Merge branch 'PHP-7.4' into PHP-8.0

cmb69 · cmb69 · commit d74c61c133e0 · 2021-04-12T12:15:07.000+02:00
* PHP-7.4:
  Fix #79812: Potential integer overflow in pcntl_exec()
diff --git a/NEWS b/NEWS
@@ -30,6 +30,9 @@ PHP                                                                        NEWS
   . Fixed bug #80861 (erronous array key overflow in 2D array with JIT).
     (Dmitry)
 
+- Pcntl:
+  . Fixed bug #79812 (Potential integer overflow in pcntl_exec()). (cmb)
+
 - PDO_ODBC:
   . Fixed bug #80783 (PDO ODBC truncates BLOB records at every 256th byte).
     (cmb)
diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c
@@ -785,7 +785,7 @@ PHP_FUNCTION(pcntl_exec)
 	int envc = 0, envi = 0;
 	char **argv = NULL, **envp = NULL;
 	char **current_arg, **pair;
-	int pair_length;
+	size_t pair_length;
 	zend_string *key;
 	char *path;
 	size_t path_len;
@@ -845,8 +845,9 @@ PHP_FUNCTION(pcntl_exec)
 			}
 
 			/* Length of element + equal sign + length of key + null */
+			ZEND_ASSERT(Z_STRLEN_P(element) < SIZE_MAX && ZSTR_LEN(key) < SIZE_MAX);
+			*pair = safe_emalloc(Z_STRLEN_P(element) + 1, sizeof(char), ZSTR_LEN(key) + 1);
 			pair_length = Z_STRLEN_P(element) + ZSTR_LEN(key) + 2;
-			*pair = emalloc(pair_length);
 			strlcpy(*pair, ZSTR_VAL(key), ZSTR_LEN(key) + 1);
 			strlcat(*pair, "=", pair_length);
 			strlcat(*pair, Z_STRVAL_P(element), pair_length);
