Fix bug #71637: Multiple Heap Overflow due to integer overflows

diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c
index ff27bdb1be0bf4fdb663b9a997f0812d7e6043b7..0b11ecfc2a3c2a4f789851961df73763f0a1578a 100644 (file)
--- a/ext/filter/sanitizing_filters.c
+++ b/ext/filter/sanitizing_filters.c
@@ -87,7 +87,7 @@ static void php_filter_encode_url(zval *value, const unsigned char* chars, const
                memset(tmp, 1, 32);
        }
 */
-       str = zend_string_alloc(3 * Z_STRLEN_P(value), 0);
+       str = zend_string_safe_alloc(Z_STRLEN_P(value), 3, 0, 0);
        p = (unsigned char *) ZSTR_VAL(str);
        s = (unsigned char *) Z_STRVAL_P(value);
        e = s + Z_STRLEN_P(value);

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 489006b26178be6ba320497f2b19faea4899211a..7b6ad8ed9ceba7215921837dd490077e0879610e 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -5372,7 +5372,7 @@ PHP_FUNCTION(str_pad)
                return;
        }
 
-       result = zend_string_alloc(ZSTR_LEN(input) + num_pad_chars, 0);
+       result = zend_string_safe_alloc(ZSTR_LEN(input), 1, num_pad_chars, 0);
        ZSTR_LEN(result) = 0;
 
        /* We need to figure out the left/right padding lengths. */

diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index d6eae465830a5faba3f5424ed3af98e1d67825bf..bfa1b85b99bbf576e5f383dc55853eb8acf10366 100644 (file)
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -581,7 +581,7 @@ PHP_XML_API zend_string *xml_utf8_encode(const char *s, size_t len, const XML_Ch
        }
        /* This is the theoretical max (will never get beyond len * 2 as long
         * as we are converting from single-byte characters, though) */
-       str = zend_string_alloc(len * 4, 0);
+       str = zend_string_safe_alloc(len, 4, 0, 0);
        ZSTR_LEN(str) = 0;
        while (pos > 0) {
                c = encoder ? encoder((unsigned char)(*s)) : (unsigned short)(*s);