Merge branch 'PHP-7.4' into PHP-8.0

cmb69 · cmb69 · commit f03e7c845e5a · 2021-07-21T15:33:17.000+02:00
* PHP-7.4:
  Fix #74960: Heap buffer overflow via str_repeat
diff --git a/NEWS b/NEWS
@@ -27,6 +27,7 @@ PHP                                                                        NEWS
   . Fixed bug #72146 (Integer overflow on substr_replace). (cmb)
   . Fixed bug #81265 (getimagesize returns 0 for 256px ICO images).
     (George Dietrich)
+  . Fixed bug #74960 (Heap buffer overflow via str_repeat). (cmb, Dmitry)
 
 29 Jul 2021, PHP 8.0.9
 
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
@@ -1882,7 +1882,7 @@ ZEND_API zend_result ZEND_FASTCALL concat_function(zval *result, zval *op1, zval
 		size_t result_len = op1_len + op2_len;
 		zend_string *result_str;
 
-		if (UNEXPECTED(op1_len > SIZE_MAX - op2_len)) {
+		if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) {
 			zend_throw_error(NULL, "String size overflow");
 			zval_ptr_dtor_str(&op1_copy);
 			zval_ptr_dtor_str(&op2_copy);
diff --git a/Zend/zend_string.h b/Zend/zend_string.h
@@ -83,6 +83,8 @@ END_EXTERN_C()
 
 #define _ZSTR_STRUCT_SIZE(len) (_ZSTR_HEADER_SIZE + len + 1)
 
+#define ZSTR_MAX_LEN (SIZE_MAX - ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1))
+
 #define ZSTR_ALLOCA_ALLOC(str, _len, use_heap) do { \
 	(str) = (zend_string *)do_alloca(ZEND_MM_ALIGNED_SIZE_EX(_ZSTR_STRUCT_SIZE(_len), 8), (use_heap)); \
 	GC_SET_REFCOUNT(str, 1); \
