From a681b12820ee1556668087bc7866006ca5329635 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Sun, 29 Mar 2020 16:56:57 +0200
Subject: Fix #79427: Integer Overflow in shmop_open()

If `shm.shm_segsz > ZEND_LONG_MAX` the assignment to `shmop->size` a few lines below would overflow, so we catch that early and bail out if necessary.
---
 NEWS | 3 +++
 ext/shmop/shmop.c | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/NEWS b/NEWS
index f27238b701..2a8a0da2af 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ PHP NEWS
 . Fixed bug #79412 (Opcache chokes and uses 100% CPU on specific script). (Dmitry)

+- Shmop:
+ . Fixed bug #79427 (Integer Overflow in shmop_open()). (cmb)
+
 - SimpleXML:
 . Fixed bug #61597 (SXE properties may lack attributes and content). (cmb)

diff --git a/ext/shmop/shmop.c b/ext/shmop/shmop.c
index d0d226bbbc..1509b80b0a 100644
--- a/ext/shmop/shmop.c
+++ b/ext/shmop/shmop.c
@@ -207,6 +207,11 @@ PHP_FUNCTION(shmop_open)
 goto err;
 }

+ if (shm.shm_segsz > ZEND_LONG_MAX) {
+ php_error_docref(NULL, E_WARNING, "shared memory segment too large to attach");
+ goto err;
+ }
+
 shmop->addr = shmat(shmop->shmid, 0, shmop->shmatflg);
 if (shmop->addr == (char*) -1) {
 php_error_docref(NULL, E_WARNING, "unable to attach to shared memory segment '%s'", strerror(errno));
--
cgit v1.2.1
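Review bot: The new `shm.shm_segsz > ZEND_LONG_MAX` guard in the ext/shmop/shmop.c hunk has no comment tying it to the narrowing assignment it protects, which per the commit message sits a few lines below and outside this hunk (the body of `PHP_FUNCTION(shmop_open)` starts and ends outside it too). The size presumably comes from the kernel's record of a segment that another process may have created, so it should be treated as untrusted. I would add above the `if`: `/* shm_segsz is reported for a segment we may not have created; reject sizes that do not fit shmop->size before attaching */`. The warning text also omits the offending size, whereas the neighbouring shmat failure message includes `strerror(errno)`; adding the size would make the rejection easier to triage from logs. The diffstat shows only NEWS and shmop.c changed, so a regression test for the rejected case (likely only practical on 32-bit builds) appears to be missing.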