ext/gmp: Fix crash in gmp_pow with excessively large exponent

Author: arshidkv12

ext/gmp/gmp.c

@@ -1126,14 +1126,22 @@ ZEND_FUNCTION(gmp_pow)
 	mpz_ptr gmpnum_result;
 	mpz_ptr gmpnum_base;
 	zend_long exp;
+	size_t bits;
 
 	ZEND_PARSE_PARAMETERS_START(2, 2)
 		GMP_Z_PARAM_INTO_MPZ_PTR(gmpnum_base)
 		Z_PARAM_LONG(exp)
 	ZEND_PARSE_PARAMETERS_END();
 
-	if (exp < 0 || exp > GMP_POW_MAX_EXP) {
-		zend_argument_value_error(2, "must be between 0 and %lu", GMP_POW_MAX_EXP);
+	if (exp < 0) {
+		zend_argument_value_error(2, "must be greater than or equal to 0");
+		RETURN_THROWS();
+	}
+	
+	bits = mpz_sizeinbase(gmpnum_base, 2);
+
+	if (exp < 0 || exp > (SIZE_MAX - 5) / bits) {
+		zend_argument_value_error(2, "results in a value that exceeds the supported size");
 		RETURN_THROWS();
 	}
 

ext/gmp/tests/gh22351.phpt

@@ -18,5 +18,5 @@ echo "Done\n";
 ?>
 --EXPECTF--
 Testing gmp_pow overflow safety
-ValueError: gmp_pow(): Argument #2 ($exponent) must be between 0 and 1000000
+ValueError: gmp_pow(): Argument #2 ($exponent) results in a value that exceeds the supported size
 Done

ext/gmp/tests/gmp_pow.phpt

@@ -49,11 +49,11 @@ string(4) "1024"
 string(5) "-2048"
 string(4) "1024"
 string(1) "1"
-gmp_pow(): Argument #2 ($exponent) must be between 0 and %d
+gmp_pow(): Argument #2 ($exponent) must be greater than or equal to 0
 string(4) "1024"
 string(14) "10240000000000"
 string(17) "97656250000000000"
-gmp_pow(): Argument #2 ($exponent) must be between 0 and %d
+gmp_pow(): Argument #2 ($exponent) must be greater than or equal to 0
 string(14) "10240000000000"
 string(14) "10240000000000"
 gmp_pow(): Argument #2 ($exponent) must be of type int, array given