Fix GH-20006: Power of 0 of BcMath number causes UB

ndossche · ndossche · commit a380dcae4dfe · 2025-09-30T14:47:35.000+02:00
Closes GH-20007.
diff --git a/NEWS b/NEWS
@@ -5,6 +5,9 @@ PHP                                                                        NEWS
 - Core:
   . Fix OSS-Fuzz #447521098 (Fatal error during sccp shift eval). (ilutov)
 
+- BcMath:
+  . Fixed bug GH-20006 (Power of 0 of BcMath number causes UB). (nielsdos)
+
 - Opcache:
   . Fixed segfault in function JIT due to NAN to bool warning. (Girgias)
 
diff --git a/ext/bcmath/libbcmath/src/raise.c b/ext/bcmath/libbcmath/src/raise.c
@@ -193,7 +193,12 @@ bc_raise_status bc_raise(bc_num base, long exponent, bc_num *result, size_t scal
 
 	if (bc_is_zero(base)) {
 		/* If the exponent is negative, it divides by 0 */
-		return is_neg ? BC_RAISE_STATUS_DIVIDE_BY_ZERO : BC_RAISE_STATUS_OK;
+		if (is_neg) {
+			return BC_RAISE_STATUS_DIVIDE_BY_ZERO;
+		}
+		bc_free_num (result);
+		*result = bc_copy_num(BCG(_zero_));
+		return BC_RAISE_STATUS_OK;
 	}
 
 	/* check overflow */
diff --git a/ext/bcmath/tests/gh20006.phpt b/ext/bcmath/tests/gh20006.phpt
@@ -0,0 +1,16 @@
+--TEST--
+GH-20006 (Power of 0 of BcMath number causes crash)
+--EXTENSIONS--
+bcmath
+--FILE--
+<?php
+$n = new BcMath\Number("0");
+var_dump(pow($n, 2));
+?>
+--EXPECTF--
+object(BcMath\Number)#%d (2) {
+  ["value"]=>
+  string(1) "0"
+  ["scale"]=>
+  int(0)
+}
