diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-10-04 09:14:36 +0200 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-10-04 09:14:36 +0200 |
| commit | 0edcd105f31d0e93d8b68858bda508ee592bc885 (patch) | |
| tree | 27b54b76e9348c4ed7325877cebeb53664ebba6a | |
| parent | 3f069b19a06ff913da738a699353eab80de2735c (diff) | |
| parent | 6627f782d66173a1412e6a9f721fe99f91cd9a0a (diff) | |
| download | php-git-0edcd105f31d0e93d8b68858bda508ee592bc885.tar.gz | |
Merge branch 'PHP-7.4'
* PHP-7.4:
Fix #78620: Out of memory error
| -rw-r--r-- | Zend/zend_alloc.c | 9 | ||||
| -rw-r--r-- | ext/standard/tests/strings/wordwrap_memory_limit.phpt | 1 | ||||
| -rw-r--r-- | ext/standard/tests/strings/wordwrap_memory_limit_win32.phpt | 19 |
3 files changed, 27 insertions, 2 deletions
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c index d3349fe395..21ccf85049 100644 --- a/Zend/zend_alloc.c +++ b/Zend/zend_alloc.c @@ -1754,12 +1754,17 @@ static void *zend_mm_alloc_huge(zend_mm_heap *heap, size_t size ZEND_FILE_LINE_D * We allocate them with 2MB size granularity, to avoid many * reallocations when they are extended by small pieces */ - size_t new_size = ZEND_MM_ALIGNED_SIZE_EX(size, MAX(REAL_PAGE_SIZE, ZEND_MM_CHUNK_SIZE)); + size_t alignment = MAX(REAL_PAGE_SIZE, ZEND_MM_CHUNK_SIZE); #else - size_t new_size = ZEND_MM_ALIGNED_SIZE_EX(size, REAL_PAGE_SIZE); + size_t alignment = REAL_PAGE_SIZE; #endif + size_t new_size = ZEND_MM_ALIGNED_SIZE_EX(size, alignment); void *ptr; + if (UNEXPECTED(new_size < size)) { + zend_error_noreturn(E_ERROR, "Possible integer overflow in memory allocation (%zu + %zu)", size, alignment); + } + #if ZEND_MM_LIMIT if (UNEXPECTED(new_size > heap->limit - heap->real_size)) { if (zend_mm_gc(heap) && new_size <= heap->limit - heap->real_size) { diff --git a/ext/standard/tests/strings/wordwrap_memory_limit.phpt b/ext/standard/tests/strings/wordwrap_memory_limit.phpt index fb0cc5c3bc..21340153fa 100644 --- a/ext/standard/tests/strings/wordwrap_memory_limit.phpt +++ b/ext/standard/tests/strings/wordwrap_memory_limit.phpt @@ -2,6 +2,7 @@ No overflow should occur during the memory_limit check for wordwrap() --SKIPIF-- <?php +if (substr(PHP_OS, 0, 3) == 'WIN' && PHP_INT_SIZE == 4) die("skip this test is not for 32bit Windows platforms"); if (getenv("USE_ZEND_ALLOC") === "0") die("skip Zend MM disabled"); ?> --INI-- diff --git a/ext/standard/tests/strings/wordwrap_memory_limit_win32.phpt b/ext/standard/tests/strings/wordwrap_memory_limit_win32.phpt new file mode 100644 index 0000000000..e0e76b5800 --- /dev/null +++ b/ext/standard/tests/strings/wordwrap_memory_limit_win32.phpt @@ -0,0 +1,19 @@ +--TEST-- +No overflow should occur during the memory_limit check for wordwrap() +--SKIPIF-- +<?php +if (substr(PHP_OS, 0, 3) != 'WIN' || PHP_INT_SIZE != 4) die("skip this test is for 32bit Windows platforms only"); +if (getenv("USE_ZEND_ALLOC") === "0") die("skip Zend MM disabled"); +?> +--INI-- +memory_limit=128M +--FILE-- +<?php + +$str = str_repeat('x', 65534); +$str2 = str_repeat('x', 65535); +wordwrap($str, 1, $str2); + +?> +--EXPECTF-- +Fatal error: Possible integer overflow in memory allocation (4294901777 + %d) in %s on line %d |