Merge branch 'PHP-7.3' into PHP-7.4

cmb69 · cmb69 · commit 6627f782d661 · 2019-10-04T09:11:18.000+02:00
* PHP-7.3:
  Fix #78620: Out of memory error
diff --git a/NEWS b/NEWS
@@ -5,6 +5,7 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #78614 (Does not compile with DTRACE anymore).
     (tz at FreeBSD dot org)
+  . Fixed bug #78620 (Out of memory error). (cmb, Nikita)
 
 - Pcntl:
   . Fixed bug #77335 (PHP is preventing SIGALRM from specifying SA_RESTART).
diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
@@ -1754,12 +1754,17 @@ static void *zend_mm_alloc_huge(zend_mm_heap *heap, size_t size ZEND_FILE_LINE_D
 	 * We allocate them with 2MB size granularity, to avoid many
 	 * reallocations when they are extended by small pieces
 	 */
-	size_t new_size = ZEND_MM_ALIGNED_SIZE_EX(size, MAX(REAL_PAGE_SIZE, ZEND_MM_CHUNK_SIZE));
+	size_t alignment = MAX(REAL_PAGE_SIZE, ZEND_MM_CHUNK_SIZE);
 #else
-	size_t new_size = ZEND_MM_ALIGNED_SIZE_EX(size, REAL_PAGE_SIZE);
+	size_t alignment = REAL_PAGE_SIZE;
 #endif
+	size_t new_size = ZEND_MM_ALIGNED_SIZE_EX(size, alignment);
 	void *ptr;
 
+	if (UNEXPECTED(new_size < size)) {
+		zend_error_noreturn(E_ERROR, "Possible integer overflow in memory allocation (%zu + %zu)", size, alignment);
+	}
+
 #if ZEND_MM_LIMIT
 	if (UNEXPECTED(new_size > heap->limit - heap->real_size)) {
 		if (zend_mm_gc(heap) && new_size <= heap->limit - heap->real_size) {
diff --git a/ext/standard/tests/strings/wordwrap_memory_limit.phpt b/ext/standard/tests/strings/wordwrap_memory_limit.phpt
@@ -2,6 +2,7 @@
 No overflow should occur during the memory_limit check for wordwrap()
 --SKIPIF--
 <?php
+if (substr(PHP_OS, 0, 3) == 'WIN' && PHP_INT_SIZE == 4) die("skip this test is not for 32bit Windows platforms");
 if (getenv("USE_ZEND_ALLOC") === "0") die("skip Zend MM disabled");
 ?>
 --INI--
diff --git a/ext/standard/tests/strings/wordwrap_memory_limit_win32.phpt b/ext/standard/tests/strings/wordwrap_memory_limit_win32.phpt
@@ -0,0 +1,19 @@
+--TEST--
+No overflow should occur during the memory_limit check for wordwrap()
+--SKIPIF--
+<?php
+if (substr(PHP_OS, 0, 3) != 'WIN' || PHP_INT_SIZE != 4) die("skip this test is for 32bit Windows platforms only");
+if (getenv("USE_ZEND_ALLOC") === "0") die("skip Zend MM disabled");
+?>
+--INI--
+memory_limit=128M
+--FILE--
+<?php
+
+$str = str_repeat('x', 65534);
+$str2 = str_repeat('x', 65535);
+wordwrap($str, 1, $str2);
+
+?>
+--EXPECTF--
+Fatal error: Possible integer overflow in memory allocation (4294901777 + %d) in %s on line %d
