Fix #74960: Heap buffer overflow via str_repeat

Trying to allocate a `zend_string` with a length only slighty smaller than `SIZE_MAX` causes an integer overflow, so callers may need to check that explicitly. To make that easy in a portable way, we introduce `ZSTR_MAX_LEN`. Closes GH-7294.
2024-11-27 20:03:40 +08:00 · 2021-07-21 13:55:13 +02:00 · 2021-07-21 13:55:13 +02:00 · 760ff841a1
commit 760ff841a1
parent 2d2c001ca5
3 changed files with 4 additions and 1 deletions
--- a/1
+++ b/1
@ -15,6 +15,7 @@ PHP                                                                        NEWS
  . Fixed bug #72146 (Integer overflow on substr_replace). (cmb)
  . Fixed bug #81265 (getimagesize returns 0 for 256px ICO images).
    (George Dietrich)
+  . Fixed bug #74960 (Heap buffer overflow via str_repeat). (cmb, Dmitry)

 29 Jul 2021, PHP 7.4.22

--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@ -1882,7 +1882,7 @@ ZEND_API int ZEND_FASTCALL concat_function(zval *result, zval *op1, zval *op2) /
 		size_t result_len = op1_len + op2_len;
 		zend_string *result_str;

-		if (UNEXPECTED(op1_len > SIZE_MAX - op2_len)) {
+		if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) {
 			zend_throw_error(NULL, "String size overflow");
 			zval_ptr_dtor_str(&op1_copy);
 			zval_ptr_dtor_str(&op2_copy);
--- a/Zend/zend_string.h
+++ b/Zend/zend_string.h
@ -75,6 +75,8 @@ END_EXTERN_C()

 #define _ZSTR_STRUCT_SIZE(len) (_ZSTR_HEADER_SIZE + len + 1)

+#define ZSTR_MAX_LEN (SIZE_MAX - ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1))
+
 #define ZSTR_ALLOCA_ALLOC(str, _len, use_heap) do { \
 	(str) = (zend_string *)do_alloca(ZEND_MM_ALIGNED_SIZE_EX(_ZSTR_STRUCT_SIZE(_len), 8), (use_heap)); \
 	GC_SET_REFCOUNT(str, 1); \