Fix int truncation of read length in shmop_read()

shmop_read() held the read length in an int while count and shmop->size
are zend_long and the bounds checks above validate against the full
64-bit size. On a shared-memory segment larger than INT_MAX a read whose
length sets the int sign bit was sign-extended into the size_t length
argument of zend_string_init(), requesting a near-SIZE_MAX allocation;
other truncated lengths silently returned a wrong-sized string. Hold the
length in a zend_long, matching the zend_long writesize already used in
shmop_write().

Author: iliaal

ext/shmop/shmop.c

@@ -224,7 +224,7 @@ PHP_FUNCTION(shmop_read)
 	zend_long start, count;
 	php_shmop *shmop;
 	char *startaddr;
-	int bytes;
+	zend_long bytes;
 	zend_string *return_string;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "Oll", &shmid, shmop_ce, &start, &count) == FAILURE) {