Fix bug #71750: use zend_string_safe_alloc for calculated allocations

diff --git a/NEWS b/NEWS
index fc6a40b806e144a1475dae8e12633af7e780c7ad..e8684bba4b3a458ed4b767a2e32176d0ce4754f8 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,8 @@ PHP                                                                        NEWS
   . Fixed Bug #71859 (zend_objects_store_call_destructors operates on realloced
     memory, crashing). (Laruence)
   . Fixed bug #71841 (EG(error_zval) is not handled well). (Laruence)
+  . Fixed bug #71750 (Multiple Heap Overflows in php_raw_url_encode/
+    php_url_encode). (Stas)
   . Fixed bug #71731 (Null coalescing operator and ArrayAccess). (Nikita)
   . Fixed bug #69659 (ArrayAccess, isset() and the offsetExists method).
     (Nikita)

diff --git a/ext/standard/url.c b/ext/standard/url.c
index 0138e4203f636e638512a977a8b8fdc5f7b6c717..9963ce60f4424e58f5ccbb735f189327e9b1282d 100644 (file)
--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@ -493,7 +493,7 @@ PHPAPI zend_string *php_url_encode(char const *s, size_t len)
 
        from = (unsigned char *)s;
        end = (unsigned char *)s + len;
-       start = zend_string_alloc(3 * len, 0);
+       start = zend_string_safe_alloc(3, len, 0, 0);
        to = (unsigned char*)ZSTR_VAL(start);
 
        while (from < end) {
@@ -611,7 +611,7 @@ PHPAPI zend_string *php_raw_url_encode(char const *s, size_t len)
        register int x, y;
        zend_string *str;
 
-       str = zend_string_alloc(3 * len, 0);
+       str = zend_string_safe_alloc(3, len, 0, 0);
        for (x = 0, y = 0; len--; x++, y++) {
                ZSTR_VAL(str)[y] = (unsigned char) s[x];
 #ifndef CHARSET_EBCDIC