Fixed bug #81070

pvandommelen · nikic · commit 1b3b5c94e52d · 2021-05-31T15:18:58.000+02:00
When the memory limit is reduced using an `ini_set("memory_limit", ..)` below the currently allocated memory, the out-of-memory check overflowed. Instead of implementing additional checks during allocation, `zend_set_memory_limit()` now validates the new memory limit. When below the current memory usage the ini_set call will fail and throw a warning. This is part of GH-7040.
diff --git a/NEWS b/NEWS
@@ -7,6 +7,8 @@ PHP                                                                        NEWS
   . Fixed bug #76359 (open_basedir bypass through adding ".."). (cmb)
   . Fixed bug #81090 (Typed property performance degradation with .= operator).
     (Nikita)
+  . Fixed bug #81070 (Integer underflow in memory limit comparison).
+    (Peter van Dommelen)
 
 - OpenSSL:
   . Fixed bug #76694 (native Windows cert verification uses CN as sever name).
diff --git a/Zend/tests/bug81070.phpt b/Zend/tests/bug81070.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #81070	Setting memory limit to below current usage
+--FILE--
+<?php
+$a = str_repeat("0", 5 * 1024 * 1024);
+ini_set("memory_limit", "3M");
+?>
+--EXPECTF--
+Warning: Failed to set memory limit to 3145728 bytes (Current memory usage is %d bytes) in %s on line %d
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
@@ -2660,7 +2660,13 @@ ZEND_API char* ZEND_FASTCALL zend_strndup(const char *s, size_t length)
 ZEND_API int zend_set_memory_limit(size_t memory_limit)
 {
 #if ZEND_MM_LIMIT
-	AG(mm_heap)->limit = (memory_limit >= ZEND_MM_CHUNK_SIZE) ? memory_limit : ZEND_MM_CHUNK_SIZE;
+	if (memory_limit < ZEND_MM_CHUNK_SIZE) {
+		memory_limit = ZEND_MM_CHUNK_SIZE;
+	}
+	if (UNEXPECTED(memory_limit < AG(mm_heap)->real_size)) {
+		return FAILURE;
+	}
+	AG(mm_heap)->limit = memory_limit;
 #endif
 	return SUCCESS;
 }
diff --git a/main/main.c b/main/main.c
@@ -296,12 +296,18 @@ static PHP_INI_MH(OnSetSerializePrecision)
  */
 static PHP_INI_MH(OnChangeMemoryLimit)
 {
+	size_t value;
 	if (new_value) {
-		PG(memory_limit) = zend_atol(ZSTR_VAL(new_value), ZSTR_LEN(new_value));
+		value = zend_atol(ZSTR_VAL(new_value), ZSTR_LEN(new_value));
 	} else {
-		PG(memory_limit) = Z_L(1)<<30;		/* effectively, no limit */
+		value = Z_L(1)<<30;		/* effectively, no limit */
 	}
-	return zend_set_memory_limit(PG(memory_limit));
+	if (zend_set_memory_limit(value) == FAILURE) {
+		zend_error(E_WARNING, "Failed to set memory limit to %zd bytes (Current memory usage is %zd bytes)", value, zend_memory_usage(true));
+		return FAILURE;
+	}
+	PG(memory_limit) = value;
+	return SUCCESS;
 }
 /* }}} */
 
