Merge branch 'PHP-7.3' into PHP-7.4

Author: nikic

Zend/zend_alloc.c

@@ -939,7 +939,7 @@ static void *zend_mm_alloc_pages(zend_mm_heap *heap, uint32_t pages_count ZEND_F
 				heap->cached_chunks = chunk->next;
 			} else {
 #if ZEND_MM_LIMIT
-				if (UNEXPECTED(heap->real_size + ZEND_MM_CHUNK_SIZE > heap->limit)) {
+				if (UNEXPECTED(ZEND_MM_CHUNK_SIZE > heap->limit - heap->real_size)) {
 					if (zend_mm_gc(heap)) {
 						goto get_chunk;
 					} else if (heap->overflow == 0) {
@@ -1465,8 +1465,8 @@ static zend_never_inline void *zend_mm_realloc_huge(zend_mm_heap *heap, void *pt
 			}
 		} else /* if (new_size > old_size) */ {
 #if ZEND_MM_LIMIT
-			if (UNEXPECTED(heap->real_size + (new_size - old_size) > heap->limit)) {
-				if (zend_mm_gc(heap) && heap->real_size + (new_size - old_size) <= heap->limit) {
+			if (UNEXPECTED(new_size - old_size > heap->limit - heap->real_size)) {
+				if (zend_mm_gc(heap) && new_size - old_size <= heap->limit - heap->real_size) {
 					/* pass */
 				} else if (heap->overflow == 0) {
 #if ZEND_DEBUG
@@ -1752,8 +1752,8 @@ static void *zend_mm_alloc_huge(zend_mm_heap *heap, size_t size ZEND_FILE_LINE_D
 	void *ptr;
 
 #if ZEND_MM_LIMIT
-	if (UNEXPECTED(heap->real_size + new_size > heap->limit)) {
-		if (zend_mm_gc(heap) && heap->real_size + new_size <= heap->limit) {
+	if (UNEXPECTED(new_size > heap->limit - heap->real_size)) {
+		if (zend_mm_gc(heap) && new_size <= heap->limit - heap->real_size) {
 			/* pass */
 		} else if (heap->overflow == 0) {
 #if ZEND_DEBUG

ext/standard/tests/strings/wordwrap_memory_limit.phpt

@@ -0,0 +1,18 @@
+--TEST--
+No overflow should occur during the memory_limit check for wordwrap()
+--SKIPIF--
+<?php
+if (getenv("USE_ZEND_ALLOC") === "0") die("skip Zend MM disabled");
+?>
+--INI--
+memory_limit=128M
+--FILE--
+<?php
+
+$str = str_repeat('x', 65534);
+$str2 = str_repeat('x', 65535);
+wordwrap($str, 1, $str2);
+
+?>
+--EXPECTF--
+Fatal error: Allowed memory size of 134217728 bytes exhausted%s(tried to allocate %d bytes) in %s on line %d