diff --git a/NEWS b/NEWS
index 40a01fb4b63..277411332e5 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,7 @@ PHP NEWS
   . Fixed bug #72146 (Integer overflow on substr_replace). (cmb)
   . Fixed bug #81265 (getimagesize returns 0 for 256px ICO images). (George Dietrich)
+  . Fixed bug #74960 (Heap buffer overflow via str_repeat). (cmb, Dmitry)
 
 29 Jul 2021, PHP 7.4.22
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 596581270b0..031894755c8 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -1882,7 +1882,7 @@ ZEND_API int ZEND_FASTCALL concat_function(zval *result, zval *op1, zval *op2) /
 		size_t result_len = op1_len + op2_len;
 		zend_string *result_str;
 
-		if (UNEXPECTED(op1_len > SIZE_MAX - op2_len)) {
+		if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) {
 			zend_throw_error(NULL, "String size overflow");
 			zval_ptr_dtor_str(&op1_copy);
 			zval_ptr_dtor_str(&op2_copy);
diff --git a/Zend/zend_string.h b/Zend/zend_string.h
index 96169d9a277..d90d2e06d38 100644
--- a/Zend/zend_string.h
+++ b/Zend/zend_string.h
@@ -75,6 +75,8 @@ END_EXTERN_C()
 
 #define _ZSTR_STRUCT_SIZE(len) (_ZSTR_HEADER_SIZE + len + 1)
 
+#define ZSTR_MAX_LEN (SIZE_MAX - ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1))
+
 #define ZSTR_ALLOCA_ALLOC(str, _len, use_heap) do { \
 	(str) = (zend_string *)do_alloca(ZEND_MM_ALIGNED_SIZE_EX(_ZSTR_STRUCT_SIZE(_len), 8), (use_heap)); \
 	GC_SET_REFCOUNT(str, 1); \
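Review bot: The tightened guard in concat_function carries no explanation of why SIZE_MAX was the wrong bound, and the next maintainer comparing a length against SIZE_MAX elsewhere will not see the reason; the line deserves a comment such as `/* ZSTR_MAX_LEN, not SIZE_MAX: the allocation adds the zend_string header, the NUL and alignment padding (see _ZSTR_STRUCT_SIZE), so a sum just below SIZE_MAX still wraps when the string is allocated */`. The NEWS entry names str_repeat, but the hunks visible here touch only concat_function and the header, so the str_repeat check is presumably elsewhere in the diff; any other length guard in the tree still written as `x > SIZE_MAX - y` has the same gap and should move to ZSTR_MAX_LEN as well. `result_len` on the preceding line is still computed before the guard, which is defined for size_t but reads as if the sum were already trusted; moving the addition below the check would make the intent plainer. concat_function starts and ends outside the hunk.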
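Review bot: ZSTR_MAX_LEN is added without a comment stating what it bounds, and its correctness depends on a relationship with ZSTR_ALLOCA_ALLOC just below that is not obvious: the allocator rounds `_ZSTR_STRUCT_SIZE(_len)` up to 8 after adding the header and NUL, so the macro is only a safe ceiling if subtracting `ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1)` leaves no room for that final rounding to wrap; this appears to hold when _ZSTR_HEADER_SIZE is itself aligned, but the header does not say so. A comment above the define along the lines of `/* Largest len for which the zend_string allocation size (_ZSTR_STRUCT_SIZE(len), then aligned) cannot overflow size_t; every length check before allocating must use this, not SIZE_MAX */` would record both the contract and the reason callers in zend_operators.c were changed. If the project has a compile-time assertion facility, pinning the alignment assumption with it would keep a future change to the header layout from silently reopening the overflow; I have not confirmed such a facility is in scope in this header.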