We should not silently go on if the required size can not be met.
authorXinchen Hui <laruence@php.net>
Wed, 12 Aug 2015 08:40:59 +0000 (16:40 +0800)
committerXinchen Hui <laruence@php.net>
Wed, 12 Aug 2015 08:40:59 +0000 (16:40 +0800)
Zend/zend_hash.c

index 96ed6794f7ff91bbb83eb9c958c01f00b9082e61..b8cd4355e83035eabcb6dec509b9a3947a8fbdce 100644 (file)
@@ -98,6 +98,11 @@ static uint32_t zend_always_inline zend_hash_check_size(uint32_t nSize)
        /* Use big enough power of 2 */
        /* size should be between HT_MIN_SIZE and HT_MAX_SIZE */
        nSize = (nSize <= HT_MIN_SIZE ? HT_MIN_SIZE : (nSize >= HT_MAX_SIZE ? HT_MAX_SIZE : nSize));
+       if (nSize < HT_MIN_SIZE) {
+               nSize = HT_MIN_SIZE;
+       } else if (UNEXPECTED(nSize >= HT_MAX_SIZE)) {
+               zend_error_noreturn(E_ERROR, "Possible integer overflow in memory allocation (%zu * %zu + %zu)", nSize, sizeof(Bucket), sizeof(Bucket));
+       }
 
 #if defined(ZEND_WIN32)
        if (BitScanReverse(&index, nSize - 1)) {
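Review bot: The format string in the added `zend_error_noreturn` call uses `%zu` for `nSize`, which the hunk header declares as `uint32_t`; where `size_t` is wider than 32 bits the formatter reads a `size_t` for that slot, so the reported size can be wrong and the two `sizeof(Bucket)` arguments after it may be misread. Use `%u` for the first conversion, i.e. `"Possible integer overflow in memory allocation (%u * %zu + %zu)"`, or pass `(size_t)nSize`. Separately, as rendered the clamping assignment just above the new `if` is still a context line; if it really is kept, `nSize < HT_MIN_SIZE` can never be true and the message always reports `HT_MAX_SIZE` rather than the size the caller requested, so the clamp should presumably be removed. The body of `zend_hash_check_size` starts before and continues past this hunk.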