From: Dmitry Stogov <dmitry@zend.com>
Date: Fri, 1 Feb 2019 08:11:15 +0000 (+0300)
Subject: Fixed bug #77329 (Buffer Overflow via overly long Error Messages)
X-Git-Tag: php-7.3.3RC1~23
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=203a2da30ae6722689e3625ac3c787c560a791a9;p=php

Fixed bug #77329 (Buffer Overflow via overly long Error Messages)
---

diff --git a/NEWS b/NEWS
index d94a6f47e5..6766c61a4b 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? ????, PHP 7.3.3
 
 - Core:
+  . Fixed bug #77329 (Buffer Overflow via overly long Error Messages).
+    (Dmitry)
   . Fixed bug #77494 (Disabling class causes segfault on member access).
     (Dmitry)
   . Fixed bug #77498 (Custom extension Segmentation fault when declare static
diff --git a/Zend/zend_smart_str.c b/Zend/zend_smart_str.c
index 0e34f12cde..e13741f72e 100644
--- a/Zend/zend_smart_str.c
+++ b/Zend/zend_smart_str.c
@@ -155,7 +155,12 @@ ZEND_API void ZEND_FASTCALL _smart_string_alloc(smart_string *str, size_t len)
 			str->c = emalloc(SMART_STRING_START_LEN + 1);
 		} else {
 			str->a = ZEND_MM_ALIGNED_SIZE_EX(len + SMART_STRING_OVERHEAD, SMART_STRING_PAGE) - SMART_STRING_OVERHEAD;
-			str->c = emalloc_large(str->a + 1);
+			if (EXPECTED(str->a < (ZEND_MM_CHUNK_SIZE - SMART_STRING_OVERHEAD))) {
+				str->c = emalloc_large(str->a + 1);
+			} else {
+				/* allocate a huge chunk */
+				str->c = emalloc(str->a + 1);
+			}
 		}
 	} else {
 		if (UNEXPECTED((size_t) len > SIZE_MAX - str->len)) {
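Review bot: The new `str->a < (ZEND_MM_CHUNK_SIZE - SMART_STRING_OVERHEAD)` test trusts the value computed on the line above it, and in this first-allocation branch nothing visible guards `len + SMART_STRING_OVERHEAD` inside `ZEND_MM_ALIGNED_SIZE_EX` against wrapping, whereas the append branch tests `len > SIZE_MAX - str->len` first. If the sum wrapped, `str->a` would come out small, pass the new test, and the buffer would be smaller than the caller asked for; whether any caller can pass a `len` that large cannot be seen from this hunk. Consider a guard before the computation, e.g. `if (UNEXPECTED(len > SIZE_MAX - SMART_STRING_OVERHEAD - SMART_STRING_PAGE))`, handled the same way the append branch handles its overflow case. The comment `/* allocate a huge chunk */` would also help more if it stated the invariant, e.g. `/* str->a + 1 is at or above the large-allocation limit: use emalloc(), which selects the size class itself */`. The body of `_smart_string_alloc` starts before and continues after this hunk.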