From 7bf6d985351ad92715b18692ba128842b725f1c0 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Wed, 10 Aug 2016 23:46:33 -0700
Subject: [PATCH] Check for string overflow
---
 ext/standard/php_smart_string.h | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/ext/standard/php_smart_string.h b/ext/standard/php_smart_string.h
index a832376064..1175d32907 100644
--- a/ext/standard/php_smart_string.h
+++ b/ext/standard/php_smart_string.h
@@ -52,19 +52,22 @@
 #define SMART_STRING_DO_REALLOC(d, what) \
 (d)->c = SMART_STRING_REALLOC((d)->c, (d)->a + 1, (what))
 
-#define smart_string_alloc4(d, n, what, newlen) do { \
+#define smart_string_alloc4(d, n, what, newlen) do { \
 if (!(d)->c) { \
 (d)->len = 0; \
 newlen = (n); \
- (d)->a = newlen < SMART_STRING_START_SIZE \
- ? SMART_STRING_START_SIZE \
- : newlen + SMART_STRING_PREALLOC; \
- SMART_STRING_DO_REALLOC(d, what); \
+ (d)->a = newlen < SMART_STRING_START_SIZE \
+ ? SMART_STRING_START_SIZE \
+ : newlen + SMART_STRING_PREALLOC; \
+ SMART_STRING_DO_REALLOC(d, what); \
 } else { \
+ if(UNEXPECTED(n > SIZE_MAX - (d)->len)) { \
+ zend_error(E_ERROR, "String size overflow"); \
+ } \
 newlen = (d)->len + (n); \
 if (newlen >= (d)->a) { \
- (d)->a = newlen + SMART_STRING_PREALLOC; \
- SMART_STRING_DO_REALLOC(d, what); \
+ (d)->a = newlen + SMART_STRING_PREALLOC; \
+ SMART_STRING_DO_REALLOC(d, what); \
 } \
 } \
 } while (0)
--
2.40.0
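Review bot: The guard added in the `else` branch only proves that `(d)->len + (n)` does not wrap; the additions that follow it, `newlen + SMART_STRING_PREALLOC` and the `(d)->a + 1` inside `SMART_STRING_DO_REALLOC`, can still wrap when `newlen` lands within that headroom of `SIZE_MAX`, which would leave the buffer smaller than `newlen`. The `!(d)->c` branch has no check at all, so a first append with a very large `n` reaches the same arithmetic unguarded. Folding the headroom into the bound would cover both cases, e.g. `if (UNEXPECTED((n) > SIZE_MAX - SMART_STRING_PREALLOC - 1 - (d)->len)) { \` (assuming `(d)->len` itself never exceeds that bound), with the same comparison against `(n)` alone in the first branch; this also parenthesizes the macro argument `n`, which the added line uses bare. Whether `zend_error(E_ERROR, ...)` is guaranteed not to return is not visible in this hunk, so a short comment stating that assumption next to the call would help, since a returning call would fall through to the unchecked addition.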