From 5630bf375071228bf3323d2ea43ed9532df1661c Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Thu, 8 Apr 2021 18:00:56 +0200
Subject: [PATCH 1/3] Fix #79812: Potential integer overflow in pcntl_exec()

We use the proper type.
---
 ext/pcntl/pcntl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c
index 1bb67af6c541c..d7fea874a13f6 100644
--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@@ -955,7 +955,7 @@ PHP_FUNCTION(pcntl_exec)
 	int envc = 0, envi = 0;
 	char **argv = NULL, **envp = NULL;
 	char **current_arg, **pair;
-	int pair_length;
+	size_t pair_length;
 	zend_string *key;
 	char *path;
 	size_t path_len;

From d535c495f5506fecadb158a3d26e07e81eeb1df0 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Fri, 9 Apr 2021 10:44:43 +0200
Subject: [PATCH 2/3] Make sure that no overflow can occur

We can assume that neither string length is `SIZE_MAX`, and then use
`safe_emalloc()` to ensure that the addition does not overflow.
---
 ext/pcntl/pcntl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c
index d7fea874a13f6..1da1beaef19a6 100644
--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@@ -1015,8 +1015,9 @@ PHP_FUNCTION(pcntl_exec)
 			}
 
 			/* Length of element + equal sign + length of key + null */
+			ZEND_ASSERT(Z_STRLEN_P(element) < SIZE_MAX && ZSTR_LEN(key) < SIZE_MAX);
+			*pair = safe_emalloc(Z_STRLEN_P(element) + 1, sizeof(char) + ZSTR_LEN(key) + 1);
 			pair_length = Z_STRLEN_P(element) + ZSTR_LEN(key) + 2;
-			*pair = emalloc(pair_length);
 			strlcpy(*pair, ZSTR_VAL(key), ZSTR_LEN(key) + 1);
 			strlcat(*pair, "=", pair_length);
 			strlcat(*pair, Z_STRVAL_P(element), pair_length);

From 09c323958b1c3eb4bee0b62ac4ec38c3252b4ff9 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Fri, 9 Apr 2021 13:08:21 +0200
Subject: [PATCH 3/3] Fix syntax error

---
 ext/pcntl/pcntl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c
index 1da1beaef19a6..2d19b7d4edce5 100644
--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@@ -1016,7 +1016,7 @@ PHP_FUNCTION(pcntl_exec)
 
 			/* Length of element + equal sign + length of key + null */
 			ZEND_ASSERT(Z_STRLEN_P(element) < SIZE_MAX && ZSTR_LEN(key) < SIZE_MAX);
-			*pair = safe_emalloc(Z_STRLEN_P(element) + 1, sizeof(char) + ZSTR_LEN(key) + 1);
+			*pair = safe_emalloc(Z_STRLEN_P(element) + 1, sizeof(char), ZSTR_LEN(key) + 1);
 			pair_length = Z_STRLEN_P(element) + ZSTR_LEN(key) + 2;
 			strlcpy(*pair, ZSTR_VAL(key), ZSTR_LEN(key) + 1);
 			strlcat(*pair, "=", pair_length);
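Review bot: The ZEND_ASSERT on the line after the comment is not a runtime guard — outside ZEND_DEBUG builds it reduces, as far as I recall, to a compiler assumption — so the two `+ 1` operands handed to safe_emalloc() are unchecked there, and the overflow protection actually rests on the invariant the commit message states (no zend_string can be SIZE_MAX bytes long, since its header has to fit alongside the bytes); the code should say that instead of letting the assert read like the check, e.g. `/* Neither length can be SIZE_MAX (a zend_string cannot be that large), so "+ 1" cannot wrap; safe_emalloc() then rejects an overflowing sum. */`. The existing comment "Length of element + equal sign + length of key + null" now sits two lines above the `pair_length = Z_STRLEN_P(element) + ZSTR_LEN(key) + 2;` it describes; moving the comment down next to that line, or computing pair_length first and then allocating, keeps the two together. Because both lengths are known exactly, the strlcpy/strlcat chain could also become two memcpy calls plus an explicit terminator, which avoids rescanning the buffer and the silent truncation at an embedded NUL in the key — though that is pre-existing code rather than something this series introduces. The same lines were introduced in PATCH 2/3, and pcntl_exec() continues on both sides of the hunk.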