ext/gmp: Reject too-large inputs in gmp_fact() to avoid overflow

Fixes GH-16878

Author: khaledalam

ext/gmp/gmp.c

@@ -1276,6 +1276,7 @@ ZEND_FUNCTION(gmp_fact)
 {
 	zval *a_arg;
 	mpz_ptr gmpnum_result;
+	zend_long num_long;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "z", &a_arg) == FAILURE){
 		RETURN_THROWS();
@@ -1286,21 +1287,36 @@ ZEND_FUNCTION(gmp_fact)
 			zend_argument_value_error(1, "must be greater than or equal to 0");
 			RETURN_THROWS();
 		}
+		num_long = Z_LVAL_P(a_arg);
 	} else {
 		mpz_ptr gmpnum;
 		gmp_temp_t temp_a;
 
 		FETCH_GMP_ZVAL(gmpnum, a_arg, temp_a, 1);
-		FREE_GMP_TEMP(temp_a);
 
 		if (mpz_sgn(gmpnum) < 0) {
+			FREE_GMP_TEMP(temp_a);
 			zend_argument_value_error(1, "must be greater than or equal to 0");
 			RETURN_THROWS();
 		}
+
+		if (!mpz_fits_ulong_p(gmpnum)) {
+			FREE_GMP_TEMP(temp_a);
+			zend_argument_value_error(1, "is too large");
+			RETURN_THROWS();
+		}
+
+		num_long = (zend_long) mpz_get_ui(gmpnum);
+		FREE_GMP_TEMP(temp_a);
+	}
+
+	if (num_long > 100000) {
+		zend_argument_value_error(1, "is too large");
+		RETURN_THROWS();
 	}
 
 	INIT_GMP_RETVAL(gmpnum_result);
-	mpz_fac_ui(gmpnum_result, zval_get_long(a_arg));
+	mpz_fac_ui(gmpnum_result, (unsigned long) num_long);
 }
 /* }}} */
 

ext/gmp/tests/gh16878.phpt

@@ -0,0 +1,58 @@
+--TEST--
+GH-16878: Core dump when gmp_fact allocates huge memory
+--EXTENSIONS--
+gmp
+--FILE--
+<?php
+echo "Test 1: Factorial of 2^50 + 1\n";
+try {
+    $value = 2**50 + 1;
+    echo "Calculating factorial of: $value\n";
+    $result = gmp_fact($value);
+    echo "Result: " . gmp_strval($result) . "\n";
+} catch (\ValueError $e) {
+    echo "ValueError: " . $e->getMessage() . "\n";
+} catch (\Error $e) {
+    echo "Error: " . $e->getMessage() . "\n";
+}
+
+echo "\nTest 2: Another large value\n";
+try {
+    $value = 1000000000000;  // 1 trillion
+    echo "Calculating factorial of: $value\n";
+    $result = gmp_fact($value);
+    echo "Result: " . gmp_strval($result) . "\n";
+} catch (\ValueError $e) {
+    echo "ValueError: " . $e->getMessage() . "\n";
+} catch (\Error $e) {
+    echo "Error: " . $e->getMessage() . "\n";
+}
+
+echo "\nTest 3: Moderately large value that should work\n";
+try {
+    $value = 100;
+    echo "Calculating factorial of: $value\n";
+    $result = gmp_fact($value);
+    echo "Result length: " . strlen(gmp_strval($result)) . " digits\n";
+} catch (\ValueError $e) {
+    echo "ValueError: " . $e->getMessage() . "\n";
+} catch (\Error $e) {
+    echo "Error: " . $e->getMessage() . "\n";
+}
+
+echo "\nDone\n";
+?>
+--EXPECTF--
+Test 1: Factorial of 2^50 + 1
+Calculating factorial of: 1125899906842625
+ValueError: %s
+
+Test 2: Another large value
+Calculating factorial of: 1000000000000
+ValueError: %s
+
+Test 3: Moderately large value that should work
+Calculating factorial of: 100
+Result length: 158 digits
+
+Done