From f4b275b998734e0c65de1ae73cea0ce3b837c32b Mon Sep 17 00:00:00 2001
From: lamentxu <1372449351@qq.com>
Date: Sat, 4 Apr 2026 02:24:54 +0800
Subject: [PATCH 1/4] Update zend_string.c
---
 Zend/zend_string.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/Zend/zend_string.c b/Zend/zend_string.c
index 348f37999efd..7d907be39c06 100644
--- a/Zend/zend_string.c
+++ b/Zend/zend_string.c
@@ -18,6 +18,7 @@
 #include "zend.h"
 #include "zend_globals.h"
+#include "zend_multiply.h"
 #ifdef HAVE_VALGRIND
 # include "valgrind/callgrind.h"
@@ -474,7 +475,7 @@ ZEND_API zend_string *zend_string_concat2(
 const char *str1, size_t str1_len,
 const char *str2, size_t str2_len)
 {
- size_t len = str1_len + str2_len;
+ size_t len = zend_safe_address_guarded(1, str1_len, str2_len);
 zend_string *res = zend_string_alloc(len, 0);
 char *p = ZSTR_VAL(res);
@@ -490,7 +491,8 @@ ZEND_API zend_string *zend_string_concat3(
 const char *str2, size_t str2_len,
 const char *str3, size_t str3_len)
 {
- size_t len = str1_len + str2_len + str3_len;
+ size_t tmp_len = zend_safe_address_guarded(1, str1_len, str2_len);
+ size_t len = zend_safe_address_guarded(1, tmp_len, str3_len);
 zend_string *res = zend_string_alloc(len, 0);
 char *p = ZSTR_VAL(res);
From 4b34079b8e789ff46bc40caeace979e22e951f3d Mon Sep 17 00:00:00 2001
From: lamentxu <1372449351@qq.com>
Date: Sat, 4 Apr 2026 11:28:33 +0800
Subject: [PATCH 2/4] use zend_string_safe_alloc
---
 Zend/zend_string.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Zend/zend_string.c b/Zend/zend_string.c
index 7d907be39c06..9997cd842baf 100644
--- a/Zend/zend_string.c
+++ b/Zend/zend_string.c
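Review bot: In PATCH 1/4 the guarded sum in `zend_string_concat2` and `zend_string_concat3` is still handed to `zend_string_alloc(len, 0)`, so only the addition of the operand lengths is checked. `zend_string_alloc` is not shown here; if it adds the string header and terminating NUL to `len` before allocating, a `len` close to `SIZE_MAX` could still wrap at that step and the `zend_mempcpy` calls that follow would write into an undersized buffer. Letting the allocator perform the final checked computation closes that gap, e.g. in concat3 keep the first guarded add and use `zend_string *res = zend_string_safe_alloc(1, tmp_len, str3_len, 0);`. Later patches in this series move concat2 to that form, but concat3 is not touched again in the visible patches, so the two functions end up on different overflow paths. Both function bodies continue outside their hunks.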
@@ -475,8 +475,8 @@ ZEND_API zend_string *zend_string_concat2(
 const char *str1, size_t str1_len,
 const char *str2, size_t str2_len)
 {
- size_t len = zend_safe_address_guarded(1, str1_len, str2_len);
- zend_string *res = zend_string_alloc(len, 0);
+ size_t len = str1_len + str2_len;
+ zend_string *res = zend_string_safe_alloc(len, 0);
 char *p = ZSTR_VAL(res);
 p = zend_mempcpy(p, str1, str1_len);
From 1827e0c31d5525e232cd412c4ebe5408a9618869 Mon Sep 17 00:00:00 2001
From: Weilin Du <108666168+LamentXU123@users.noreply.github.com>
Date: Sat, 4 Apr 2026 11:36:35 +0800
Subject: [PATCH 3/4] Update zend_string.c
---
 Zend/zend_string.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/Zend/zend_string.c b/Zend/zend_string.c
index 9997cd842baf..8a6ac2413c76 100644
--- a/Zend/zend_string.c
+++ b/Zend/zend_string.c
@@ -474,9 +474,8 @@ ZEND_API zend_never_inline NOIPA bool ZEND_FASTCALL zend_string_equal_val(const
 ZEND_API zend_string *zend_string_concat2(
 const char *str1, size_t str1_len,
 const char *str2, size_t str2_len)
-{
- size_t len = str1_len + str2_len;
- zend_string *res = zend_string_safe_alloc(len, 0);
+}
+ zend_string *res = zend_string_safe_alloc(1, str1_len, str2_len, 0);
 char *p = ZSTR_VAL(res);
 p = zend_mempcpy(p, str1, str1_len);
From ab762f681b06db05911e844eaec59ac265cb0730 Mon Sep 17 00:00:00 2001
From: Weilin Du <108666168+LamentXU123@users.noreply.github.com>
Date: Sat, 4 Apr 2026 11:37:10 +0800
Subject: [PATCH 4/4] Update zend_string.c
---
 Zend/zend_string.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Zend/zend_string.c b/Zend/zend_string.c
index 8a6ac2413c76..efec7ceb7a2a 100644
--- a/Zend/zend_string.c
+++ b/Zend/zend_string.c
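Review bot: PATCH 2/4 puts the unchecked `str1_len + str2_len` back into `zend_string_concat2` and passes the already-computed `len` to `zend_string_safe_alloc(len, 0)`, so a wrapped sum would reach the allocator unnoticed no matter how careful the allocator is. The call also has two arguments where the next patch in the series calls the same function with four, which suggests this revision does not compile. Folding this patch into the one that introduces `zend_string *res = zend_string_safe_alloc(1, str1_len, str2_len, 0);` would keep every commit in the history both buildable and overflow-checked. The function body continues outside the hunk.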
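Review bot: The new side of PATCH 3/4 replaces the opening `{` of `zend_string_concat2` with `}`, so the function body starts with a closing brace and the file cannot compile at this commit; PATCH 4/4 does nothing except restore the brace. Squashing 3/4 and 4/4 (ideally the whole series) would keep `git bisect` usable across this hardening change and let it be backported as one unit. The function body continues outside the hunk.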
@@ -474,7 +474,7 @@ ZEND_API zend_never_inline NOIPA bool ZEND_FASTCALL zend_string_equal_val(const
 ZEND_API zend_string *zend_string_concat2(
 const char *str1, size_t str1_len,
 const char *str2, size_t str2_len)
-}
+{
 zend_string *res = zend_string_safe_alloc(1, str1_len, str2_len, 0);
 char *p = ZSTR_VAL(res);