From 2f05830a5fb8d8b00c9496fa64906c8a92be90aa Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Sun, 16 Nov 2025 23:01:44 +0100
Subject: [PATCH] zip: Don't truncate return value of zip_fread() with user sizes
The return type has been zip_int64_t since 2009, so we shouldn't truncate to an int because the user may have requested a size that won't fit in an int. Closes GH-20509.
---
 NEWS | 1 +
 ext/zip/php_zip.c | 7 ++-----
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/NEWS b/NEWS
index 0ef238afe42..516f6abd462 100644
--- a/NEWS
+++ b/NEWS
@@ -52,6 +52,7 @@ PHP NEWS
 - Zip:
 . Fix crash in property existence test. (ndossche)
+ . Don't truncate return value of zip_fread() with user sizes. (ndossche)
 - Zlib:
 . Fix assertion failures resulting in crashes with stream filter
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index 15f55cba712..f1630192e60 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -1332,7 +1332,6 @@ PHP_FUNCTION(zip_entry_read)
 zend_long len = 0;
 zip_read_rsrc * zr_rsrc;
 zend_string *buffer;
- int n = 0;
 if (zend_parse_parameters(ZEND_NUM_ARGS(), "r|l", &zip_entry, &len) == FAILURE) {
 RETURN_THROWS();
@@ -1348,7 +1347,7 @@ PHP_FUNCTION(zip_entry_read)
 if (zr_rsrc->zf) {
 buffer = zend_string_safe_alloc(1, len, 0, 0);
- n = zip_fread(zr_rsrc->zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer));
+ zip_int64_t n = zip_fread(zr_rsrc->zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer));
 if (n > 0) {
 ZSTR_VAL(buffer)[n] = '\0';
 ZSTR_LEN(buffer) = n;
@@ -2910,8 +2909,6 @@ static void php_zip_get_from(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */
 zend_string *filename;
 zend_string *buffer;
- int n = 0;
-
 if (type == 1) {
 if (zend_parse_parameters(ZEND_NUM_ARGS(), "P|ll", &filename, &len, &flags) == FAILURE) {
 RETURN_THROWS();
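Review bot: In the `@@ -1348,7 +1347,7 @@` hunk of ext/zip/php_zip.c (zip_entry_read), nothing records why the 64-bit `n` returned by zip_fread() is a safe index for `ZSTR_VAL(buffer)[n] = '\0'` or a safe value for `ZSTR_LEN(buffer) = n`. Both rely on zip_fread() never returning more than the requested `ZSTR_LEN(buffer)`, which keeps the write inside the terminator byte of the allocation and makes the store into a size_t lossless even where size_t is 32 bits. I would state that invariant right after the `n > 0` test, for example `ZEND_ASSERT((size_t)n <= ZSTR_LEN(buffer));`, or with a one-line comment to the same effect. The function starts and ends outside the hunk, so whether `len` is range-checked before `zend_string_safe_alloc(1, len, 0, 0)` cannot be confirmed from these lines.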
@@ -2948,7 +2945,7 @@ static void php_zip_get_from(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */
 }
 buffer = zend_string_safe_alloc(1, len, 0, 0);
- n = zip_fread(zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer));
+ zip_int64_t n = zip_fread(zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer));
 if (n < 1) {
 zend_string_efree(buffer);
 RETURN_EMPTY_STRING();
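Review bot: The `n < 1` branch in php_zip_get_from frees `buffer` and returns with no visible `zip_fclose(zf)`, so the entry handle appears to stay open whenever the read fails or yields nothing. Adding `zip_fclose(zf);` before `RETURN_EMPTY_STRING();` would release it on this path as well. The same branch folds a negative zip_fread() result into the empty-string return, so a caller cannot tell a read error from an empty entry; a short comment stating that this is intentional would help. The function continues outside the hunk, so confirm the handle is not released elsewhere, for instance when the archive is closed, before changing it.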