Fix bug #72541 - size_t overflow lead to heap corruption

diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index 6a616411ef6c382e9a89dc651cd697771140362a..7d085de73cccebe987dd0416248d4acda143986e 100644 (file)
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -3595,6 +3595,10 @@ PHP_FUNCTION(curl_unescape)
                RETURN_FALSE;
        }
 
+       if (str_len > INT_MAX) {
+               RETURN_FALSE;
+       }
+
        if ((out = curl_easy_unescape(ch->cp, str, str_len, &out_len))) {
                RETVAL_STRINGL(out, out_len);
                curl_free(out);