Use safe_*erealloc* flavor in few places to mitigate possible overflows.

devnexen · devnexen · commit dfbb42529505 · 2022-07-04T14:41:04.000+01:00
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.2.0alpha3
 
+- Core:
+  . Uses safe_perealloc instead of perealloc for the
+    ZEND_PTR_STACK_RESIZE_IF_NEEDED to avoid possible overflows. (David Carlier)
+
 - DBA:
   . Fixed LMDB driver hanging when attempting to delete a non-existing key
     (Girgias)
@@ -14,8 +18,14 @@ PHP                                                                        NEWS
 - Sockets:
   . Added TCP_CONGESTION socket option. (David Carlier)
 
+- SPL:
+  . Uses safe_erealloc instead of erealloc to handle heap growth
+    for the SplHeap::insert method to avoid possible overflows. (David Carlier)
+
 - Standard:
   . Fixed the crypt_sha256/512 api build with clang > 12. (David Carlier)
+  . Uses safe_erealloc instead of erealloc to handle options in getopt
+    to avoid possible overflows. (David Carlier)
 
 - Zip:
 
diff --git a/Zend/zend_ptr_stack.h b/Zend/zend_ptr_stack.h
@@ -48,7 +48,7 @@ END_EXTERN_C()
 		do {												\
 			stack->max += PTR_STACK_BLOCK_SIZE;				\
 		} while (stack->top+count > stack->max);			\
-		stack->elements = (void **) perealloc(stack->elements, (sizeof(void *) * (stack->max)), stack->persistent);	\
+		stack->elements = (void **) safe_perealloc(stack->elements, sizeof(void *), (stack->max), 0, stack->persistent);	\
 		stack->top_element = stack->elements+stack->top;	\
 	}
 
diff --git a/ext/spl/spl_heap.c b/ext/spl/spl_heap.c
@@ -278,7 +278,7 @@ static void spl_ptr_heap_insert(spl_ptr_heap *heap, void *elem, void *cmp_userda
 	if (heap->count+1 > heap->max_size) {
 		size_t alloc_size = heap->max_size * heap->elem_size;
 		/* we need to allocate more memory */
-		heap->elements  = erealloc(heap->elements, 2 * alloc_size);
+		heap->elements  = safe_erealloc(heap->elements, 2, alloc_size, 0);
 		memset((char *) heap->elements + alloc_size, 0, alloc_size);
 		heap->max_size *= 2;
 	}
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
@@ -1099,7 +1099,7 @@ PHP_FUNCTION(getopt)
 
 		/* the first <len> slots are filled by the one short ops
 		 * we now extend our array and jump to the new added structs */
-		opts = (opt_struct *) erealloc(opts, sizeof(opt_struct) * (len + count + 1));
+		opts = (opt_struct *) safe_erealloc(opts, sizeof(opt_struct), (len + count + 1), 0);
 		orig_opts = opts;
 		opts += len;
 

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ END_EXTERN_C()`
`48`	`48`	`do { \`
`49`	`49`	`stack->max += PTR_STACK_BLOCK_SIZE; \`
`50`	`50`	`} while (stack->top+count > stack->max); \`
`51`		`- stack->elements = (void *) perealloc(stack->elements, (sizeof(void ) * (stack->max)), stack->persistent); \`
	`51`	`+ stack->elements = (void *) safe_perealloc(stack->elements, sizeof(void ), (stack->max), 0, stack->persistent); \`
`52`	`52`	`stack->top_element = stack->elements+stack->top; \`
`53`	`53`	`}`
`54`	`54`
Original file line number	Diff line number	Diff line change
`@@ -278,7 +278,7 @@ static void spl_ptr_heap_insert(spl_ptr_heap heap, void elem, void *cmp_userda`
`278`	`278`	`if (heap->count+1 > heap->max_size) {`
`279`	`279`	`size_t alloc_size = heap->max_size * heap->elem_size;`
`280`	`280`	`/* we need to allocate more memory */`
`281`		`- heap->elements = erealloc(heap->elements, 2 * alloc_size);`
	`281`	`+ heap->elements = safe_erealloc(heap->elements, 2, alloc_size, 0);`
`282`	`282`	`memset((char *) heap->elements + alloc_size, 0, alloc_size);`
`283`	`283`	`heap->max_size *= 2;`
`284`	`284`	`}`