From 83fff8ed8c8148b4fe30a9384000e3b8e89f7189 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Wed, 2 Oct 2019 10:53:31 +0200
Subject: [PATCH 1/3] Fix #78620: Out of memory error

If the integer addition in `ZEND_MM_ALIGNED_SIZE_EX` overflows, the macro evaluates to `0`, what we should catch early.
---
 Zend/zend_alloc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
index 3a43027346dba..af331e37930c6 100644
--- a/Zend/zend_alloc.c
+++ b/Zend/zend_alloc.c
@@ -1730,10 +1730,10 @@ static void *zend_mm_alloc_huge(zend_mm_heap *heap, size_t size ZEND_FILE_LINE_D
 void *ptr;
 #if ZEND_MM_LIMIT
- if (UNEXPECTED(new_size > heap->limit - heap->real_size)) {
- if (zend_mm_gc(heap) && new_size <= heap->limit - heap->real_size) {
+ if (UNEXPECTED(new_size == 0 || new_size > heap->limit - heap->real_size)) {
+ if (new_size > 0 && zend_mm_gc(heap) && new_size <= heap->limit - heap->real_size) {
 /* pass */
- } else if (heap->overflow == 0) {
+ } else if (new_size == 0 || heap->overflow == 0) {
 #if ZEND_DEBUG
 zend_mm_safe_error(heap, "Allowed memory size of %zu bytes exhausted at %s:%d (tried to allocate %zu bytes)", heap->limit, __zend_filename, __zend_lineno, size);
 #else

From 68914e273bfd8d6677272520b9efbe9df258094b Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Wed, 2 Oct 2019 16:17:03 +0200
Subject: [PATCH 2/3] Use goto instead of multiple checks

We also add a comment.
---
 Zend/zend_alloc.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
index af331e37930c6..479028fb08d94 100644
--- a/Zend/zend_alloc.c
+++ b/Zend/zend_alloc.c
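Review bot: The zero-size guard added on the `+` lines of the `if` sits inside `#if ZEND_MM_LIMIT`, so a build that compiles the memory limit out never sees the overflowed `new_size` and the request continues into the allocation code below the hunk with a size of 0; the reworked guard in the second patch of this series has the same placement. Moving the `new_size == 0` test ahead of the `#if ZEND_MM_LIMIT` block, reporting the overflow and returning NULL there, would keep the check in every configuration. The body of zend_mm_alloc_huge begins and ends outside the hunk, so where `new_size` is computed is not visible here; this assumes it comes straight from `ZEND_MM_ALIGNED_SIZE_EX` as the commit message says.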
@@ -1730,10 +1730,15 @@ static void *zend_mm_alloc_huge(zend_mm_heap *heap, size_t size ZEND_FILE_LINE_D
 void *ptr;
 #if ZEND_MM_LIMIT
- if (UNEXPECTED(new_size == 0 || new_size > heap->limit - heap->real_size)) {
- if (new_size > 0 && zend_mm_gc(heap) && new_size <= heap->limit - heap->real_size) {
+ if (UNEXPECTED(new_size == 0)) {
+ /* overflow in ZEND_MM_ALIGNED_SIZE_EX */
+ goto memory_limit_exhausted;
+ }
+ if (UNEXPECTED(new_size > heap->limit - heap->real_size)) {
+ if (zend_mm_gc(heap) && new_size <= heap->limit - heap->real_size) {
 /* pass */
- } else if (new_size == 0 || heap->overflow == 0) {
+ } else if (heap->overflow == 0) {
+ memory_limit_exhausted:
 #if ZEND_DEBUG
 zend_mm_safe_error(heap, "Allowed memory size of %zu bytes exhausted at %s:%d (tried to allocate %zu bytes)", heap->limit, __zend_filename, __zend_lineno, size);
 #else

From 119206b31e552fa2da34a215a3207dbf00b53889 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Wed, 2 Oct 2019 16:42:28 +0200
Subject: [PATCH 3/3] Unindent label
---
 Zend/zend_alloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Zend/zend_alloc.c b/Zend/zend_alloc.c
index 479028fb08d94..222f08f49e4a4 100644
--- a/Zend/zend_alloc.c
+++ b/Zend/zend_alloc.c
@@ -1738,7 +1738,7 @@ static void *zend_mm_alloc_huge(zend_mm_heap *heap, size_t size ZEND_FILE_LINE_D
 if (zend_mm_gc(heap) && new_size <= heap->limit - heap->real_size) {
 /* pass */
 } else if (heap->overflow == 0) {
- memory_limit_exhausted:
+memory_limit_exhausted:
 #if ZEND_DEBUG
 zend_mm_safe_error(heap, "Allowed memory size of %zu bytes exhausted at %s:%d (tried to allocate %zu bytes)", heap->limit, __zend_filename, __zend_lineno, size);
 #else
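Review bot: The new `/* overflow in ZEND_MM_ALIGNED_SIZE_EX */` comment above the `goto` does not say why a zero result means overflow, and the jump lands inside the nested `else if (heap->overflow == 0)` branch, past the `zend_mm_gc` attempt and past that branch's condition, which a reader following the block structure will not expect. A fuller comment at the `goto` would carry that, e.g. `/* ZEND_MM_ALIGNED_SIZE_EX yields 0 when the addition inside it wraps; such a request can never be satisfied, so report it even when heap->overflow is set */`. The guard also assumes a genuine zero-byte request cannot reach this function; if callers can pass size 0 the same path fires for them, which is worth stating in the comment. zend_mm_alloc_huge starts and ends outside the hunk, and the third patch of the series only unindents the label.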