From: Stanislav Malyshev
Date: Mon, 22 Feb 2016 07:14:29 +0000 (-0800)
Subject: Fix bug #71637: Multiple Heap Overflow due to integer overflows
X-Git-Tag: php-7.0.4~4
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9cabc99fcef0f12b472e40811beab4eb2ef17e1b;p=php
Fix bug #71637: Multiple Heap Overflow due to integer overflows
---
diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c
index ff27bdb1be..0b11ecfc2a 100644
--- a/ext/filter/sanitizing_filters.c
+++ b/ext/filter/sanitizing_filters.c
@@ -87,7 +87,7 @@ static void php_filter_encode_url(zval *value, const unsigned char* chars, const
 memset(tmp, 1, 32);
 }
 */
- str = zend_string_alloc(3 * Z_STRLEN_P(value), 0);
+ str = zend_string_safe_alloc(Z_STRLEN_P(value), 3, 0, 0);
 p = (unsigned char *) ZSTR_VAL(str);
 s = (unsigned char *) Z_STRVAL_P(value);
 e = s + Z_STRLEN_P(value);
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 489006b261..7b6ad8ed9c 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -5372,7 +5372,7 @@ PHP_FUNCTION(str_pad)
 return;
 }
- result = zend_string_alloc(ZSTR_LEN(input) + num_pad_chars, 0);
+ result = zend_string_safe_alloc(ZSTR_LEN(input), 1, num_pad_chars, 0);
 ZSTR_LEN(result) = 0;
 /* We need to figure out the left/right padding lengths. */
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index d6eae46583..bfa1b85b99 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -581,7 +581,7 @@ PHP_XML_API zend_string *xml_utf8_encode(const char *s, size_t len, const XML_Ch
 }
 /* This is the theoretical max (will never get beyond len * 2 as long
 * as we are converting from single-byte characters, though) */
- str = zend_string_alloc(len * 4, 0);
+ str = zend_string_safe_alloc(len, 4, 0, 0);
 ZSTR_LEN(str) = 0;
 while (pos > 0) {
 c = encoder ? encoder((unsigned char)(*s)) : (unsigned short)(*s);
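Review bot: The bare `3` in `zend_string_safe_alloc(Z_STRLEN_P(value), 3, 0, 0)` is unexplained, and the four positional arguments make it hard to tell the multiplier from the addend and the persistence flag. A comment above the call would help, for example `/* up to 3 output bytes per input byte; safe_alloc raises a fatal error if n * m + l overflows */`. The three-bytes-per-byte reading is inferred from the function name and the removed `3 * Z_STRLEN_P(value)`, so confirm it against the encoding loop, which lies outside the hunk. The same applies to the `(ZSTR_LEN(input), 1, num_pad_chars, 0)` call in ext/standard/string.c and the `(len, 4, 0, 0)` call in ext/xml/xml.c.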
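Review bot: The checked addition in `zend_string_safe_alloc(ZSTR_LEN(input), 1, num_pad_chars, 0)` protects only the allocation size. `num_pad_chars` is computed above the hunk, presumably from the caller-supplied pad length, and the hunk does not show whether that computation can wrap or go negative before it reaches this call. Confirm that an earlier range check rejects a pad length no longer than the input and that `num_pad_chars` has an unsigned size type, then record it next to the call, e.g. `/* num_pad_chars was range-checked above, so n + l is the only overflow left */`. PHP_FUNCTION(str_pad) starts and ends outside the hunk.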
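Review bot: `xml_utf8_encode` is exported with `PHP_XML_API`, and with `zend_string_safe_alloc(len, 4, 0, 0)` an oversized `len` now ends in a fatal error, so the function does not return to its caller in that case. Nothing in the hunk states this contract change. A line in the function's header comment such as `/* Raises a fatal error if len * 4 overflows size_t; there is no failure return for that case. */` would tell extension authors not to expect an error value. Whether the function can return NULL for other reasons is not visible here, since its body starts and ends outside the hunk.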