Expose zend_safe_address() and use it in zend_arena_calloc()

author: Dmitry Stogov <dmitry@zend.com> 2014-09-18 13:31:25 +0400
committer: Dmitry Stogov <dmitry@zend.com> 2014-09-18 13:31:25 +0400
commit: e439349e589e122487131d845f6d3c4d4229d758 (patch)
tree: 7f60753e4ff2a244c5d960dfaf6cbf1f483d0199 /Zend/zend_arena.h
parent: 025bc7e80a192b9ffe8d3dd67708835601fdc1ac (diff)
download: php-git-e439349e589e122487131d845f6d3c4d4229d758.tar.gz
1 files changed, 5 insertions, 5 deletions
diff --git a/Zend/zend_arena.h b/Zend/zend_arena.h
index 96e18a6910..64fde19619 100644
--- a/Zend/zend_arena.h
+++ b/Zend/zend_arena.h
@@ -80,14 +80,14 @@ static zend_always_inline void* zend_arena_alloc(zend_arena **arena_ptr, size_t
 
 static zend_always_inline void* zend_arena_calloc(zend_arena **arena_ptr, size_t count, size_t unit_size)
 {
-	zend_long overflow;
-	double d;
+	int overflow;
 	size_t size;
 	void *ret;
 
-	(void)d;
-	ZEND_SIGNED_MULTIPLY_LONG(unit_size, count, size, d, overflow);
-	ZEND_ASSERT(overflow == 0);
+	size = zend_safe_address(unit_size, count, 0, &overflow);
+	if (UNEXPECTED(overflow)) {
+		zend_error(E_ERROR, "Possible integer overflow in zend_arena_calloc() (%zu * %zu)", unit_size, count);
+	}
 	ret = zend_arena_alloc(arena_ptr, size);
 	memset(ret, 0, size);
 	return ret;
author	Dmitry Stogov <dmitry@zend.com>	2014-09-18 13:31:25 +0400
committer	Dmitry Stogov <dmitry@zend.com>	2014-09-18 13:31:25 +0400
commit	e439349e589e122487131d845f6d3c4d4229d758 (patch)
tree	7f60753e4ff2a244c5d960dfaf6cbf1f483d0199 /Zend/zend_arena.h
parent	025bc7e80a192b9ffe8d3dd67708835601fdc1ac (diff)
download	php-git-e439349e589e122487131d845f6d3c4d4229d758.tar.gz