Revert "Fix #73122: Integer Overflow when concatenating strings"

This reverts commit f1ce8d5, which has been accidentially pushed.
php · Aug 17, 2021 · f3c45c1 · f3c45c1
1 parent f1ce8d5
commit f3c45c1
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 4 deletions.
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -1882,7 +1882,7 @@ ZEND_API int ZEND_FASTCALL concat_function(zval *result, zval *op1, zval *op2) /
 		size_t result_len = op1_len + op2_len;
 		zend_string *result_str;
 
-		if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len || op2_len > ZSTR_MAX_LEN)) {
+		if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) {
 			zend_throw_error(NULL, "String size overflow");
 			zval_ptr_dtor_str(&op1_copy);
 			zval_ptr_dtor_str(&op2_copy);

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -416,9 +416,6 @@ ZEND_VM_HANDLER(8, ZEND_CONCAT, CONST|TMPVAR|CV, CONST|TMPVAR|CV, SPEC(NO_CONST_
 		    !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
 		    size_t len = ZSTR_LEN(op1_str);
 
-			if (UNEXPECTED(ZSTR_LEN(op2_str) > ZSTR_MAX_LEN - len || len > ZSTR_MAX_LEN)) {
-				zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
-			}
 			str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
 			memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
 			ZVAL_NEW_STR(EX_VAR(opline->result.var), str);