ext/bz2: Reject oversized input in bzdecompress()

arshidkv12 · devnexen · commit 237932f37beb · 2026-06-07T20:03:54.000+01:00
close phpGH-22242
diff --git a/NEWS b/NEWS
@@ -25,6 +25,9 @@ PHP                                                                        NEWS
 - BCMath:
   . Added NUL-byte validation to BCMath functions. (jorgsowa)
 
+- BZ2:
+  . Reject oversized input in bzdecompress(). (arshidkv12)
+
 - Date:
   . Update timelib to 2022.16. (Derick)
 
diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c
@@ -519,11 +519,15 @@ PHP_FUNCTION(bzdecompress)
 	bzs.bzalloc = NULL;
 	bzs.bzfree = NULL;
 
+	if (source_len > UINT_MAX) {
+		zend_argument_value_error(1, "must have a length less than or equal to %u", UINT_MAX);
+		RETURN_THROWS();
+	}
+
 	if (BZ2_bzDecompressInit(&bzs, 0, (int)small) != BZ_OK) {
 		RETURN_FALSE;
 	}
 
-	// TODO Check source string length fits in unsigned int
 	bzs.next_in = source;
 	bzs.avail_in = source_len;
 
diff --git a/ext/bz2/tests/bzdecompress_input_too_large.phpt b/ext/bz2/tests/bzdecompress_input_too_large.phpt
@@ -0,0 +1,24 @@
+--TEST--
+bzdecompress() rejects input larger than 4294967296
+--EXTENSIONS--
+bz2
+--INI--
+memory_limit=8G
+--SKIPIF--
+<?php
+if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
+if (getenv('SKIP_SLOW_TESTS')) die('skip slow test');
+if (PHP_INT_SIZE != 8) die('skip 64-bit only');
+?>
+--FILE--
+<?php
+
+try {
+    $data = str_repeat("A", 4294967296);
+    bzdecompress($data);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+bzdecompress(): Argument #1 ($data) must have a length less than or equal to 4294967295
