From 63e4efe784856b4fb780e40f4e478a4d03c5ba99 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Thu, 19 Nov 2009 14:04:34 +0000
Subject: Fixed bug #50207 (segmentation fault when concatenating very large strings on 64bit linux).
---
 Zend/zend_operators.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'Zend/zend_operators.c')
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index ef08807c7d..196d63dfae 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -1227,6 +1227,12 @@ ZEND_API int concat_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{
 if (result==op1) { /* special case, perform operations on result */
 uint res_len = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
+ if (Z_STRLEN_P(result) < 0) {
+ efree(Z_STRVAL_P(result));
+ ZVAL_EMPTY_STRING(result);
+ zend_error(E_ERROR, "String size overflow");
+ }
+
 Z_STRVAL_P(result) = erealloc(Z_STRVAL_P(result), res_len+1);
 memcpy(Z_STRVAL_P(result)+Z_STRLEN_P(result), Z_STRVAL_P(op2), Z_STRLEN_P(op2));
-- 
cgit v1.2.1
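Review bot: The added guard `if (Z_STRLEN_P(result) < 0)` tests only the length already stored in `result`, so it can fire no earlier than the concatenation after the one that overflowed. The sum computed just above into `uint res_len` is never range-checked before `erealloc(..., res_len+1)` and the `memcpy` that follows. Assuming `Z_STRLEN_P` yields a signed `int` (the `< 0` test implies it), the addition can itself overflow, so the bound is better checked before adding: `if (Z_STRLEN_P(op1) < 0 || Z_STRLEN_P(op2) < 0 || Z_STRLEN_P(op2) > INT_MAX - 1 - Z_STRLEN_P(op1)) {`. The `result != op1` path of concat_function lies outside this hunk and presumably needs the same bound; the function body starts and ends outside the hunk.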