Commit 115eb0fc263 for php.net

commit 115eb0fc263970ea5b9066c281745e819f69811f
Author: Weilin Du <108666168+LamentXU123@users.noreply.github.com>
Date:   Sat May 9 22:10:47 2026 +0800

    zend: avoid potential integer overflow in zend_string_concat2 and zend_string_concat3 (#21626)

diff --git a/Zend/zend_string.c b/Zend/zend_string.c
index a9e1a7dea09..52fca0cd434 100644
--- a/Zend/zend_string.c
+++ b/Zend/zend_string.c
@@ -17,6 +17,7 @@

 #include "zend.h"
 #include "zend_globals.h"
+#include "zend_multiply.h"

 #ifdef HAVE_VALGRIND
 # include "valgrind/callgrind.h"
@@ -473,8 +474,7 @@ ZEND_API zend_string *zend_string_concat2(
 		const char *str1, size_t str1_len,
 		const char *str2, size_t str2_len)
 {
-	size_t len = str1_len + str2_len;
-	zend_string *res = zend_string_alloc(len, 0);
+	zend_string *res = zend_string_safe_alloc(1, str1_len, str2_len, 0);

 	char *p = ZSTR_VAL(res);
 	p = zend_mempcpy(p, str1, str1_len);
@@ -489,7 +489,8 @@ ZEND_API zend_string *zend_string_concat3(
 		const char *str2, size_t str2_len,
 		const char *str3, size_t str3_len)
 {
-	size_t len = str1_len + str2_len + str3_len;
+	size_t tmp_len = zend_safe_address_guarded(1, str1_len, str2_len);
+	size_t len = zend_safe_address_guarded(1, tmp_len, str3_len);
 	zend_string *res = zend_string_alloc(len, 0);

 	char *p = ZSTR_VAL(res);