Fixed bug #50207 (segmentation fault when concatenating very large strings

on 64bit linux).
author: Ilia Alshanetsky <iliaa@php.net> 2009-11-19 14:04:34 +0000
committer: Ilia Alshanetsky <iliaa@php.net> 2009-11-19 14:04:34 +0000
commit: 63e4efe784856b4fb780e40f4e478a4d03c5ba99 (patch)
tree: 0c52200ffb8822f963e2d644ae0bfd71c2c59b88 /Zend/zend_operators.c
parent: a1269238feabf224b20afbc4c16ec02e57404ce6 (diff)
download: php-git-63e4efe784856b4fb780e40f4e478a4d03c5ba99.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index ef08807c7d..196d63dfae 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -1227,6 +1227,12 @@ ZEND_API int concat_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{
 	if (result==op1) {	/* special case, perform operations on result */
 		uint res_len = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
 
+		if (Z_STRLEN_P(result) < 0) {
+			efree(Z_STRVAL_P(result));
+			ZVAL_EMPTY_STRING(result);
+			zend_error(E_ERROR, "String size overflow");
+		}
+
 		Z_STRVAL_P(result) = erealloc(Z_STRVAL_P(result), res_len+1);
 
 		memcpy(Z_STRVAL_P(result)+Z_STRLEN_P(result), Z_STRVAL_P(op2), Z_STRLEN_P(op2));
author	Ilia Alshanetsky <iliaa@php.net>	2009-11-19 14:04:34 +0000
committer	Ilia Alshanetsky <iliaa@php.net>	2009-11-19 14:04:34 +0000
commit	63e4efe784856b4fb780e40f4e478a4d03c5ba99 (patch)
tree	0c52200ffb8822f963e2d644ae0bfd71c2c59b88 /Zend/zend_operators.c
parent	a1269238feabf224b20afbc4c16ec02e57404ce6 (diff)
download	php-git-63e4efe784856b4fb780e40f4e478a4d03c5ba99.tar.gz