Fixed bug #50207 (segmentation fault when concatenating very large strings
authorIlia Alshanetsky <iliaa@php.net>
Thu, 19 Nov 2009 14:04:34 +0000 (14:04 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Thu, 19 Nov 2009 14:04:34 +0000 (14:04 +0000)
on 64bit linux).

NEWS
Zend/zend_operators.c

diff --git a/NEWS b/NEWS
index 14e1b11daae3c5b2b2c9bd02aa316ed5a4807547..8e29ed6599346edc8b676a822ee49998a505dd59 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
 - Changed "post_max_size" php.ini directive to allow unlimited post size by
   setting it to 0. (Rasmus)
 
+- Fixed bug #50207 (segmentation fault when concatenating very large strings
+  on 64bit linux). (Ilia)
 - Fixed bug #50185 (ldap_get_entries() return false instead of an empty array
   when there is no error). (Jani)
 - Fixed bug #50174 (Incorrectly matched docComment). (Felipe)
index 4fe38eb833cad1254e4724f80d82f627e358640e..4d9210d0e6f81f641a3c5882cf8da5845c153ec8 100644 (file)
@@ -1202,6 +1202,12 @@ ZEND_API int concat_function(zval *result, zval *op1, zval *op2 TSRMLS_DC)
        }
        if (result==op1) {      /* special case, perform operations on result */
                uint res_len = op1->value.str.len + op2->value.str.len;
+
+               if (Z_STRLEN_P(result) < 0) {
+                       efree(Z_STRVAL_P(result));
+                       ZVAL_EMPTY_STRING(result);
+                       zend_error(E_ERROR, "String size overflow");
+               }
                
                result->value.str.val = erealloc(result->value.str.val, res_len+1);
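Review bot: The guard added in the `result==op1` branch tests only `Z_STRLEN_P(result) < 0`, so it catches a length that has already gone negative but never checks the sum computed one line above in `uint res_len = op1->value.str.len + op2->value.str.len;`. Since the `< 0` test implies a signed length field, two valid lengths can add up past what that field holds; the `erealloc(..., res_len+1)` and the copy that presumably follows outside this hunk would then run with an unrepresentable length, and the problem would be noticed only on a later concatenation. Checking the operands before adding would reject the overflow when it happens, for example `if (Z_STRLEN_P(op1) < 0 || Z_STRLEN_P(op2) < 0 || Z_STRLEN_P(op2) > INT_MAX - Z_STRLEN_P(op1))`, assuming the field is an `int`. The other branch of concat_function lies outside the hunk and may need the same guard.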