archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fixed bug #71535 (Integer overflow in zend_mm_alloc_heap())

Browse source
This commit is contained in:
Dmitry Stogov 2016-02-24 11:04:48 +03:00
parent 01e85f3fdc
commit 0b9c87a02b
2 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
NEWS
View file

@ -9,6 +9,7 @@ PHP NEWS
invoke C::$callable()). (Bob)
. Fixed bug #71596 (Segmentation fault on ZTS with date function
(setlocale)). (Anatol)
. Fixed bug #71535 (Integer overflow in zend_mm_alloc_heap()). (Dmitry)
- Phar:
. Fixed bug #71625 (Crash in php7.dll with bad phar filename).

4
Zend/zend_alloc.c
View file

@ -1353,6 +1353,10 @@ static zend_always_inline void *zend_mm_alloc_heap(zend_mm_heap *heap, size_t si
/* special handling for zero-size allocation */
size = MAX(size, 1);
size = ZEND_MM_ALIGNED_SIZE(size) + ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_debug_info));
if (UNEXPECTED(size < real_size)) {
zend_error_noreturn(E_ERROR, "Possible integer overflow in memory allocation (%zu + %zu)", ZEND_MM_ALIGNED_SIZE(real_size), ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_debug_info)));
return NULL;
}
#endif
if (size <= ZEND_MM_MAX_SMALL_SIZE) {
ptr = zend_mm_alloc_small(heap, size, ZEND_MM_SMALL_SIZE_TO_BIN(size) ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);