From 115eb0fc263970ea5b9066c281745e819f69811f Mon Sep 17 00:00:00 2001
From: Weilin Du <108666168+LamentXU123@users.noreply.github.com>
Date: Sat, 9 May 2026 22:10:47 +0800
Subject: [PATCH] zend: avoid potential integer overflow in zend_string_concat2 and zend_string_concat3 (#21626)
---
 Zend/zend_string.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Zend/zend_string.c b/Zend/zend_string.c
index a9e1a7dea099..52fca0cd4346 100644
--- a/Zend/zend_string.c
+++ b/Zend/zend_string.c
@@ -17,6 +17,7 @@
 #include "zend.h"
 #include "zend_globals.h"
+#include "zend_multiply.h"
 #ifdef HAVE_VALGRIND
 # include "valgrind/callgrind.h"
@@ -473,8 +474,7 @@ ZEND_API zend_string *zend_string_concat2(
 const char *str1, size_t str1_len,
 const char *str2, size_t str2_len)
 {
- size_t len = str1_len + str2_len;
- zend_string *res = zend_string_alloc(len, 0);
+ zend_string *res = zend_string_safe_alloc(1, str1_len, str2_len, 0);
 char *p = ZSTR_VAL(res);
 p = zend_mempcpy(p, str1, str1_len);
@@ -489,7 +489,8 @@ ZEND_API zend_string *zend_string_concat3(
 const char *str2, size_t str2_len,
 const char *str3, size_t str3_len)
 {
- size_t len = str1_len + str2_len + str3_len;
+ size_t tmp_len = zend_safe_address_guarded(1, str1_len, str2_len);
+ size_t len = zend_safe_address_guarded(1, tmp_len, str3_len);
 zend_string *res = zend_string_alloc(len, 0);
 char *p = ZSTR_VAL(res);
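Review bot: The call `zend_string_safe_alloc(1, str1_len, str2_len, 0)` in zend_string_concat2 relies on the allocator's n*m+l convention with a multiplier of 1, which is not obvious at the call site, and the new failure mode is not stated anywhere in the hunk. I would add a comment above it such as `/* 1 * str1_len + str2_len, overflow-checked; does not return on overflow */`, assuming the safe allocator raises a fatal error here as it does elsewhere in Zend. The function body continues past the end of the hunk.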
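Review bot: In zend_string_concat3 the two `zend_safe_address_guarded` calls check only the sum of the three lengths, and the result is then handed to plain `zend_string_alloc(len, 0)`, which, as far as I can tell without its definition in view, still adds the string header and terminator to `len` unchecked. A total within a header's size of SIZE_MAX would pass the guard and could wrap inside the allocator, leaving a buffer smaller than the copies that follow; this matters mostly on 32-bit builds. Making the last step match zend_string_concat2 would bring the header size into the checked computation and keep the two functions consistent: `zend_string *res = zend_string_safe_alloc(1, tmp_len, str3_len, 0);`. The body continues outside the hunk, so any later use of `len` would need to become `ZSTR_LEN(res)`.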