From 443d150c70621b6236e8c12ea37ac57d3354f319 Mon Sep 17 00:00:00 2001 From: Ilia Alshanetsky Date: Sun, 21 Jun 2026 08:04:23 -0400 Subject: [PATCH] Fix int truncation of read length in shmop_read() shmop_read() held the read length in an int while count and shmop->size are zend_long and the bounds checks above validate against the full 64-bit size. On a shared-memory segment larger than INT_MAX a read whose length sets the int sign bit was sign-extended into the size_t length argument of zend_string_init(), requesting a near-SIZE_MAX allocation; other truncated lengths silently returned a wrong-sized string. Hold the length in a zend_long, matching the zend_long writesize already used in shmop_write(). --- ext/shmop/shmop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/shmop/shmop.c b/ext/shmop/shmop.c index 67f060f3c82c..d5d990bd2e91 100644 --- a/ext/shmop/shmop.c +++ b/ext/shmop/shmop.c @@ -224,7 +224,7 @@ PHP_FUNCTION(shmop_read) zend_long start, count; php_shmop *shmop; char *startaddr; - int bytes; + zend_long bytes; zend_string *return_string; if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oll", &shmid, shmop_ce, &start, &count) == FAILURE) {
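Review bot: the hunk widens only the declaration of `bytes`; the assignment to it and the `zend_string_init()` call that consumes it sit outside the shown context, so please confirm in the full function that neither site narrows the value back through an `int` (for example via a helper taking `int`) and that what reaches the `size_t` length parameter is non-negative after the bounds checks the commit message refers to. `start` and `count` are parsed with `"Oll"` as signed `zend_long`, so a negative `count` that survived to `bytes` would still sign-extend on conversion to `size_t`, which is the same failure mode this change addresses; a comment above the declaration stating that `bytes` is validated to lie within `[0, shmop->size - start]` would make that invariant visible at the point of use. A regression test is probably impractical since reproducing needs a segment larger than `INT_MAX`, so it is worth saying so explicitly in the commit message rather than leaving the absence of a test unexplained.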