Fix #74960: Heap buffer overflow via str_repeat

Trying to allocate a `zend_string` with a length only slightly smaller
than `SIZE_MAX` causes an integer overflow, so callers may need to
check that explicitly.  To make that easy in a portable way, we
introduce `ZSTR_MAX_LEN`.

Closes GH-7294.
Christoph M. Becker 2021-07-21 13:55:13 +02:00
parent 2d2c001ca5
commit 760ff841a1
No known key found for this signature in database
GPG key ID: D66C9593118BCCB6
3 changed files with 4 additions and 1 deletions


@ -75,6 +75,8 @@ END_EXTERN_C()
#define _ZSTR_STRUCT_SIZE(len) (_ZSTR_HEADER_SIZE + len + 1)
#define ZSTR_MAX_LEN (SIZE_MAX - ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1))
#define ZSTR_ALLOCA_ALLOC(str, _len, use_heap) do { \
(str) = (zend_string *)do_alloca(ZEND_MM_ALIGNED_SIZE_EX(_ZSTR_STRUCT_SIZE(_len), 8), (use_heap)); \
GC_SET_REFCOUNT(str, 1); \
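Review bot: the new `ZSTR_MAX_LEN` line has no comment stating what it guarantees, and the relationship to the two macros around it is not obvious at a glance. It is the largest `len` for which `_ZSTR_STRUCT_SIZE(len)` (`_ZSTR_HEADER_SIZE + len + 1`), and its aligned form as used in `ZSTR_ALLOCA_ALLOC`, cannot wrap around `SIZE_MAX`, which is why the subtracted term is `ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1)` rather than the raw header size. Suggest a one-line comment above it, e.g. `/* largest len for which the aligned zend_string allocation size does not overflow */`, so that callers understand it bounds the final string length only. Since the commit message says callers "may need to check that explicitly", it is also worth noting in that comment (or in the callers' hunks, which are not visible here) that comparing against `ZSTR_MAX_LEN` does not catch an overflow that already happened while computing `len` itself, such as a length multiplied by a repeat count in `str_repeat`; that product must be computed with an overflow-checked multiplication before the comparison is meaningful.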