diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-10-02 16:42:28 +0200 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-10-02 18:18:52 +0200 |
| commit | 8ce04df7e0108a10f7b782a28204e9384ab1129c (patch) | |
| tree | 36372a5cc014c94527ecff94d6631d48667e4833 | |
| parent | a5d3620d937f69665d78ab8d21c757d3db17b5ec (diff) | |
| download | php-git-8ce04df7e0108a10f7b782a28204e9384ab1129c.tar.gz | |
Fix #78620: Out of memory error
If the integer addition in `ZEND_MM_ALIGNED_SIZE_EX` overflows, the
macro evaluates to `0`, what we should catch early.
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | Zend/zend_alloc.c | 5 |
2 files changed, 6 insertions, 0 deletions
@@ -5,6 +5,7 @@ PHP NEWS - Core: . Fixed bug #78535 (auto_detect_line_endings value not parsed as bool). (bugreportuser) + . Fixed bug #78620 (Out of memory error). (cmb) - Exif: . Fixed bug #78442 ('Illegal component' on exif_read_data since PHP7) diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c index 3a43027346..222f08f49e 100644 --- a/Zend/zend_alloc.c +++ b/Zend/zend_alloc.c @@ -1730,10 +1730,15 @@ static void *zend_mm_alloc_huge(zend_mm_heap *heap, size_t size ZEND_FILE_LINE_D void *ptr; #if ZEND_MM_LIMIT + if (UNEXPECTED(new_size == 0)) { + /* overflow in ZEND_MM_ALIGNED_SIZE_EX */ + goto memory_limit_exhausted; + } if (UNEXPECTED(new_size > heap->limit - heap->real_size)) { if (zend_mm_gc(heap) && new_size <= heap->limit - heap->real_size) { /* pass */ } else if (heap->overflow == 0) { +memory_limit_exhausted: #if ZEND_DEBUG zend_mm_safe_error(heap, "Allowed memory size of %zu bytes exhausted at %s:%d (tried to allocate %zu bytes)", heap->limit, __zend_filename, __zend_lineno, size); #else |