
Merge branch 'PHP-8.0'

* PHP-8.0:
  Fix #74960: Heap buffer overflow via str_repeat
Christoph M. Becker
2021-07-21 15:36:16 +02:00
2 changed files with 3 additions and 1 deletions
+1 -1
@@ -1918,7 +1918,7 @@ ZEND_API zend_result ZEND_FASTCALL concat_function(zval *result, zval *op1, zval
size_t result_len = op1_len + op2_len;
zend_string *result_str;
if (UNEXPECTED(op1_len > SIZE_MAX - op2_len)) {
if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) {
zend_throw_error(NULL, "String size overflow");
zval_ptr_dtor_str(&op1_copy);
zval_ptr_dtor_str(&op2_copy);
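Review bot: The guard `if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len))` carries no comment saying why the limit is ZSTR_MAX_LEN rather than SIZE_MAX, and `result_len` is still computed above it, so it can hold a wrapped value until the check has passed. I would add `/* the string allocation adds the header, the NUL and alignment padding to result_len, so SIZE_MAX is too loose a bound */` directly above the check. The subtraction presumably relies on op2_len never exceeding ZSTR_MAX_LEN, which holds only if every existing string was created under the same limit; the comment should state that assumption as well. concat_function starts and ends outside the hunk.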
+2
@@ -83,6 +83,8 @@ END_EXTERN_C()
#define _ZSTR_STRUCT_SIZE(len) (_ZSTR_HEADER_SIZE + len + 1)
#define ZSTR_MAX_LEN (SIZE_MAX - ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1))
#define ZSTR_ALLOCA_ALLOC(str, _len, use_heap) do { \
(str) = (zend_string *)do_alloca(ZEND_MM_ALIGNED_SIZE_EX(_ZSTR_STRUCT_SIZE(_len), 8), (use_heap)); \
GC_SET_REFCOUNT(str, 1); \
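Review bot: ZSTR_MAX_LEN is introduced without a comment, and the reason for subtracting `ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1)` is not obvious from the macro alone. A line such as `/* largest len for which the aligned _ZSTR_STRUCT_SIZE(len) still fits in size_t */` above the define would make the invariant checkable by the next reader. The only use visible on this page is the guard in concat_function; if other code sums string lengths before allocating, it presumably needs the same bound, or the limit could be enforced once at the point where strings are allocated. The ZSTR_ALLOCA_ALLOC macro continues outside the hunk.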