php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.5'

Browse Source 
* PHP-8.5:
  bz2: Fix truncation of total output size causing erroneous errors
This commit is contained in:
ndossche
2026-02-27 23:49:46 +01:00
parent 114c0d6e93 9248a6c70e
commit c68ede953a
2 changed files with 21 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ext/bz2/bz2.c
View File

@@ -537,18 +537,17 @@ PHP_FUNCTION(bzdecompress)
while ((error = BZ2_bzDecompress(&bzs)) == BZ_OK && bzs.avail_in > 0) {
/* compression is better then 2:1, need to allocate more memory */
bzs.avail_out = source_len;
size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
size = (((uint64_t) bzs.total_out_hi32) << 32U) + bzs.total_out_lo32;
if (UNEXPECTED(size > SIZE_MAX)) {
/* no reason to continue if we're going to drop it anyway */
break;
}
dest = zend_string_safe_realloc(dest, 1, bzs.avail_out+1, (size_t) size, 0);
bzs.next_out = ZSTR_VAL(dest) + size;
}
if (error == BZ_STREAM_END || error == BZ_OK) {
size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
size = (((uint64_t) bzs.total_out_hi32) << 32U) + bzs.total_out_lo32;
if (UNEXPECTED(size > SIZE_MAX)) {
php_error_docref(NULL, E_WARNING, "Decompressed size too big, max is %zu", SIZE_MAX);
zend_string_efree(dest);

19
ext/bz2/tests/gh20807.phpt Normal file
View File

File diff suppressed because one or more lines are too long