Fix #74544: Integer overflow in mysqli_real_escape_string()

The patch has been provided by @johannes. Closes GH-7353.
php · Aug 9, 2021 · 5977610 · 5977610
1 parent 6724d5d
commit 5977610
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/NEWS b/NEWS
@@ -18,6 +18,10 @@ PHP                                                                        NEWS
 - GD:
   . Fixed bug #51498 (imagefilledellipse does not work for large circles). (cmb)
 
+- MySQLi:
+  . Fixed bug #74544 (Integer overflow in mysqli_real_escape_string()). (cmb,
+    johannes)
+
 - OpenSSL:
   . Fixed bug #81327 (Error build openssl extension on php 7.4.22). (cmb)
 

diff --git a/ext/mysqli/mysqli_api.c b/ext/mysqli/mysqli_api.c
@@ -1971,7 +1971,7 @@ PHP_FUNCTION(mysqli_real_escape_string) {
 	}
 	MYSQLI_FETCH_RESOURCE_CONN(mysql, mysql_link, MYSQLI_STATUS_VALID);
 
-	newstr = zend_string_alloc(2 * escapestr_len, 0);
+	newstr = zend_string_safe_alloc(2, escapestr_len, 0, 0);
 	ZSTR_LEN(newstr) = mysql_real_escape_string_quote(mysql->mysql, ZSTR_VAL(newstr), escapestr, escapestr_len, '\'');
 	newstr = zend_string_truncate(newstr, ZSTR_LEN(newstr), 0);