From fc9982062527b1a58206d826449273dd2bd850cf Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Tue, 17 Dec 2019 10:46:45 +0100
Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub

We must not rely on `isdigit()` to detect digits, since we only support decimal ASCII digits in the following processing.

(cherry picked from commit eb23c6008753b1cdc5359dead3a096dce46c9018)
---
 NEWS | 6 ++++++
 ext/bcmath/libbcmath/src/str2num.c | 4 ++--
 ext/bcmath/tests/bug78878.phpt | 13 +++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 ext/bcmath/tests/bug78878.phpt

diff --git a/NEWS b/NEWS
index 0fd96d0c91..ec0247e1f1 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,12 @@
 PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
+Backported from 7.2.26
+
+- Bcmath:
+ . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046).
+ (cmb)
+
 24 Oct 2019, PHP 7.1.33
 
 - FPM:
diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c
index f38d341570..03aec15930 100644
--- a/ext/bcmath/libbcmath/src/str2num.c
+++ b/ext/bcmath/libbcmath/src/str2num.c
@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale)
 zero_int = FALSE;
 if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */
 while (*ptr == '0') ptr++; /* Skip leading zeros. */
- while (isdigit((int)*ptr)) ptr++, digits++; /* digits */
+ while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */
 if (*ptr == '.') ptr++; /* decimal point */
- while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */
+ while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */
 if ((*ptr != '\0') || (digits+strscale == 0))
 {
 *num = bc_copy_num (BCG(_zero_));
diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
new file mode 100644
index 0000000000..2c9d72b946
--- /dev/null
+++ b/ext/bcmath/tests/bug78878.phpt
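Review bot: The two rewritten `while` loops in bc_str2num now carry the same literal range test `*ptr >= '0' && *ptr <= '9'` with no comment saying why the classification was changed, so a later cleanup could plausibly "modernize" it back to `isdigit()` and reopen the underflow. One hoisted, commented helper keeps both scans in step and records the reason: `/* ASCII '0'..'9' only: the processing that follows supports no other digits (see #78878), and isdigit() on a char that is negative on signed-char platforms is undefined (CERT STR37-C). */`, `#define IS_ASCII_DIGIT(c) ((c) >= '0' && (c) <= '9')`, then `while (IS_ASCII_DIGIT(*ptr)) ptr++, digits++;` and likewise for the strscale loop. The body of bc_str2num, including the digit processing the commit message refers to, continues outside the hunk, so whether other scanners in libbcmath still use the `isdigit((int)*ptr)` pattern cannot be checked from here and is worth a grep before the backport is closed.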
@@ -0,0 +1,13 @@
+--TEST--
+Bug #78878 (Buffer underflow in bc_shift_addsub)
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+bc math warning: non-zero scale in modulus
+0