diff options
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | Zend/zend_alloc.c | 9 | ||||
| -rw-r--r-- | ext/standard/tests/strings/wordwrap_memory_limit.phpt | 1 | ||||
| -rw-r--r-- | ext/standard/tests/strings/wordwrap_memory_limit_win32.phpt | 19 |
4 files changed, 28 insertions, 2 deletions
@@ -5,6 +5,7 @@ PHP NEWS - Core: . Fixed bug #78535 (auto_detect_line_endings value not parsed as bool). (bugreportuser) + . Fixed bug #78620 (Out of memory error). (cmb, Nikita) - Exif : . Fixed bug #78442 ('Illegal component' on exif_read_data since PHP7) diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c index 035e23f1db..0ccc004e14 100644 --- a/Zend/zend_alloc.c +++ b/Zend/zend_alloc.c @@ -1792,12 +1792,17 @@ static void *zend_mm_alloc_huge(zend_mm_heap *heap, size_t size ZEND_FILE_LINE_D * We allocate them with 2MB size granularity, to avoid many * reallocations when they are extended by small pieces */ - size_t new_size = ZEND_MM_ALIGNED_SIZE_EX(size, MAX(REAL_PAGE_SIZE, ZEND_MM_CHUNK_SIZE)); + size_t alignment = MAX(REAL_PAGE_SIZE, ZEND_MM_CHUNK_SIZE); #else - size_t new_size = ZEND_MM_ALIGNED_SIZE_EX(size, REAL_PAGE_SIZE); + size_t alignment = REAL_PAGE_SIZE; #endif + size_t new_size = ZEND_MM_ALIGNED_SIZE_EX(size, alignment); void *ptr; + if (UNEXPECTED(new_size < size)) { + zend_error_noreturn(E_ERROR, "Possible integer overflow in memory allocation (%zu + %zu)", size, alignment); + } + #if ZEND_MM_LIMIT if (UNEXPECTED(new_size > heap->limit - heap->real_size)) { if (zend_mm_gc(heap) && new_size <= heap->limit - heap->real_size) { diff --git a/ext/standard/tests/strings/wordwrap_memory_limit.phpt b/ext/standard/tests/strings/wordwrap_memory_limit.phpt index fb0cc5c3bc..21340153fa 100644 --- a/ext/standard/tests/strings/wordwrap_memory_limit.phpt +++ b/ext/standard/tests/strings/wordwrap_memory_limit.phpt @@ -2,6 +2,7 @@ No overflow should occur during the memory_limit check for wordwrap() --SKIPIF-- <?php +if (substr(PHP_OS, 0, 3) == 'WIN' && PHP_INT_SIZE == 4) die("skip this test is not for 32bit Windows platforms"); if (getenv("USE_ZEND_ALLOC") === "0") die("skip Zend MM disabled"); ?> --INI-- diff --git a/ext/standard/tests/strings/wordwrap_memory_limit_win32.phpt b/ext/standard/tests/strings/wordwrap_memory_limit_win32.phpt new file mode 100644 index 0000000000..e0e76b5800 --- /dev/null +++ b/ext/standard/tests/strings/wordwrap_memory_limit_win32.phpt @@ -0,0 +1,19 @@ +--TEST-- +No overflow should occur during the memory_limit check for wordwrap() +--SKIPIF-- +<?php +if (substr(PHP_OS, 0, 3) != 'WIN' || PHP_INT_SIZE != 4) die("skip this test is for 32bit Windows platforms only"); +if (getenv("USE_ZEND_ALLOC") === "0") die("skip Zend MM disabled"); +?> +--INI-- +memory_limit=128M +--FILE-- +<?php + +$str = str_repeat('x', 65534); +$str2 = str_repeat('x', 65535); +wordwrap($str, 1, $str2); + +?> +--EXPECTF-- +Fatal error: Possible integer overflow in memory allocation (4294901777 + %d) in %s on line %d |