File tree 2 files changed +13
-4
lines changed
2 files changed +13
-4
lines changed Original file line number Diff line number Diff line change @@ -28,6 +28,8 @@ PHP NEWS
2828 . Fixed bug GH-16508 (Incorrect line number in inheritance errors of delayed
2929 early bound classes). (ilutov)
3030 . Fixed bug GH-16648 (Use-after-free during array sorting). (ilutov)
31+ . Fixed bug GH-15915 (overflow with a high value for precision INI).
32+ (David Carlier / cmb)
3133
3234- Curl:
3335 . Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if
Original file line number Diff line number Diff line change @@ -3613,13 +3613,20 @@ rv_alloc(i) int i;
36133613rv_alloc (int i )
36143614#endif
36153615{
3616- int k , * r ;
36173616
3618- size_t j = sizeof (ULong );
3617+ int j , k , * r ;
3618+ size_t rem ;
3619+
3620+ rem = sizeof (Bigint ) - sizeof (ULong ) - sizeof (int );
3621+
3622+
3623+ j = sizeof (ULong );
3624+ if (i > ((INT_MAX >> 2 ) + rem ))
3625+ zend_error_noreturn (E_ERROR , "rv_alloc() allocation overflow %d" , i );
36193626 for (k = 0 ;
3620- sizeof (Bigint ) - sizeof (ULong ) - sizeof (int ) + j <= (size_t )i ;
3621- j <<= 1 )
3627+ rem + j <= (size_t )i ; j <<= 1 )
36223628 k ++ ;
3629+
36233630 r = (int * )Balloc (k );
36243631 * r = k ;
36253632 return
You can’t perform that action at this time.
0 commit comments