File php7-CVE-2017-8923.patch of Package php7.24162
Index: php-7.2.5/Zend/zend_vm_def.h
===================================================================
--- php-7.2.5.orig/Zend/zend_vm_def.h 2022-02-14 20:01:05.506276706 +0100
+++ php-7.2.5/Zend/zend_vm_def.h 2022-02-14 20:01:54.818552408 +0100
@@ -316,6 +316,9 @@ ZEND_VM_HANDLER(8, ZEND_CONCAT, CONST|TM
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
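Review bot: The guard added ahead of `zend_string_extend` protects only the in-place branch shown here, and nothing in the hunk says why the bound is `ZSTR_MAX_LEN` rather than `SIZE_MAX`. A one-line comment above the `if` would record it, e.g. `/* the sum must stay <= ZSTR_MAX_LEN so the header and NUL added during allocation cannot wrap size_t */`. The ZEND_CONCAT handler begins and ends outside this hunk, so it is not visible whether its other allocation path also adds the two lengths; if it does, that path should be confirmed as bounded too. The eight identical hunks in zend_vm_execute.h are generated specializations of this template, so regenerating them with zend_vm_gen.php instead of hand-patching keeps the copies from drifting.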
Index: php-7.2.5/Zend/zend_vm_execute.h
===================================================================
--- php-7.2.5.orig/Zend/zend_vm_execute.h 2022-02-14 20:01:05.526276818 +0100
+++ php-7.2.5/Zend/zend_vm_execute.h 2022-02-14 20:38:00.022716996 +0100
@@ -9243,6 +9243,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -11264,6 +11267,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -34858,6 +34864,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -37410,6 +37419,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -41375,6 +41387,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -49667,6 +49682,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -51459,6 +51477,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -52789,6 +52810,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
Index: php-7.2.5/Zend/zend_string.h
===================================================================
--- php-7.2.5.orig/Zend/zend_string.h 2018-04-24 17:09:52.000000000 +0200
+++ php-7.2.5/Zend/zend_string.h 2022-02-14 20:01:05.526276818 +0100
@@ -74,6 +74,9 @@ END_EXTERN_C()
#define _ZSTR_STRUCT_SIZE(len) (_ZSTR_HEADER_SIZE + len + 1)
+#define ZSTR_MAX_OVERHEAD (ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1))
+#define ZSTR_MAX_LEN (SIZE_MAX - ZSTR_MAX_OVERHEAD)
+
#define ZSTR_ALLOCA_ALLOC(str, _len, use_heap) do { \
(str) = (zend_string *)do_alloca(ZEND_MM_ALIGNED_SIZE_EX(_ZSTR_STRUCT_SIZE(_len), 8), (use_heap)); \
GC_REFCOUNT(str) = 1; \
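Review bot: `ZSTR_MAX_OVERHEAD` and `ZSTR_MAX_LEN` are added without a comment, and this hunk does not show the string allocation helpers enforcing the limit, so every call site that sums lengths has to remember the check itself. A short comment would state the contract, e.g. `/* Largest length that leaves room in size_t for the aligned header and the terminating NUL; check length sums against this before allocating */`. If the helpers defined elsewhere in zend_string.h do not validate their length argument, a debug assertion there would catch callers that miss the check. Those helpers are outside the hunk, so this last point is inferred.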