From 789a37f14405e2d1a05a76c9fb4ed2d49d4580d5 Mon Sep 17 00:00:00 2001
From: guoyiyuan
Date: Wed, 13 Jul 2022 20:55:51 +0800
Subject: [PATCH] Prevent potential buffer overflow for large value of php_cli_server_workers_max
Fixes #8989. Closes #9000
Upstream-Status: Backport [https://github.com/php/php-src/commit/789a37f14405e2d1a05a76c9fb4ed2d49d4580d5]
CVE: CVE-2022-4900
Signed-off-by: Hitendra Prajapati
---
 sapi/cli/php_cli_server.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
index c3097861..48f8309d 100644
--- a/sapi/cli/php_cli_server.c
+++ b/sapi/cli/php_cli_server.c
@@ -517,13 +517,8 @@ static int sapi_cli_server_startup(sapi_module_struct *sapi_module) /* {{{ */
 if (php_cli_server_workers_max > 1) {
 zend_long php_cli_server_worker;
- php_cli_server_workers = calloc(
- php_cli_server_workers_max, sizeof(pid_t));
- if (!php_cli_server_workers) {
- php_cli_server_workers_max = 1;
-
- return SUCCESS;
- }
+ php_cli_server_workers = pecalloc(
+ php_cli_server_workers_max, sizeof(pid_t), 1);
 php_cli_server_master = getpid();
@@ -2361,7 +2356,7 @@ static void php_cli_server_dtor(php_cli_server *server) /* {{{ */
 !WIFSIGNALED(php_cli_server_worker_status));
 }
- free(php_cli_server_workers);
+ pefree(php_cli_server_workers, 1);
 }
 #endif
 } /* }}} */
-- 
2.25.1
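Review bot: The worker count still reaches the allocator with only the `> 1` check visible in this hunk, so the fix rests entirely on `pecalloc(..., 1)` guarding the `nmemb * size` multiplication and never returning NULL. Since the explicit NULL check is removed, that is worth confirming against the allocator in the tree this backport targets. The earlier soft fallback (drop to one worker and return SUCCESS) presumably becomes a fatal out-of-memory exit, which deserves a comment such as `/* persistent pecalloc: overflow-checked, aborts on OOM instead of returning NULL */`. Consider also rejecting unreasonable worker counts where the value is parsed (outside this hunk), so a huge setting fails with a clear message rather than at allocation time. sapi_cli_server_startup's body begins and ends outside the hunk.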
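Review bot: `php_cli_server_workers` is left dangling after the release in php_cli_server_dtor. Adding `php_cli_server_workers = NULL;` right after `pefree(php_cli_server_workers, 1);` would make a second pass through this destructor harmless, if one is possible. The persistent flag `1` has to stay in step with the `pecalloc(..., 1)` call in sapi_cli_server_startup, and a short comment saying so would help the next backporter. php_cli_server_dtor's body starts outside the hunk.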