From 0b9c87a02bacfbf1d1383ad393bda78e5d65570c Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Wed, 24 Feb 2016 11:04:48 +0300
Subject: [PATCH] Fixed bug #71535 (Integer overflow in zend_mm_alloc_heap())

---
 NEWS | 1 +
 Zend/zend_alloc.c | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/NEWS b/NEWS
index 2d6bf69433..fc22aaa606 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,7 @@ PHP NEWS
 invoke C::$callable()). (Bob)
 . Fixed bug #71596 (Segmentation fault on ZTS with date function (setlocale)). (Anatol)
+ . Fixed bug #71535 (Integer overflow in zend_mm_alloc_heap()). (Dmitry)
 - Phar:
 . Fixed bug #71625 (Crash in php7.dll with bad phar filename).
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
index cfc277f136..2e0de26378 100644
--- a/Zend/zend_alloc.c
+++ b/Zend/zend_alloc.c
@@ -1353,6 +1353,10 @@ static zend_always_inline void *zend_mm_alloc_heap(zend_mm_heap *heap, size_t si
 /* special handling for zero-size allocation */
 size = MAX(size, 1);
 size = ZEND_MM_ALIGNED_SIZE(size) + ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_debug_info));
+ if (UNEXPECTED(size < real_size)) {
+ zend_error_noreturn(E_ERROR, "Possible integer overflow in memory allocation (%zu + %zu)", ZEND_MM_ALIGNED_SIZE(real_size), ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_debug_info)));
+ return NULL;
+ }
 #endif
 if (size <= ZEND_MM_MAX_SMALL_SIZE) {
 ptr = zend_mm_alloc_small(heap, size, ZEND_MM_SMALL_SIZE_TO_BIN(size) ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
--
2.50.1
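Review bot: The guard `if (UNEXPECTED(size < real_size))` is only sound if `real_size` still holds the caller's unadjusted request at this point, and that assignment, the function signature and the opening `#if ZEND_DEBUG` all lie outside the hunk, so the invariant should be stated beside the check; I would add `/* size was rounded up and had the debug header added: a wrapped sum ends up below the original request */` above the `if`. Because the check precedes `#endif`, it runs in debug builds only; the comment should also say that release builds rely on the size checks in the allocation paths that follow (inferred from the layout, not visible in the hunk). The `return NULL;` after `zend_error_noreturn()` cannot execute if that call is genuinely noreturn; keeping it is reasonable for compilers that do not see the attribute, but a `/* unreachable: satisfies compilers unaware of the noreturn attribute */` comment would explain why it is kept. zend_mm_alloc_heap's body continues outside the hunk.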