Fix #79427: Integer Overflow in shmop_open()

If `shm.shm_segsz > ZEND_LONG_MAX` the assignment to `shmop->size` a
few lines below would overflow, so we catch that early and bail out if
necessary.

diff --git a/NEWS b/NEWS
index f27238b7014289f14b1b1b5139e09563f51e1d76..2a8a0da2af566f9224b6aea7d3412d52351ea881 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ PHP                                                                        NEWS
   . Fixed bug #79412 (Opcache chokes and uses 100% CPU on specific script).
     (Dmitry)
 
+- Shmop:
+  . Fixed bug #79427 (Integer Overflow in shmop_open()). (cmb)
+
 - SimpleXML:
   . Fixed bug #61597 (SXE properties may lack attributes and content). (cmb)
 

diff --git a/ext/shmop/shmop.c b/ext/shmop/shmop.c
index d0d226bbbc2ab81b765eff099fc4f9352ade3945..1509b80b0ad51072742896d904f7cb35725f704f 100644 (file)
--- a/ext/shmop/shmop.c
+++ b/ext/shmop/shmop.c
@@ -207,6 +207,11 @@ PHP_FUNCTION(shmop_open)
                goto err;
        }
 
+       if (shm.shm_segsz > ZEND_LONG_MAX) {
+               php_error_docref(NULL, E_WARNING, "shared memory segment too large to attach");
+               goto err;
+       }
+
        shmop->addr = shmat(shmop->shmid, 0, shmop->shmatflg);
        if (shmop->addr == (char*) -1) {
                php_error_docref(NULL, E_WARNING, "unable to attach to shared memory segment '%s'", strerror(errno));