Fix bug #67247 spl_fixedarray_resize integer overflow
authorStanislav Malyshev <stas@php.net>
Mon, 12 May 2014 00:54:27 +0000 (17:54 -0700)
committerStanislav Malyshev <stas@php.net>
Fri, 18 Jul 2014 22:59:59 +0000 (15:59 -0700)
ext/spl/spl_fixedarray.c
ext/spl/tests/bug67247.phpt [new file with mode: 0644]

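--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -116,7 +116,7 @@ static void spl_fixedarray_resize(spl_fixedarray *array, long size TSRMLS_DC) /*
                        array->elements = NULL;
                }
        } else if (size > array->size) {
-               array->elements = erealloc(array->elements, sizeof(zval *) * size);
+               array->elements = safe_erealloc(array->elements, size, sizeof(zval *), 0);
                memset(array->elements + array->size, '\0', sizeof(zval *) * (size - array->size));
        } else { /* size < array->size */
                long i;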
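Review bot: The guard on the `+` line turns an oversized `setSize()` into an unrecoverable E_ERROR (exactly what the new test expects), so a script cannot catch it; since `size` reaches this function from userland, a bounds check in the caller that throws before any allocation, e.g. `if (size > LONG_MAX / sizeof(zval *))` next to whatever negative-size handling setSize already performs, would give callers a usable contract. `size` is also a signed `long` handed to safe_erealloc's `size_t` element count, so a negative value that slipped through would be converted to a huge count and trip the same fatal instead of being reported as invalid, which is only acceptable if the caller rejects negatives first — I cannot confirm that from this hunk. A short why-comment would help future readers: `/* size is user-controlled; safe_erealloc checks size * sizeof(zval *) for overflow (bug #67247) */`. spl_fixedarray_resize begins before this hunk and continues after it.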
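--- /dev/null
+++ b/ext/spl/tests/bug67247.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #67247 (spl_fixedarray_resize integer overflow)
+--FILE--
+<?php
+$ar = new SplFixedArray(1);
+echo "size: ".$ar->getSize()."\n";
+$ar->setSize((PHP_INT_SIZE==8)?0x2000000000000001:0x40000001);
+echo "size: ".$ar->getSize()."\n";
+?>
+--EXPECTF--
+size: 1
+
+Fatal error: Possible integer overflow in memory allocation (%d * %d + 0) in %s on line %d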