
Commit 7c53e7d

committed
Merge branch 'PHP-8.0'
* PHP-8.0: Fix #73122: Integer Overflow when concatenating strings
2 parents a991fe5 + d71a0dc commit 7c53e7d


2 files changed

+27
-0
lines changed


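--- a/Zend/zend_vm_def.h
+++ b/Zend/zend_vm_def.h
@@ -407,6 +407,9 @@ ZEND_VM_HANDLER(8, ZEND_CONCAT, CONST|TMPVAR|CV, CONST|TMPVAR|CV, SPEC(NO_CONST_
 !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
 size_t len = ZSTR_LEN(op1_str);
 
+if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+}
 str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
 memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
 ZVAL_NEW_STR(EX_VAR(opline->result.var), str);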
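Review bot: The new bound guards only the in-place `zend_string_extend()` branch, so any other place that computes a combined length as `ZSTR_LEN(op1_str) + ZSTR_LEN(op2_str)` stays unchecked unless it has its own guard. The ZEND_CONCAT handler starts and ends outside this hunk, so its fallback allocation branch and the other concatenation handlers are not visible here. It is worth confirming that each of them rejects a wrapped length before the `memcpy()`. The check is also worth a one-line comment, for example `/* compare by subtraction so the test cannot wrap; relies on ZSTR_LEN(op2_str) <= ZSTR_MAX_LEN */`, because its safety depends on that invariant holding for every string that reaches the handler. If the same three lines are needed in several handlers, a small shared helper or macro in the template would keep the copies from drifting apart.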

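--- a/Zend/zend_vm_execute.h
+++ b/Zend/zend_vm_execute.h
@@ -8395,6 +8395,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_CONCAT_SPEC_CONST_TMPVAR_HANDL
 !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
 size_t len = ZSTR_LEN(op1_str);
 
+if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+}
 str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
 memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
 ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -10747,6 +10750,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_CONCAT_SPEC_CONST_CV_HANDLER(Z
 !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
 size_t len = ZSTR_LEN(op1_str);
 
+if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+}
 str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
 memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
 ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -14824,6 +14830,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_CONCAT_SPEC_TMPVAR_CONST_HANDL
 !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
 size_t len = ZSTR_LEN(op1_str);
 
+if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+}
 str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
 memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
 ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -16244,6 +16253,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_CONCAT_SPEC_TMPVAR_TMPVAR_HAND
 !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
 size_t len = ZSTR_LEN(op1_str);
 
+if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+}
 str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
 memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
 ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -17918,6 +17930,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_CONCAT_SPEC_TMPVAR_CV_HANDLER(
 !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
 size_t len = ZSTR_LEN(op1_str);
 
+if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+}
 str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
 memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
 ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -38883,6 +38898,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_CONCAT_SPEC_CV_CONST_HANDLER(Z
 !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
 size_t len = ZSTR_LEN(op1_str);
 
+if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+}
 str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
 memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
 ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -42542,6 +42560,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_CONCAT_SPEC_CV_TMPVAR_HANDLER(
 !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
 size_t len = ZSTR_LEN(op1_str);
 
+if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+}
 str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
 memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
 ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -47544,6 +47565,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_CONCAT_SPEC_CV_CV_HANDLER(ZEND
 !ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
 size_t len = ZSTR_LEN(op1_str);
 
+if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+}
 str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
 memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
 ZVAL_NEW_STR(EX_VAR(opline->result.var), str);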
