@smalyshev
Created February 22, 2016 07:17
commit 57b997ebf99e0eb9a073e0dafd2ab100bd4a112d
Author: Stanislav Malyshev <stas@php.net>
Date: Sun Feb 21 23:14:29 2016 -0800
Fix bug #71637: Multiple Heap Overflow due to integer overflows
diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c
index ff27bdb..0b11ecf 100644
--- a/ext/filter/sanitizing_filters.c
+++ b/ext/filter/sanitizing_filters.c
@@ -87,7 +87,7 @@ static void php_filter_encode_url(zval *value, const unsigned char* chars, const
memset(tmp, 1, 32);
}
*/
- str = zend_string_alloc(3 * Z_STRLEN_P(value), 0);
+ str = zend_string_safe_alloc(Z_STRLEN_P(value), 3, 0, 0);
p = (unsigned char *) ZSTR_VAL(str);
s = (unsigned char *) Z_STRVAL_P(value);
e = s + Z_STRLEN_P(value);
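Review bot: the multiplication `3 * Z_STRLEN_P(value)` is the overflow site, and switching to `zend_string_safe_alloc(Z_STRLEN_P(value), 3, 0, 0)` routes it through the checked multiply, with the same argument layout (length, multiplier, extra bytes, persistent flag) used by the other two hunks. Worth noting in the commit or a code comment that the failure mode changes from an undersized buffer to an allocation error, since the encode loop that follows (`p`, `s`, `e`) still writes up to 3 bytes per input byte and relies on that size being honoured.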
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 489006b..7b6ad8e 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -5372,7 +5372,7 @@ PHP_FUNCTION(str_pad)
return;
}
- result = zend_string_alloc(ZSTR_LEN(input) + num_pad_chars, 0);
+ result = zend_string_safe_alloc(ZSTR_LEN(input), 1, num_pad_chars, 0);
ZSTR_LEN(result) = 0;
/* We need to figure out the left/right padding lengths. */
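Review bot: here the overflowing operation is the addition `ZSTR_LEN(input) + num_pad_chars`, and `zend_string_safe_alloc(ZSTR_LEN(input), 1, num_pad_chars, 0)` covers it by using a multiplier of 1 and passing the pad count as the extra-bytes argument. The `return;` just above the allocation suggests an earlier sanity check on the pad length already exists; keeping the checked allocation regardless is the right call, but a regression test under ext/standard/tests that drives str_pad() with a pad length near the size limit would pin down the new behaviour (allocation failure rather than a short buffer).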
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index d6eae46..bfa1b85 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -581,7 +581,7 @@ PHP_XML_API zend_string *xml_utf8_encode(const char *s, size_t len, const XML_Ch
}
/* This is the theoretical max (will never get beyond len * 2 as long
* as we are converting from single-byte characters, though) */
- str = zend_string_alloc(len * 4, 0);
+ str = zend_string_safe_alloc(len, 4, 0, 0);
ZSTR_LEN(str) = 0;
while (pos > 0) {
c = encoder ? encoder((unsigned char)(*s)) : (unsigned short)(*s);
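Review bot: `zend_string_safe_alloc(len, 4, 0, 0)` closes the `len * 4` multiplication overflow, but the comment directly above still talks about the buffer in terms of "len * 2" for single-byte input while 4 bytes per input byte are actually allocated; suggest updating it to say that the allocation is 4 * len, overflow-checked, so a reader does not take the 2x figure as the buffer size the loop below may fill.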