Description

Fixes #16878

Problem

gmp_fact() was crashing with "GNU MP: Cannot allocate memory" abort when passed extremely large values (e.g., 2^50+1). The function calls mpz_fac_ui() which:

1. Accepts an unsigned long parameter
2. Can trigger massive memory allocations for large inputs, causing GMP to abort the process
3. Had a TODO comment acknowledging the missing validation

Before this fix:

gmp_fact(gmp_pow(2, 50) + 1);  // Aborted (core dumped)

Reference: https://3v4l.org/X428B

Solution

Added proper input validation in gmp_fact() before calling mpz_fac_ui():

1. Check if value fits in unsigned long: Uses mpz_fits_ulong_p() to ensure the GMP number can be safely converted
2. Add practical upper limit: Caps input at 100,000 to prevent excessive memory/CPU usage
3. Throw proper ValueError: Returns a clear error message instead of crashing

After this fix:

gmp_fact(gmp_pow(2, 50) + 1);  // ValueError: gmp_fact(): Argument #1 ($num) is too large

Changes Made

Modified:

• ext/gmp/gmp.c: Added validation logic replacing the TODO comment
  • Validates mpz_fits_ulong_p(gmpnum) to prevent truncation/overflow
  • Validates mpz_cmp_ui(gmpnum, 100000) > 0 to prevent excessive resource usage

Added:

• ext/gmp/tests/gh16878.phpt: Test case covering:
  • Very large values that previously crashed (2^50+1, 1 trillion)
  • Normal values that should work (100)

Why the 100,000 cap?

Factorial growth is astronomical:

• 100! = 158 digits
• 100,000! = ~456,574 digits
• Values beyond 100,000 can consume excessive memory and CPU
• The cap prevents accidental DoS-style usage while allowing practical computations
• Consistent with PHP's philosophy of having resource limits on expensive operations

Error Behavior