Fix bug #71637: Multiple Heap Overflow due to integer overflows

10 years ago · 57b997ebf9
3 changed files with 3 additions and 3 deletions
--- a/ext/filter/sanitizing_filters.c
+++ b/ext/filter/sanitizing_filters.c
@ -87,7 +87,7 @@ static void php_filter_encode_url(zval *value, const unsigned char* chars, const
 		memset(tmp, 1, 32);
 	}
 */
-	str = zend_string_alloc(3 * Z_STRLEN_P(value), 0);
+	str = zend_string_safe_alloc(Z_STRLEN_P(value), 3, 0, 0);
 	p = (unsigned char *) ZSTR_VAL(str);
 	s = (unsigned char *) Z_STRVAL_P(value);
 	e = s + Z_STRLEN_P(value);
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@ -5372,7 +5372,7 @@ PHP_FUNCTION(str_pad)
 		return;
 	}

-	result = zend_string_alloc(ZSTR_LEN(input) + num_pad_chars, 0);
+	result = zend_string_safe_alloc(ZSTR_LEN(input), 1, num_pad_chars, 0);
 	ZSTR_LEN(result) = 0;

 	/* We need to figure out the left/right padding lengths. */
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@ -581,7 +581,7 @@ PHP_XML_API zend_string *xml_utf8_encode(const char *s, size_t len, const XML_Ch
 	}
 	/* This is the theoretical max (will never get beyond len * 2 as long
 	 * as we are converting from single-byte characters, though) */
-	str = zend_string_alloc(len * 4, 0);
+	str = zend_string_safe_alloc(len, 4, 0, 0);
 	ZSTR_LEN(str) = 0;
 	while (pos > 0) {
 		c = encoder ? encoder((unsigned char)(*s)) : (unsigned short)(*s);