Prevent potential buffer overflow for large value of php_cli_server_workers_max

yiyuaner · devnexen · commit 789a37f14405 · 2022-07-14T12:12:25.000+01:00
Fixes php#8989. Closes php#9000.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2022, PHP 8.0.22
 
+- CLI:
+  . Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS
+    environment variable. (yiyuaner)
+
 - Core:
   . Fixed bug GH-8923 (error_log on Windows can hold the file write lock). (cmb)
 
diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
@@ -2299,7 +2299,7 @@ static void php_cli_server_dtor(php_cli_server *server) /* {{{ */
 					  !WIFSIGNALED(php_cli_server_worker_status));
 		}
 
-		free(php_cli_server_workers);
+		pefree(php_cli_server_workers, 1);
 	}
 #endif
 } /* }}} */
@@ -2385,12 +2385,8 @@ static void php_cli_server_startup_workers() {
 	if (php_cli_server_workers_max > 1) {
 		zend_long php_cli_server_worker;
 
-		php_cli_server_workers = calloc(
-			php_cli_server_workers_max, sizeof(pid_t));
-		if (!php_cli_server_workers) {
-			php_cli_server_workers_max = 1;
-			return;
-		}
+		php_cli_server_workers = pecalloc(
+			php_cli_server_workers_max, sizeof(pid_t), 1);
 
 		php_cli_server_master = getpid();
 
