]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3bd3651)
Fix signed integer overflow
authorNikita Popov <nikita.ppv@gmail.com>
Fri, 30 Oct 2020 11:37:22 +0000 (12:37 +0100)
committerNikita Popov <nikita.ppv@gmail.com>
Fri, 30 Oct 2020 11:38:27 +0000 (12:38 +0100)
Fixes oss-fuzz #26763.

Zend/zend_execute.c patch | blob | history

diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 1cec01591e9904b7eb0f8dc9ebc8bc333bbbff3e..c58e1fa228e17c981705af17cd22164a0a1c0e5c 100644 (file)
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -1553,7 +1553,7 @@ static zend_never_inline void zend_assign_to_string_offset(zval *str, zval *dim,
        if ((size_t)offset >= Z_STRLEN_P(str)) {
                /* Extend string if needed */
                zend_long old_len = Z_STRLEN_P(str);
-               ZVAL_NEW_STR(str, zend_string_extend(Z_STR_P(str), offset + 1, 0));
+               ZVAL_NEW_STR(str, zend_string_extend(Z_STR_P(str), (size_t)offset + 1, 0));
                memset(Z_STRVAL_P(str) + old_len, ' ', offset - old_len);
                Z_STRVAL_P(str)[offset+1] = 0;
        } else if (!Z_REFCOUNTED_P(str)) {
Unnamed repository; edit this file 'description' to name the repository.