Fixed bug #77329 (Buffer Overflow via overly long Error Messages)
authorDmitry Stogov <dmitry@zend.com>
Fri, 1 Feb 2019 08:11:15 +0000 (11:11 +0300)
committerDmitry Stogov <dmitry@zend.com>
Fri, 1 Feb 2019 08:11:15 +0000 (11:11 +0300)
NEWS
Zend/zend_smart_str.c

diff --git a/NEWS b/NEWS
index d94a6f47e5ed497db8e0b9cb2a13816511763b77..6766c61a4bdd431c58b45bde143bbc91944d7062 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? ????, PHP 7.3.3
 
 - Core:
+  . Fixed bug #77329 (Buffer Overflow via overly long Error Messages).
+    (Dmitry)
   . Fixed bug #77494 (Disabling class causes segfault on member access).
     (Dmitry)
   . Fixed bug #77498 (Custom extension Segmentation fault when declare static
index 0e34f12cde60e5b7ea361012276ca85375a7a925..e13741f72ee11de3496b6bcbc6e83655e00ea056 100644 (file)
@@ -155,7 +155,12 @@ ZEND_API void ZEND_FASTCALL _smart_string_alloc(smart_string *str, size_t len)
                        str->c = emalloc(SMART_STRING_START_LEN + 1);
                } else {
                        str->a = ZEND_MM_ALIGNED_SIZE_EX(len + SMART_STRING_OVERHEAD, SMART_STRING_PAGE) - SMART_STRING_OVERHEAD;
-                       str->c = emalloc_large(str->a + 1);
+                       if (EXPECTED(str->a < (ZEND_MM_CHUNK_SIZE - SMART_STRING_OVERHEAD))) {
+                               str->c = emalloc_large(str->a + 1);
+                       } else {
+                               /* allocate a huge chunk */
+                               str->c = emalloc(str->a + 1);
+                       }
                }
        } else {
                if (UNEXPECTED((size_t) len > SIZE_MAX - str->len)) {
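Review bot: The new bound `str->a < (ZEND_MM_CHUNK_SIZE - SMART_STRING_OVERHEAD)` in `_smart_string_alloc` is the security-relevant line of this fix, but its only comment, `/* allocate a huge chunk */`, does not say why `emalloc_large()` is unsafe past that size. I would add a comment above the `if`, for example `/* emalloc_large() presumably takes the size on trust; a request that does not fit in one chunk must go through emalloc() */`. The bound is also written in smart_string terms rather than with the allocator's own limit (`ZEND_MM_MAX_LARGE_SIZE`). It appears to hold only because `str->a + SMART_STRING_OVERHEAD` was rounded up to a multiple of `SMART_STRING_PAGE` on the line before, so either compare `str->a + 1` against the allocator constant or state that dependency in the comment. The function body starts and ends outside the hunk, so the reallocation branch that begins at `} else {` could not be checked against the same limit.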