Power of 0 of BcMath number causes UB

[chongwick]

Description

The following code:

<?php
function trace($v_1445,$v_1446,)
{
$v_1445 = $v_1445;
$v_1446 = $v_1446;
$v_1447 = define($v_1445,$v_1446,);
$v_1448 = "define $v_1445 ";
$v_1449 = $r ? "succeeded" : "failed";
$v_1450 = $v_1448 . $v_1449;
$v_1451 = defined($v_1445,);
if($v_1451){
$v_1453 = '; value is >';
$v_1454 = constant($v_1445,);
$v_1455 = $v_1453 . $v_1454;
$v_1456 = '<\n';
$v_1457 = $v_1455 . $v_1456;
}
else{
$v_1452 = '; not defined\n';
}
}
function foo($v_1549,)
{
$v_1549 = $v_1549;
return $v_1549;
}
$v_1540 = $value1;
$v_1547 = (string)($v_1540);
$v_1543 = $value2;
$v_1548 = new BcMath\Number($v_1543,);
$v_1549 = $v_1547 * $v_1548;
$v_324 = gmp_init($v_1549,);
$v_1541 = new BcMath\Number($v_1540,);
$v_1545 = (string)($v_1543);
$v_1546 = $v_1541 * $v_1545;
$v_323 = 2;
$v_326 = pow($v_1546,$v_323,);

Resulted in this output:

/home/w023dtc/nightly_php/php-src/ext/bcmath/libbcmath/src/rmzero.c:50:11: runtime error: member access within null pointer of type 'struct bc_struct'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/w023dtc/nightly_php/php-src/ext/bcmath/libbcmath/src/rmzero.c:50:11

PHP Version

nightly

Operating System

ubuntu 22.04

[chongwick]

#16236?

[ndossche]

Warning: Undefined variable $value1 in /home/niels/php-src/x.php on line 27

Warning: Undefined variable $value2 in /home/niels/php-src/x.php on line 29

Deprecated: BcMath\Number::__construct(): Passing null to parameter #1 ($num) of type string|int is deprecated in /home/niels/php-src/x.php on line 30

Deprecated: BcMath\Number::__construct(): Passing null to parameter #1 ($num) of type string|int is deprecated in /home/niels/php-src/x.php on line 33
/home/niels/php-src/ext/bcmath/libbcmath/src/rmzero.c:50:9: runtime error: member access within null pointer of type 'struct bc_struct'
    #0 0x5589e272343b in bc_rm_trailing_zeros /home/niels/php-src/ext/bcmath/libbcmath/src/rmzero.c:50
    #1 0x5589e2703686 in bcmath_number_pow_internal /home/niels/php-src/ext/bcmath/bcmath.c:1179
    #2 0x5589e27049e3 in bcmath_number_do_operation /home/niels/php-src/ext/bcmath/bcmath.c:1310
    #3 0x5589e48387b2 in pow_function /home/niels/php-src/Zend/zend_operators.c:1423
    #4 0x5589e3aa1954 in zif_pow /home/niels/php-src/ext/standard/math.c:604
    #5 0x5589e432997b in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/niels/php-src/Zend/zend_vm_execute.h:1421
    #6 0x5589e460918f in execute_ex /home/niels/php-src/Zend/zend_vm_execute.h:115951
    #7 0x5589e46282c7 in zend_execute /home/niels/php-src/Zend/zend_vm_execute.h:121434
    #8 0x5589e48bf916 in zend_execute_script /home/niels/php-src/Zend/zend.c:1977
    #9 0x5589e3d77c8d in php_execute_script_ex /home/niels/php-src/main/main.c:2640
    #10 0x5589e3d78220 in php_execute_script /home/niels/php-src/main/main.c:2680
    #11 0x5589e48c88bb in do_cli /home/niels/php-src/sapi/cli/php_cli.c:951
    #12 0x5589e48cc5cb in main /home/niels/php-src/sapi/cli/php_cli.c:1362
    #13 0x7f0a0d827674  (/usr/lib/libc.so.6+0x27674) (BuildId: 4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)
    #14 0x7f0a0d827728 in __libc_start_main (/usr/lib/libc.so.6+0x27728) (BuildId: 4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)
    #15 0x5589e22044b4 in _start (/home/niels/php-src/sapi/cli/php+0x38044b4) (BuildId: 53e9c40c58cd6b5ff6deccddd9f2e9339c68b803)

[ndossche]

Reduced to:

<?php
$n = new BcMath\Number("0");
pow($n, 2); // or $n**2