a096dce46c9018 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Sat, 30 Nov 2019 12:26:37 +0100
Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub

We must not rely on `isdigit()` to detect digits, since we only support
decimal ASCII digits in the following processing.
---
 ext/bcmath/libbcmath/src/str2num.c |  4 ++--
 ext/bcmath/tests/bug78878.phpt     | 13 +++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 ext/bcmath/tests/bug78878.phpt

diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c
index f38d341570..03aec15930 100644
--- a/ext/bcmath/libbcmath/src/str2num.c
+++ b/ext/bcmath/libbcmath/src/str2num.c
@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale)
   zero_int = FALSE;
   if ( (*ptr == '+') || (*ptr == '-'))  ptr++;  /* Sign */
   while (*ptr == '0') ptr++;			/* Skip leading zeros. */
-  while (isdigit((int)*ptr)) ptr++, digits++;	/* digits */
+  while (*ptr >= '0' && *ptr <= '9') ptr++, digits++;	/* digits */
   if (*ptr == '.') ptr++;			/* decimal point */
-  while (isdigit((int)*ptr)) ptr++, strscale++;	/* digits */
+  while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++;	/* digits */
   if ((*ptr != '\0') || (digits+strscale == 0))
     {
       *num = bc_copy_num (BCG(_zero_));
diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
new file mode 100644
index 0000000000..2c9d72b946
--- /dev/null
+++ b/ext/bcmath/tests/bug78878.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #78878 (Buffer underflow in bc_shift_addsub)
+--SKIPIF--
+<?php
+if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
+?>
+--FILE--
+<?php
+print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
+?>
+--EXPECT--
+bc math warning: non-zero scale in modulus
+0
-- 
2.19.1