Fix #79427: Integer Overflow in shmop_open()

cmb69 · cmb69 · commit a681b12820ee · 2020-03-30T08:56:49.000+02:00
If `shm.shm_segsz &gt; ZEND_LONG_MAX` the assignment to `shmop-&gt;size` a
few lines below would overflow, so we catch that early and bail out if
necessary.
diff --git a/NEWS b/NEWS
@@ -20,6 +20,9 @@ PHP                                                                        NEWS
   . Fixed bug #79412 (Opcache chokes and uses 100% CPU on specific script).
     (Dmitry)
 
+- Shmop:
+  . Fixed bug #79427 (Integer Overflow in shmop_open()). (cmb)
+
 - SimpleXML:
   . Fixed bug #61597 (SXE properties may lack attributes and content). (cmb)
 
diff --git a/ext/shmop/shmop.c b/ext/shmop/shmop.c
@@ -207,6 +207,11 @@ PHP_FUNCTION(shmop_open)
 		goto err;
 	}
 
+	if (shm.shm_segsz > ZEND_LONG_MAX) {
+		php_error_docref(NULL, E_WARNING, "shared memory segment too large to attach");
+		goto err;
+	}
+
 	shmop->addr = shmat(shmop->shmid, 0, shmop->shmatflg);
 	if (shmop->addr == (char*) -1) {
 		php_error_docref(NULL, E_WARNING, "unable to attach to shared memory segment '%s'", strerror(errno));
