Merge branch 'PHP-8.4' into PHP-8.5

* PHP-8.4:
  ext/bcmath: bounds-check $precision in bcround() and Number::round() (php#22182)

Author: SakiTakamachi

NEWS

@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.5.8
 
+- BCMath:
+  . Fixed issues with oversized allocations and signed overflow in bcround()
+    and BcMath\Number::round(). (edorian)
+
 - GD:
   . Fixed bug GH-22121 (Double free in gdImageSetStyle() after
     overflow-triggered early return). (iliaal)

UPGRADING

@@ -597,6 +597,10 @@ PHP 8.5 UPGRADE NOTES
 5. Changed Functions
 ========================================
 
+- BCMath:
+  . bcround() and BcMath\Number::round() now throw a ValueError when the precision
+    argument is out of range.
+
 - Intl:
   . IntlDateFormatter::setTimeZone()/datefmt_set_timezone()
     throws an IntlException on uninitialised classes/clone failures.

ext/bcmath/bcmath.c

@@ -157,6 +157,16 @@ static zend_always_inline zend_result bcmath_check_scale(zend_long scale, uint32
 	return SUCCESS;
 }
 
+static zend_result bcmath_check_precision(zend_long precision, uint32_t arg_num)
+{
+	if (ZEND_LONG_INT_OVFL(precision)) {
+		zend_argument_value_error(arg_num, "must be between " ZEND_LONG_FMT " and %d",
+			(zend_long) ZEND_LONG_MIN, INT_MAX);
+		return FAILURE;
+	}
+	return SUCCESS;
+}
+
 static void php_long2num(bc_num *num, zend_long lval)
 {
 	*num = bc_long2num(lval);
@@ -798,6 +808,10 @@ PHP_FUNCTION(bcround)
 		Z_PARAM_OBJ_OF_CLASS(mode_object, rounding_mode_ce)
 	ZEND_PARSE_PARAMETERS_END();
 
+	if (bcmath_check_precision(precision, 2) == FAILURE) {
+		RETURN_THROWS();
+	}
+
 	if (mode_object != NULL) {
 		mode = php_math_round_mode_from_enum(mode_object);
 	}
@@ -1805,6 +1819,10 @@ PHP_METHOD(BcMath_Number, round)
 		Z_PARAM_OBJ_OF_CLASS(mode_object, rounding_mode_ce);
 	ZEND_PARSE_PARAMETERS_END();
 
+	if (bcmath_check_precision(precision, 1) == FAILURE) {
+		RETURN_THROWS();
+	}
+
 	if (mode_object != NULL) {
 		rounding_mode = php_math_round_mode_from_enum(mode_object);
 	}

ext/bcmath/libbcmath/src/round.c

@@ -71,12 +71,10 @@ size_t bc_round(bc_num num, zend_long precision, zend_long mode, bc_num *result)
 			return 0;
 		}
 
-		/* If precision is -3, it becomes 1000. */
-		if (UNEXPECTED(precision == ZEND_LONG_MIN)) {
-			*result = bc_new_num((size_t) ZEND_LONG_MAX + 2, 0);
-		} else {
-			*result = bc_new_num(-precision + 1, 0);
-		}
+		/* If precision is -3, it becomes 1000. Negate in unsigned space so
+		 * precision == ZEND_LONG_MIN doesn't overflow signed long. */
+		zend_ulong magnitude = -(zend_ulong) precision;
+		*result = bc_new_num((size_t) magnitude + 1, 0);
 		(*result)->n_value[0] = 1;
 		(*result)->n_sign = num->n_sign;
 		return 0;

ext/bcmath/tests/bcround_precision_bounds.phpt

@@ -0,0 +1,28 @@
+--TEST--
+bcround() and BcMath\Number::round() reject $precision above INT_MAX
+--EXTENSIONS--
+bcmath
+--SKIPIF--
+<?php if (PHP_INT_SIZE != 8) die("skip: 64-bit only"); ?>
+--FILE--
+<?php
+try {
+    bcround('1', PHP_INT_MAX);
+} catch (\ValueError $e) {
+    echo $e->getMessage() . \PHP_EOL;
+}
+try {
+    (new BcMath\Number('1'))->round(PHP_INT_MAX);
+} catch (\ValueError $e) {
+    echo $e->getMessage() . \PHP_EOL;
+}
+try {
+    (new BcMath\Number('1'))->round(2147483648); // INT_MAX + 1
+} catch (\ValueError $e) {
+    echo $e->getMessage() . \PHP_EOL;
+}
+?>
+--EXPECTF--
+bcround(): Argument #2 ($precision) must be between %i and %d
+BcMath\Number::round(): Argument #1 ($precision) must be between %i and %d
+BcMath\Number::round(): Argument #1 ($precision) must be between %i and %d