Fixed bug #71535 (Integer overflow in zend_mm_alloc_heap())

author: Dmitry Stogov <dmitry@zend.com> 2016-02-24 11:04:48 +0300
committer: Dmitry Stogov <dmitry@zend.com> 2016-02-24 11:04:48 +0300
commit: 0b9c87a02bacfbf1d1383ad393bda78e5d65570c (patch)
tree: 2bbd8a3b3ed3acffd77e09ba1ec47e769039f2da /Zend/zend_alloc.c
parent: 01e85f3fdc06f99e3c47b2bc2464c5de98347522 (diff)
download: php-git-0b9c87a02bacfbf1d1383ad393bda78e5d65570c.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
index cfc277f136..2e0de26378 100644
--- a/Zend/zend_alloc.c
+++ b/Zend/zend_alloc.c
@@ -1353,6 +1353,10 @@ static zend_always_inline void *zend_mm_alloc_heap(zend_mm_heap *heap, size_t si
 	/* special handling for zero-size allocation */
 	size = MAX(size, 1);
 	size = ZEND_MM_ALIGNED_SIZE(size) + ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_debug_info));
+	if (UNEXPECTED(size < real_size)) {
+		zend_error_noreturn(E_ERROR, "Possible integer overflow in memory allocation (%zu + %zu)", ZEND_MM_ALIGNED_SIZE(real_size), ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_debug_info)));
+		return NULL;
+	}
 #endif
 	if (size <= ZEND_MM_MAX_SMALL_SIZE) {
 		ptr = zend_mm_alloc_small(heap, size, ZEND_MM_SMALL_SIZE_TO_BIN(size) ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
author	Dmitry Stogov <dmitry@zend.com>	2016-02-24 11:04:48 +0300
committer	Dmitry Stogov <dmitry@zend.com>	2016-02-24 11:04:48 +0300
commit	0b9c87a02bacfbf1d1383ad393bda78e5d65570c (patch)
tree	2bbd8a3b3ed3acffd77e09ba1ec47e769039f2da /Zend/zend_alloc.c
parent	01e85f3fdc06f99e3c47b2bc2464c5de98347522 (diff)
download	php-git-0b9c87a02bacfbf1d1383ad393bda78e5d65570c.tar.gz