authorStanislav Malyshev <stas@php.net>2016-02-21 23:14:29 -0800
committerStanislav Malyshev <stas@php.net>2016-03-01 22:32:38 -0800
commit9cabc99fcef0f12b472e40811beab4eb2ef17e1b (patch)
treeaec2fd67f881aa59473257bb18c2d6f5a87192da
parentbb80c00a0099dd12ddec0380250834b64c1f92f2 (diff)
downloadphp-git-9cabc99fcef0f12b472e40811beab4eb2ef17e1b.tar.gz
Fix bug #71637: Multiple Heap Overflow due to integer overflows
-rw-r--r--ext/filter/sanitizing_filters.c2
-rw-r--r--ext/standard/string.c2
-rw-r--r--ext/xml/xml.c2
3 files changed, 3 insertions, 3 deletions
diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c
index ff27bdb1be..0b11ecfc2a 100644
--- a/ext/filter/sanitizing_filters.c
+++ b/ext/filter/sanitizing_filters.c
@@ -87,7 +87,7 @@ static void php_filter_encode_url(zval *value, const unsigned char* chars, const
memset(tmp, 1, 32);
}
*/
- str = zend_string_alloc(3 * Z_STRLEN_P(value), 0);
+ str = zend_string_safe_alloc(Z_STRLEN_P(value), 3, 0, 0);
p = (unsigned char *) ZSTR_VAL(str);
s = (unsigned char *) Z_STRVAL_P(value);
e = s + Z_STRLEN_P(value);
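Review bot: The factor `3` in `zend_string_safe_alloc(Z_STRLEN_P(value), 3, 0, 0)` carries the whole safety argument for the write loop that follows, yet nothing at the call site says so. The loop is outside this hunk, so the bound is presumably the worst case of every input byte expanding to a three-character `%XX` escape; I would record that with `/* worst case: each byte becomes %XX; safe_alloc bails out if n * m + l overflows */`. The `len, 4` call in ext/xml/xml.c already has a sizing comment but not the overflow half, and could take the same second clause. The diffstat lists only the three source files, so a regression test for bug #71637 would also be worth adding.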
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 489006b261..7b6ad8ed9c 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -5372,7 +5372,7 @@ PHP_FUNCTION(str_pad)
return;
}
- result = zend_string_alloc(ZSTR_LEN(input) + num_pad_chars, 0);
+ result = zend_string_safe_alloc(ZSTR_LEN(input), 1, num_pad_chars, 0);
ZSTR_LEN(result) = 0;
/* We need to figure out the left/right padding lengths. */
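Review bot: Passing `1` as the multiplier in `zend_string_safe_alloc(ZSTR_LEN(input), 1, num_pad_chars, 0)` is a checked addition in disguise and reads like a mistake without a comment; something like `/* n * 1 + l: overflow-checked input length + padding */` would make the intent clear. The declaration and range check of `num_pad_chars` sit above this hunk (only the tail `return; }` is visible), so it should be confirmed there that the value cannot be negative or otherwise out of range before it is converted to the `size_t` addend. The left/right padding writes that rely on this size continue past the end of the hunk.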
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index d6eae46583..bfa1b85b99 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -581,7 +581,7 @@ PHP_XML_API zend_string *xml_utf8_encode(const char *s, size_t len, const XML_Ch
}
/* This is the theoretical max (will never get beyond len * 2 as long
* as we are converting from single-byte characters, though) */
- str = zend_string_alloc(len * 4, 0);
+ str = zend_string_safe_alloc(len, 4, 0, 0);
ZSTR_LEN(str) = 0;
while (pos > 0) {
c = encoder ? encoder((unsigned char)(*s)) : (unsigned short)(*s);