Fix #72595: php_output_handler_append illegal write access

cmb69 · cmb69 · commit a942cf5b0287 · 2021-07-15T15:26:42.000+02:00
We must make sure that `handler->buffer.size + grow_max` does not overflow, so we're using `safe_erealloc()` instead. Closes GH-7241.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.4.23
 
+- Core:
+  . Fixed bug #72595 (php_output_handler_append illegal write access). (cmb)
+
 - Standard:
   . Fixed bug #72146 (Integer overflow on substr_replace). (cmb)
 
diff --git a/main/output.c b/main/output.c
@@ -889,7 +889,7 @@ static inline int php_output_handler_append(php_output_handler *handler, const p
 			size_t grow_buf = PHP_OUTPUT_HANDLER_INITBUF_SIZE(buf->used - (handler->buffer.size - handler->buffer.used));
 			size_t grow_max = MAX(grow_int, grow_buf);
 
-			handler->buffer.data = erealloc(handler->buffer.data, handler->buffer.size + grow_max);
+			handler->buffer.data = safe_erealloc(handler->buffer.data, 1, handler->buffer.size, grow_max);
 			handler->buffer.size += grow_max;
 		}
 		memcpy(handler->buffer.data + handler->buffer.used, buf->data, buf->used);

Original file line number	Diff line number	Diff line change
`@@ -889,7 +889,7 @@ static inline int php_output_handler_append(php_output_handler *handler, const p`
`889`	`889`	`size_t grow_buf = PHP_OUTPUT_HANDLER_INITBUF_SIZE(buf->used - (handler->buffer.size - handler->buffer.used));`
`890`	`890`	`size_t grow_max = MAX(grow_int, grow_buf);`
`891`	`891`
`892`		`- handler->buffer.data = erealloc(handler->buffer.data, handler->buffer.size + grow_max);`
	`892`	`+ handler->buffer.data = safe_erealloc(handler->buffer.data, 1, handler->buffer.size, grow_max);`
`893`	`893`	`handler->buffer.size += grow_max;`
`894`	`894`	`}`
`895`	`895`	`memcpy(handler->buffer.data + handler->buffer.used, buf->data, buf->used);`