From 140e585f86d3371ec72844178437abb8c26c0e9a Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Wed, 14 Jul 2021 17:55:15 +0200
Subject: [PATCH] Fix #72595: php_output_handler_append illegal write access

We must make sure that `handler->buffer.size + grow_max` does not
overflow, so we're using `safe_erealloc()` instead.
---
 main/output.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main/output.c b/main/output.c
index 7751586dbc9a..70bc532f30fb 100644
--- a/main/output.c
+++ b/main/output.c
@@ -889,7 +889,7 @@ static inline int php_output_handler_append(php_output_handler *handler, const p
 			size_t grow_buf = PHP_OUTPUT_HANDLER_INITBUF_SIZE(buf->used - (handler->buffer.size - handler->buffer.used));
 			size_t grow_max = MAX(grow_int, grow_buf);
 
-			handler->buffer.data = erealloc(handler->buffer.data, handler->buffer.size + grow_max);
+			handler->buffer.data = safe_erealloc(handler->buffer.data, 1, handler->buffer.size, grow_max);
 			handler->buffer.size += grow_max;
 		}
 		memcpy(handler->buffer.data + handler->buffer.used, buf->data, buf->used);