Fix #74604: Out of bounds in php_pcre_replace_impl

Trying to allocate a `zend_string` with a length only slightly smaller
than `SIZE_MAX` causes an integer overflow when the string header overhead
is added; we make sure that this doesn't happen by accounting for the
maximal overhead of a `zend_string` (`ZSTR_MAX_OVERHEAD`) in the
overflow-guarded size computations.

Closes GH-7597.
Christoph M. Becker 2021-11-29 15:48:41 +01:00
parent 31749aac62
commit 712fc54e85
3 changed files with 8 additions and 4 deletions


@ -1725,7 +1725,7 @@ matched:
}
if (new_len >= alloc_len) {
alloc_len = zend_safe_address_guarded(2, new_len, 0);
alloc_len = zend_safe_address_guarded(2, new_len, ZSTR_MAX_OVERHEAD) - ZSTR_MAX_OVERHEAD;
if (result == NULL) {
result = zend_string_alloc(alloc_len, 0);
} else {
@ -1961,9 +1961,9 @@ matched:
pcre2_get_mark(match_data), flags);
ZEND_ASSERT(eval_result);
new_len = zend_safe_address_guarded(1, ZSTR_LEN(eval_result), new_len);
new_len = zend_safe_address_guarded(1, ZSTR_LEN(eval_result) + ZSTR_MAX_OVERHEAD, new_len) -ZSTR_MAX_OVERHEAD;
if (new_len >= alloc_len) {
alloc_len = zend_safe_address_guarded(2, new_len, 0);
alloc_len = zend_safe_address_guarded(2, new_len, ZSTR_MAX_OVERHEAD) - ZSTR_MAX_OVERHEAD;
if (result == NULL) {
result = zend_string_alloc(alloc_len, 0);
} else {