php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.5'

Browse Source 
* PHP-8.5:
  Fix assertion failures resulting in crashes with stream filter object parameters
This commit is contained in:
Niels Dossche
2025-11-17 18:24:42 +01:00
parent f411e7fd0f 6cac6d49ce
commit a1ed754066
5 changed files with 65 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
ext/zlib/tests/filter_broken_object_options.phpt Normal file
View File

@@ -0,0 +1,21 @@
--TEST--
zlib filter assertion failure with non-dynamic properties in filter param object
--EXTENSIONS--
zlib
--FILE--
<?php
class Params {
public int $memory = 6;
public int $window = 15;
public int $level = 6;
}
$fp = fopen('php://stdout', 'w');
stream_filter_append($fp, 'zlib.deflate', STREAM_FILTER_WRITE, new Params);
stream_filter_append($fp, 'zlib.inflate', STREAM_FILTER_WRITE, new Params);
fwrite($fp, "Hello world, hopefully not broken\n");
?>
--EXPECT--
Hello world, hopefully not broken

13
ext/zlib/zlib_filter.c
View File

@@ -323,7 +323,7 @@ static php_stream_filter *php_zlib_filter_create(const char *filtername, zval *f
zval *tmpzval;
if ((Z_TYPE_P(filterparams) == IS_ARRAY || Z_TYPE_P(filterparams) == IS_OBJECT) &&
(tmpzval = zend_hash_str_find(HASH_OF(filterparams), "window", sizeof("window") - 1))) {
(tmpzval = zend_hash_str_find_ind(HASH_OF(filterparams), "window", sizeof("window") - 1))) {
/* log-2 base of history window (9 - 15) */
zend_long tmp = zval_get_long(tmpzval);
if (tmp < -MAX_WBITS || tmp > MAX_WBITS + 32) {
@@ -354,8 +354,10 @@ static php_stream_filter *php_zlib_filter_create(const char *filtername, zval *f
switch (Z_TYPE_P(filterparams)) {
case IS_ARRAY:
case IS_OBJECT:
if ((tmpzval = zend_hash_str_find(HASH_OF(filterparams), "memory", sizeof("memory") -1))) {
case IS_OBJECT: {
HashTable *ht = HASH_OF(filterparams);
if ((tmpzval = zend_hash_str_find_ind(ht, "memory", sizeof("memory") -1))) {
/* Memory Level (1 - 9) */
tmp = zval_get_long(tmpzval);
if (tmp < 1 || tmp > MAX_MEM_LEVEL) {
@@ -365,7 +367,7 @@ static php_stream_filter *php_zlib_filter_create(const char *filtername, zval *f
}
}
if ((tmpzval = zend_hash_str_find(HASH_OF(filterparams), "window", sizeof("window") - 1))) {
if ((tmpzval = zend_hash_str_find_ind(ht, "window", sizeof("window") - 1))) {
/* log-2 base of history window (9 - 15) */
tmp = zval_get_long(tmpzval);
if (tmp < -MAX_WBITS || tmp > MAX_WBITS + 16) {
@@ -375,13 +377,14 @@ static php_stream_filter *php_zlib_filter_create(const char *filtername, zval *f
}
}
if ((tmpzval = zend_hash_str_find(HASH_OF(filterparams), "level", sizeof("level") - 1))) {
if ((tmpzval = zend_hash_str_find_ind(ht, "level", sizeof("level") - 1))) {
tmp = zval_get_long(tmpzval);
/* Pseudo pass through to catch level validating code */
goto factory_setlevel;
}
break;
}
case IS_STRING:
case IS_DOUBLE:
case IS_LONG: