Fix #74604: Out of bounds in php_pcre_replace_impl

Trying to allocate a `zend_string` with a length only slighty smaller
than `SIZE_MAX` causes an integer overflow; we need to ensure this does
not happen, and throw an Error instead.

Author: cmb69

ext/pcre/php_pcre.c

@@ -1720,6 +1720,14 @@ PHPAPI zend_string *php_pcre_replace_impl(pcre_cache_entry *pce, zend_string *su
 
 			if (new_len >= alloc_len) {
 				alloc_len = zend_safe_address_guarded(2, new_len, 0);
+				if (UNEXPECTED(alloc_len > ZSTR_MAX_LEN)) {
+					zend_throw_error(NULL, "String size overflow");
+					if (result != NULL) {
+						zend_string_release_ex(result, 0);
+						result = NULL;
+					}
+					break;
+				}
 				if (result == NULL) {
 					result = zend_string_alloc(alloc_len, 0);
 				} else {
@@ -1958,6 +1966,14 @@ static zend_string *php_pcre_replace_func_impl(pcre_cache_entry *pce, zend_strin
 			new_len = zend_safe_address_guarded(1, ZSTR_LEN(eval_result), new_len);
 			if (new_len >= alloc_len) {
 				alloc_len = zend_safe_address_guarded(2, new_len, 0);
+				if (UNEXPECTED(alloc_len > ZSTR_MAX_LEN)) {
+					zend_throw_error(NULL, "String size overflow");
+					if (result != NULL) {
+						zend_string_release_ex(result, 0);
+						result = NULL;
+					}
+					break;
+				}
 				if (result == NULL) {
 					result = zend_string_alloc(alloc_len, 0);
 				} else {