Merge branch 'PHP-7.3' into PHP-7.4

* PHP-7.3: Fix #79427: Integer Overflow in shmop_open()
author: Christoph M. Becker <cmbecker69@gmx.de> 2020-03-30 08:57:29 +0200
committer: Christoph M. Becker <cmbecker69@gmx.de> 2020-03-30 08:57:49 +0200
commit: 6f8045c47fd6e97b80205a040177358575d0f1f6 (patch)
tree: feea683d64c8ff1c0b379345ca637e9f85c17709
parent: 0b4e80b8c1462a17ab758e600e2a5ddb39d80c06 (diff)
parent: a681b12820ee1556668087bc7866006ca5329635 (diff)
download: php-git-6f8045c47fd6e97b80205a040177358575d0f1f6.tar.gz
2 files changed, 8 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index ede62878a5..b087d3a847 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,9 @@ PHP                                                                        NEWS
   . Fixed bug #79412 (Opcache chokes and uses 100% CPU on specific script).
     (Dmitry)
 
+- Shmop:
+  . Fixed bug #79427 (Integer Overflow in shmop_open()). (cmb)
+
 - SimpleXML:
   . Fixed bug #61597 (SXE properties may lack attributes and content). (cmb)
 
diff --git a/ext/shmop/shmop.c b/ext/shmop/shmop.c
index 8a4c0b8763..07414f2bca 100644
--- a/ext/shmop/shmop.c
+++ b/ext/shmop/shmop.c
@@ -207,6 +207,11 @@ PHP_FUNCTION(shmop_open)
 		goto err;
 	}
 
+	if (shm.shm_segsz > ZEND_LONG_MAX) {
+		php_error_docref(NULL, E_WARNING, "shared memory segment too large to attach");
+		goto err;
+	}
+
 	shmop->addr = shmat(shmop->shmid, 0, shmop->shmatflg);
 	if (shmop->addr == (char*) -1) {
 		php_error_docref(NULL, E_WARNING, "unable to attach to shared memory segment '%s'", strerror(errno));
author	Christoph M. Becker <cmbecker69@gmx.de>	2020-03-30 08:57:29 +0200
committer	Christoph M. Becker <cmbecker69@gmx.de>	2020-03-30 08:57:49 +0200
commit	6f8045c47fd6e97b80205a040177358575d0f1f6 (patch)
tree	feea683d64c8ff1c0b379345ca637e9f85c17709
parent	0b4e80b8c1462a17ab758e600e2a5ddb39d80c06 (diff)
parent	a681b12820ee1556668087bc7866006ca5329635 (diff)
download	php-git-6f8045c47fd6e97b80205a040177358575d0f1f6.tar.gz