From: Dmitry Stogov <dmitry@zend.com>
Date: Fri, 1 Feb 2019 08:11:15 +0000 (+0300)
Subject: Fixed bug #77329 (Buffer Overflow via overly long Error Messages)
X-Git-Tag: php-7.3.3RC1~23
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=203a2da30ae6722689e3625ac3c787c560a791a9;p=php

Fixed bug #77329 (Buffer Overflow via overly long Error Messages)
---
diff --git a/NEWS b/NEWS
index d94a6f47e5..6766c61a4b 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP NEWS
 ?? ??? ????, PHP 7.3.3

 - Core:
+ . Fixed bug #77329 (Buffer Overflow via overly long Error Messages).
+ (Dmitry)
 . Fixed bug #77494 (Disabling class causes segfault on member access).
 (Dmitry)
 . Fixed bug #77498 (Custom extension Segmentation fault when declare static
diff --git a/Zend/zend_smart_str.c b/Zend/zend_smart_str.c
index 0e34f12cde..e13741f72e 100644
--- a/Zend/zend_smart_str.c
+++ b/Zend/zend_smart_str.c
@@ -155,7 +155,12 @@ ZEND_API void ZEND_FASTCALL _smart_string_alloc(smart_string *str, size_t len)
 str->c = emalloc(SMART_STRING_START_LEN + 1);
 } else {
 str->a = ZEND_MM_ALIGNED_SIZE_EX(len + SMART_STRING_OVERHEAD, SMART_STRING_PAGE) - SMART_STRING_OVERHEAD;
- str->c = emalloc_large(str->a + 1);
+ if (EXPECTED(str->a < (ZEND_MM_CHUNK_SIZE - SMART_STRING_OVERHEAD))) {
+ str->c = emalloc_large(str->a + 1);
+ } else {
+ /* allocate a huge chunk */
+ str->c = emalloc(str->a + 1);
+ }
 }
 } else {
 if (UNEXPECTED((size_t) len > SIZE_MAX - str->len)) {
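Review bot: The first-allocation branch still computes `len + SMART_STRING_OVERHEAD` (context line just above the new `EXPECTED` test) with no overflow guard visible in this hunk, whereas the append branch at the bottom of the hunk checks `len > SIZE_MAX - str->len` first. If `len` can approach `SIZE_MAX` here, the sum wraps, `str->a` comes out small, and the new test would pass and hand `emalloc_large` a request far shorter than the caller intends to write; a guard such as `if (UNEXPECTED(len > SIZE_MAX - SMART_STRING_OVERHEAD - SMART_STRING_PAGE))` ahead of the computation, failing the same way the append branch does, would close that. The comment `/* allocate a huge chunk */` could also record why the split exists, for example `/* emalloc_large() must only see sizes below the chunk size; larger requests go through emalloc() */`, if that is indeed the invariant the fix relies on. The body of `_smart_string_alloc` begins and ends outside the hunk, so an earlier bound on `len` may already exist there.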