From 8ce04df7e0108a10f7b782a28204e9384ab1129c Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Wed, 2 Oct 2019 16:42:28 +0200
Subject: Fix #78620: Out of memory error
If the integer addition in `ZEND_MM_ALIGNED_SIZE_EX` overflows, the macro evaluates to `0`, what we should catch early.
---
 NEWS | 1 +
 Zend/zend_alloc.c | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/NEWS b/NEWS
index 1c4ce6fe5d..b8a1a23997 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ PHP NEWS
 - Core:
 . Fixed bug #78535 (auto_detect_line_endings value not parsed as bool). (bugreportuser)
+ . Fixed bug #78620 (Out of memory error). (cmb)
 - Exif:
 . Fixed bug #78442 ('Illegal component' on exif_read_data since PHP7)
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
index 3a43027346..222f08f49e 100644
--- a/Zend/zend_alloc.c
+++ b/Zend/zend_alloc.c
@@ -1730,10 +1730,15 @@ static void *zend_mm_alloc_huge(zend_mm_heap *heap, size_t size ZEND_FILE_LINE_D
 void *ptr;
 #if ZEND_MM_LIMIT
+ if (UNEXPECTED(new_size == 0)) {
+ /* overflow in ZEND_MM_ALIGNED_SIZE_EX */
+ goto memory_limit_exhausted;
+ }
 if (UNEXPECTED(new_size > heap->limit - heap->real_size)) {
 if (zend_mm_gc(heap) && new_size <= heap->limit - heap->real_size) {
 /* pass */
 } else if (heap->overflow == 0) {
+memory_limit_exhausted:
 #if ZEND_DEBUG
 zend_mm_safe_error(heap, "Allowed memory size of %zu bytes exhausted at %s:%d (tried to allocate %zu bytes)", heap->limit, __zend_filename, __zend_lineno, size);
 #else
-- cgit v1.2.1
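Review bot: The new `new_size == 0` guard in zend_mm_alloc_huge sits inside `#if ZEND_MM_LIMIT`, so a build with the limit compiled out still carries the wrapped size past this point; what the code after the `#endif` does with a zero `new_size` is outside the hunk, but the check looks like it belongs before the `#if`, with an error path that does not depend on the limit code. The `goto` also lands on a label inside the `else if (heap->overflow == 0)` branch, so the overflow case reports the error even when `heap->overflow` is set, which is presumably intended but easy to miss; a line above the label such as `/* also reached by goto when the aligned size wrapped to 0 */` would make that visible. The comment on the guard could say why zero matters: `/* size + alignment - 1 wrapped, so the mask yields 0, which would pass the limit test below */`. The function body starts before and continues after the hunk.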