diff options
| author | Dmitry Stogov <dmitry@zend.com> | 2019-02-01 11:11:15 +0300 |
|---|---|---|
| committer | Dmitry Stogov <dmitry@zend.com> | 2019-02-01 11:11:15 +0300 |
| commit | 203a2da30ae6722689e3625ac3c787c560a791a9 (patch) | |
| tree | 17502d6ffa2fd94693b7718c11edf0f6c2ec5885 /Zend | |
| parent | 7d1df603ada38814dbf4728950bc7f9d0a636864 (diff) | |
| download | php-git-203a2da30ae6722689e3625ac3c787c560a791a9.tar.gz | |
Fixed bug #77329 (Buffer Overflow via overly long Error Messages)
Diffstat (limited to 'Zend')
| -rw-r--r-- | Zend/zend_smart_str.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/Zend/zend_smart_str.c b/Zend/zend_smart_str.c index 0e34f12cde..e13741f72e 100644 --- a/Zend/zend_smart_str.c +++ b/Zend/zend_smart_str.c @@ -155,7 +155,12 @@ ZEND_API void ZEND_FASTCALL _smart_string_alloc(smart_string *str, size_t len) str->c = emalloc(SMART_STRING_START_LEN + 1); } else { str->a = ZEND_MM_ALIGNED_SIZE_EX(len + SMART_STRING_OVERHEAD, SMART_STRING_PAGE) - SMART_STRING_OVERHEAD; - str->c = emalloc_large(str->a + 1); + if (EXPECTED(str->a < (ZEND_MM_CHUNK_SIZE - SMART_STRING_OVERHEAD))) { + str->c = emalloc_large(str->a + 1); + } else { + /* allocate a huge chunk */ + str->c = emalloc(str->a + 1); + } } } else { if (UNEXPECTED((size_t) len > SIZE_MAX - str->len)) { |