File tree Expand file tree Collapse file tree 1 file changed +12
-3
lines changed Expand file tree Collapse file tree 1 file changed +12
-3
lines changed Original file line number Diff line number Diff line change @@ -3613,13 +3613,22 @@ rv_alloc(i) int i;
36133613rv_alloc (int i )
36143614#endif
36153615{
3616- int j , k , * r ;
3616+
3617+ int k , * r ;
3618+ size_t j , rem ;
3619+
3620+ rem = sizeof (Bigint ) - sizeof (ULong ) - sizeof (int );
3621+
3622+ if (i > rem )
3623+ zend_error_noreturn (E_ERROR , "rv_alloc() allocation overflow %d" , i );
36173624
36183625 j = sizeof (ULong );
36193626 for (k = 0 ;
3620- j <= (INT_MAX >> 1 ) && sizeof (Bigint ) - sizeof (ULong ) - sizeof (int ) + j <= (size_t )i ;
3621- j <<= 1 )
3627+ j <= (INT_MAX >> 1 ) && rem + j <= (size_t )i ; j <<= 1 )
36223628 k ++ ;
3629+ if (j > (INT_MAX >> 1 ))
3630+ zend_error_noreturn (E_ERROR , "rv_alloc() computation overflow " ZEND_LONG_FMT , j );
3631+
36233632 r = (int * )Balloc (k );
36243633 * r = k ;
36253634 return
You can’t perform that action at this time.
0 commit comments