Fixed bug #71535 (Integer overflow in zend_mm_alloc_heap())
authorDmitry Stogov <dmitry@zend.com>
Wed, 24 Feb 2016 08:04:48 +0000 (11:04 +0300)
committerDmitry Stogov <dmitry@zend.com>
Wed, 24 Feb 2016 08:04:48 +0000 (11:04 +0300)
NEWS
Zend/zend_alloc.c

diff --git a/NEWS b/NEWS
index 2d6bf694334b07b162a901ec984bc0aa8e9912ab..fc22aaa60604c9071e8fd7b12ebc408878f73081 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,7 @@ PHP                                                                        NEWS
     invoke C::$callable()). (Bob)
   . Fixed bug #71596 (Segmentation fault on ZTS with date function
     (setlocale)). (Anatol)
+  . Fixed bug #71535 (Integer overflow in zend_mm_alloc_heap()). (Dmitry)
 
 - Phar:
   . Fixed bug #71625 (Crash in php7.dll with bad phar filename).
index cfc277f136af36c4c2984cd3f24bd7088246b992..2e0de26378875ddd24b11a1797a976cc675f5438 100644 (file)
@@ -1353,6 +1353,10 @@ static zend_always_inline void *zend_mm_alloc_heap(zend_mm_heap *heap, size_t si
        /* special handling for zero-size allocation */
        size = MAX(size, 1);
        size = ZEND_MM_ALIGNED_SIZE(size) + ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_debug_info));
+       if (UNEXPECTED(size < real_size)) {
+               zend_error_noreturn(E_ERROR, "Possible integer overflow in memory allocation (%zu + %zu)", ZEND_MM_ALIGNED_SIZE(real_size), ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_debug_info)));
+               return NULL;
+       }
 #endif
        if (size <= ZEND_MM_MAX_SMALL_SIZE) {
                ptr = zend_mm_alloc_small(heap, size, ZEND_MM_SMALL_SIZE_TO_BIN(size) ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
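Review bot: The diagnostic on the second added line prints `ZEND_MM_ALIGNED_SIZE(real_size)`, and for the inputs that reach this branch (a request within an alignment step of SIZE_MAX) that rounding can wrap just as the computation on the line above did, so the message may report a small, misleading operand; printing the raw request instead, `"Possible integer overflow in memory allocation (%zu + %zu)", real_size, ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_debug_info))`, gives a crash report the real number. The guard `size < real_size` itself is a sound wrap detector on the assumption that real_size holds the caller's original request before the MAX/alignment step; that assignment is outside the hunk and should be confirmed. The check sits in what appears to be a ZEND_DEBUG-only block (the `#endif` follows it), so the non-debug build's alignment of size is presumably done elsewhere and is not covered by this commit — worth checking that path separately. The `return NULL;` after zend_error_noreturn() is unreachable and reads as a compiler-silencer; a one-line comment such as `/* unreachable; keeps the compiler's flow analysis quiet */` would make that intent explicit. zend_mm_alloc_heap begins and ends outside the hunk.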