Fix various int size overflows.

Add function for detection of string zvals with length that does not fit INT_MAX.
author: Stanislav Malyshev <stas@php.net> 2016-09-01 23:15:34 -0700
committer: Stanislav Malyshev <stas@php.net> 2016-09-12 21:04:23 -0700
commit: 19866fb76cf4c95d904ebb0e08592cf38303fae9 (patch)
tree: dd21e44e7b8953545e0869915e1e40cc23e4e9f8 /Zend/zend_alloc.c
parent: 0cbf634657dbaf5a49ba1c9f2d479d05c2e806d6 (diff)
download: php-git-19866fb76cf4c95d904ebb0e08592cf38303fae9.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
index 105c2560aa..1f00414939 100644
--- a/Zend/zend_alloc.c
+++ b/Zend/zend_alloc.c
@@ -2578,6 +2578,15 @@ static inline size_t safe_address(size_t nmemb, size_t size, size_t offset)
 #endif
 
 
+ZEND_API void *_safe_emalloc_string(size_t nmemb, size_t size, size_t offset ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
+{
+	size_t str_size = safe_address(nmemb, size, offset);
+	if (UNEXPECTED(str_size > INT_MAX)) {
+		zend_error_noreturn(E_ERROR, "String allocation overflow, max size is %d", INT_MAX);
+	}
+	return emalloc_rel(str_size);
+}
+
 ZEND_API void *_safe_emalloc(size_t nmemb, size_t size, size_t offset ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
 {
 	return emalloc_rel(safe_address(nmemb, size, offset));
author	Stanislav Malyshev <stas@php.net>	2016-09-01 23:15:34 -0700
committer	Stanislav Malyshev <stas@php.net>	2016-09-12 21:04:23 -0700
commit	19866fb76cf4c95d904ebb0e08592cf38303fae9 (patch)
tree	dd21e44e7b8953545e0869915e1e40cc23e4e9f8 /Zend/zend_alloc.c
parent	0cbf634657dbaf5a49ba1c9f2d479d05c2e806d6 (diff)
download	php-git-19866fb76cf4c95d904ebb0e08592cf38303fae9.tar.gz