
Fix #73122: Integer Overflow when concatenating strings

We must avoid integer overflows in memory allocations, so we introduce
an additional check in the VM, and bail out in the rare case of an
overflow.  Since the recent fix for bug #74960 still doesn't catch all
possible overflows, we fix that right away.
This commit is contained in:
Christoph M. Becker
2021-08-17 15:48:58 +02:00
parent f924e97269
commit f1ce8d5f58
2 changed files with 4 additions and 1 deletions
+1 -1
@@ -1882,7 +1882,7 @@ ZEND_API int ZEND_FASTCALL concat_function(zval *result, zval *op1, zval *op2) /
size_t result_len = op1_len + op2_len;
zend_string *result_str;
if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) {
if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len || op2_len > ZSTR_MAX_LEN)) {
zend_throw_error(NULL, "String size overflow");
zval_ptr_dtor_str(&op1_copy);
zval_ptr_dtor_str(&op2_copy);
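Review bot: In the new condition on the `if` line, `ZSTR_MAX_LEN - op2_len` is still evaluated before the `op2_len > ZSTR_MAX_LEN` test, so when op2_len exceeds ZSTR_MAX_LEN the subtraction wraps (well-defined for size_t, but the guard then depends on the wrapped value slipping past the first operand and being caught by the second). Reordering the operands makes the intent self-evident and avoids the wrap altogether: `if (UNEXPECTED(op2_len > ZSTR_MAX_LEN || op1_len > ZSTR_MAX_LEN - op2_len)) {`. The `size_t result_len = op1_len + op2_len;` on the first context line is likewise computed before the guard; it wraps harmlessly in unsigned arithmetic but would read better placed after the check. The matching guard in the VM hunk below reports through `zend_error_noreturn(E_ERROR, ...)` rather than `zend_throw_error`, which looks deliberate (no operand copies to release there) but deserves a one-line comment such as `/* no zval copies to release here, so a fatal error is the only safe exit */`. concat_function's body continues outside the hunk.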
+3
@@ -416,6 +416,9 @@ ZEND_VM_HANDLER(8, ZEND_CONCAT, CONST|TMPVAR|CV, CONST|TMPVAR|CV, SPEC(NO_CONST_
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
if (UNEXPECTED(ZSTR_LEN(op2_str) > ZSTR_MAX_LEN - len || len > ZSTR_MAX_LEN)) {
zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
}
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);