authorStanislav Malyshev <stas@php.net>2016-02-21 23:14:29 -0800
committerStanislav Malyshev <stas@php.net>2016-02-21 23:14:29 -0800
commit57b997ebf99e0eb9a073e0dafd2ab100bd4a112d (patch)
treefac695c3800bbb6a70b0f96f26601cf6d525dada /ext/xml/xml.c
parent4e527d8201f782ead105299149c3d88880093cbf (diff)
Fix bug #71637: Multiple Heap Overflow due to integer overflows
Diffstat (limited to 'ext/xml/xml.c')
-rw-r--r--ext/xml/xml.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index d6eae46583..bfa1b85b99 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -581,7 +581,7 @@ PHP_XML_API zend_string *xml_utf8_encode(const char *s, size_t len, const XML_Ch
}
/* This is the theoretical max (will never get beyond len * 2 as long
* as we are converting from single-byte characters, though) */
- str = zend_string_alloc(len * 4, 0);
+ str = zend_string_safe_alloc(len, 4, 0, 0);
ZSTR_LEN(str) = 0;
while (pos > 0) {
c = encoder ? encoder((unsigned char)(*s)) : (unsigned short)(*s);
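Review bot: The comment above the new `zend_string_safe_alloc(len, 4, 0, 0)` call still only explains the 4x bound, so nothing tells a later reader why the overflow-checked allocator is required or what the two trailing zeros mean. I would add a line such as `/* len * 4 can wrap size_t for very large inputs; safe_alloc checks the multiplication (no extra bytes, non-persistent) */` so the call is not simplified back to a plain multiply. The loop that fills `str` begins in this hunk and continues outside it, so the assumption that it writes at most four bytes per input byte cannot be confirmed from here. Separately, the fallback `(unsigned short)(*s)` in the context line lacks the `(unsigned char)` cast used in the encoder branch, so where `char` is signed a high byte would presumably sign-extend before encoding; this is worth checking.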