Fixed bug #77329 (Buffer Overflow via overly long Error Messages)

dstogov · dstogov · commit 203a2da30ae6 · 2019-02-01T11:11:15.000+03:00
diff --git a/NEWS b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? ????, PHP 7.3.3
 
 - Core:
+  . Fixed bug #77329 (Buffer Overflow via overly long Error Messages).
+    (Dmitry)
   . Fixed bug #77494 (Disabling class causes segfault on member access).
     (Dmitry)
   . Fixed bug #77498 (Custom extension Segmentation fault when declare static
diff --git a/Zend/zend_smart_str.c b/Zend/zend_smart_str.c
@@ -155,7 +155,12 @@ ZEND_API void ZEND_FASTCALL _smart_string_alloc(smart_string *str, size_t len)
 			str->c = emalloc(SMART_STRING_START_LEN + 1);
 		} else {
 			str->a = ZEND_MM_ALIGNED_SIZE_EX(len + SMART_STRING_OVERHEAD, SMART_STRING_PAGE) - SMART_STRING_OVERHEAD;
-			str->c = emalloc_large(str->a + 1);
+			if (EXPECTED(str->a < (ZEND_MM_CHUNK_SIZE - SMART_STRING_OVERHEAD))) {
+				str->c = emalloc_large(str->a + 1);
+			} else {
+				/* allocate a huge chunk */
+				str->c = emalloc(str->a + 1);
+			}
 		}
 	} else {
 		if (UNEXPECTED((size_t) len > SIZE_MAX - str->len)) {
