Fix #74960: Heap buffer overflow via str_repeat

Trying to allocate a `zend_string` with a length only slightly smaller
than `SIZE_MAX` causes an integer overflow, so callers may need to
check that explicitly.  To make that easy in a portable way, we
introduce `ZSTR_MAX_LEN`.

Closes GH-7294.
Christoph M. Becker 2021-07-21 13:55:13 +02:00
parent 2d2c001ca5
commit 760ff841a1
GPG key ID: D66C9593118BCCB6
3 changed files with 4 additions and 1 deletions


@ -1882,7 +1882,7 @@ ZEND_API int ZEND_FASTCALL concat_function(zval *result, zval *op1, zval *op2) /
size_t result_len = op1_len + op2_len;
zend_string *result_str;
if (UNEXPECTED(op1_len > SIZE_MAX - op2_len)) {
if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) {
zend_throw_error(NULL, "String size overflow");
zval_ptr_dtor_str(&op1_copy);
zval_ptr_dtor_str(&op2_copy);
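Review bot: `ZSTR_MAX_LEN` is not defined in this hunk, and the replaced check `if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len))` only prevents the wraparound the commit message describes if that constant already subtracts the `zend_string` header and terminating byte from `SIZE_MAX`; a one-line comment above the check saying so (for example `/* ZSTR_MAX_LEN leaves room for the zend_string header, so the allocation size cannot wrap */`) would document why `SIZE_MAX` was the wrong bound here. The subtraction `ZSTR_MAX_LEN - op2_len` also relies on `op2_len` never exceeding `ZSTR_MAX_LEN`, otherwise it underflows and the check passes; that holds only if every existing `zend_string` length is already bounded by the same constant, which is worth confirming in the file that defines it.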