Skip to content

Commit 237932f

Browse files
arshidkv12devnexen
authored andcommitted
ext/bz2: Reject oversized input in bzdecompress()
close phpGH-22242
1 parent 7aff22c commit 237932f

3 files changed

Lines changed: 32 additions & 1 deletion

File tree

NEWS

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,9 @@ PHP NEWS
2525
- BCMath:
2626
. Added NUL-byte validation to BCMath functions. (jorgsowa)
2727

28+
- BZ2:
29+
. Reject oversized input in bzdecompress(). (arshidkv12)
30+
2831
- Date:
2932
. Update timelib to 2022.16. (Derick)
3033

ext/bz2/bz2.c

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -519,11 +519,15 @@ PHP_FUNCTION(bzdecompress)
519519
bzs.bzalloc = NULL;
520520
bzs.bzfree = NULL;
521521

522+
if (source_len > UINT_MAX) {
523+
zend_argument_value_error(1, "must have a length less than or equal to %u", UINT_MAX);
524+
RETURN_THROWS();
525+
}
526+
522527
if (BZ2_bzDecompressInit(&bzs, 0, (int)small) != BZ_OK) {
523528
RETURN_FALSE;
524529
}
525530

526-
// TODO Check source string length fits in unsigned int
527531
bzs.next_in = source;
528532
bzs.avail_in = source_len;
529533

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
--TEST--
2+
bzdecompress() rejects input larger than 4294967296
3+
--EXTENSIONS--
4+
bz2
5+
--INI--
6+
memory_limit=8G
7+
--SKIPIF--
8+
<?php
9+
if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
10+
if (getenv('SKIP_SLOW_TESTS')) die('skip slow test');
11+
if (PHP_INT_SIZE != 8) die('skip 64-bit only');
12+
?>
13+
--FILE--
14+
<?php
15+
16+
try {
17+
$data = str_repeat("A", 4294967296);
18+
bzdecompress($data);
19+
} catch (ValueError $e) {
20+
echo $e->getMessage(), "\n";
21+
}
22+
?>
23+
--EXPECT--
24+
bzdecompress(): Argument #1 ($data) must have a length less than or equal to 4294967295

0 commit comments

Comments
 (0)