summaryrefslogtreecommitdiff
path: root/ext
diff options
context:
space:
mode:
authorChristoph M. Becker <cmbecker69@gmx.de>2020-03-29 16:56:57 +0200
committerChristoph M. Becker <cmbecker69@gmx.de>2020-03-30 08:56:49 +0200
commita681b12820ee1556668087bc7866006ca5329635 (patch)
treecac68af73581b3ad65399efe31ffda05c9aa0083 /ext
parent04920645f14ea117d5248ef3a0e03c6784c2fb49 (diff)
downloadphp-git-a681b12820ee1556668087bc7866006ca5329635.tar.gz
Fix #79427: Integer Overflow in shmop_open()
If `shm.shm_segsz > ZEND_LONG_MAX` the assignment to `shmop->size` a few lines below would overflow, so we catch that early and bail out if necessary.
Diffstat (limited to 'ext')
-rw-r--r--ext/shmop/shmop.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/ext/shmop/shmop.c b/ext/shmop/shmop.c
index d0d226bbbc..1509b80b0a 100644
--- a/ext/shmop/shmop.c
+++ b/ext/shmop/shmop.c
@@ -207,6 +207,11 @@ PHP_FUNCTION(shmop_open)
goto err;
}
+ if (shm.shm_segsz > ZEND_LONG_MAX) {
+ php_error_docref(NULL, E_WARNING, "shared memory segment too large to attach");
+ goto err;
+ }
+
shmop->addr = shmat(shmop->shmid, 0, shmop->shmatflg);
if (shmop->addr == (char*) -1) {
php_error_docref(NULL, E_WARNING, "unable to attach to shared memory segment '%s'", strerror(errno));