authorStanislav Malyshev <stas@php.net>2014-05-11 18:15:29 -0700
committerStanislav Malyshev <stas@php.net>2014-05-11 18:16:19 -0700
commitaf5cc61cf374f3700872c989cfdf8e197248c57c (patch)
treeb999bcdc3e341696f70806098fe42fd28b84acf2
parent291b45afb5d5716ff0d340bd2bcb34731b806eed (diff)
parent2b475eebbea85779989e98e87753d6b023a1d131 (diff)
downloadphp-git-af5cc61cf374f3700872c989cfdf8e197248c57c.tar.gz
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4: Fix bug #67247 spl_fixedarray_resize integer overflow fix news
-rw-r--r--NEWS4
-rw-r--r--ext/spl/spl_fixedarray.c2
-rw-r--r--ext/spl/tests/bug67247.phpt13
3 files changed, 16 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index 5ee5c567a6..aaf308804a 100644
--- a/NEWS
+++ b/NEWS
@@ -13,8 +13,8 @@ PHP NEWS
by tempnam()). (Boro Sitnikovski)
. Fixed bug #67072 (Echoing unserialized "SplFileObject" crash). (Anatol)
. Fixed bug #67245 (usage of memcpy() with overlapping src and dst in
- zend_exceptions.c) (backported fix from PHP 5.6; initially committed
- to wrong branch). (Bob)
+ zend_exceptions.c). (Bob)
+ . Fixed bug #67247 (spl_fixedarray_resize integer overflow). (Stas)
- Curl:
. Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset). (Mike)
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index ca61b3bd97..98a5117eff 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -116,7 +116,7 @@ static void spl_fixedarray_resize(spl_fixedarray *array, long size TSRMLS_DC) /*
array->elements = NULL;
}
} else if (size > array->size) {
- array->elements = erealloc(array->elements, sizeof(zval *) * size);
+ array->elements = safe_erealloc(array->elements, size, sizeof(zval *), 0);
memset(array->elements + array->size, '\0', sizeof(zval *) * (size - array->size));
} else { /* size < array->size */
long i;
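Review bot: The new `safe_erealloc` call on the grow path carries no comment saying why the plain `erealloc` was unsafe, and the `memset` length on the very next line is built from the same kind of multiplication, so a reader may wonder whether it needs the same treatment; add a line above the allocation such as `/* size * sizeof(zval *) is caller-controlled; safe_erealloc aborts on overflow (bug #67247). The memset length below is strictly smaller than that product, so it cannot overflow once the allocation succeeded. */`. spl_fixedarray_resize starts and ends outside the hunk, so the other allocation branch for a previously empty array is not visible here; since it takes the same `size`, it should be confirmed to use an overflow-checked allocator (ecalloc/safe_emalloc) as well. The `size > array->size` guard keeps a negative `size` out of this branch only as long as `array->size` is never negative, which the visible lines do not establish.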
diff --git a/ext/spl/tests/bug67247.phpt b/ext/spl/tests/bug67247.phpt
new file mode 100644
index 0000000000..cb71445d7b
--- /dev/null
+++ b/ext/spl/tests/bug67247.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #67247 (spl_fixedarray_resize integer overflow)
+--FILE--
+<?php
+$ar = new SplFixedArray(1);
+echo "size: ".$ar->getSize()."\n";
+$ar->setSize((PHP_INT_SIZE==8)?0x2000000000000001:0x40000001);
+echo "size: ".$ar->getSize()."\n";
+?>
+--EXPECTF--
+size: 1
+
+Fatal error: Possible integer overflow in memory allocation (%d * %d + 0) in %s on line %d
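Review bot: The test exercises only the grow path (an array of size 1 resized to a count whose product with the element size overflows), so the initial-allocation path taken by the constructor is not covered; if that path allocates on its own, a second case such as `new SplFixedArray((PHP_INT_SIZE==8)?0x2000000000000001:0x40000001);` would pin it too. The `--EXPECTF--` block also binds the test to the allocator's exact wording, `Possible integer overflow in memory allocation (%d * %d + 0)`, so a change to that message in the memory manager will fail this test rather than the SPL code; that is acceptable for a regression test but worth a short comment in the `--TEST--` section noting that the fatal error is the expected outcome.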