Fixed GH-21376: gzfile and readgzfile no longer detect corrupted gzip data

Gabriel Cordeiro · Gabriel Cordeiro · commit 48028bc53f70 · 2026-03-07T18:21:44.000-03:00
When gzip data is corrupted, gzread() can return positive byte count while
gzerror() indicates Z_DATA_ERROR. The zlib stream wrapper now checks gzerror()
after each gzread() and returns -1 so that gzfile() returns an empty array
and readgzfile() returns -1 as in previous PHP versions.
readgzfile() also now uses ssize_t for php_stream_passthru() result so that
-1 is correctly returned on error instead of being cast to a large size_t.
diff --git a/NEWS b/NEWS
@@ -320,6 +320,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-20439 (xml_set_default_handler() does not properly handle
     special characters in attributes when passing data to callback). (ndossche)
 
+- Zlib:
+  . Fixed bug GH-21376 (gzfile and readgzfile no longer detect corrupted gzip
+    data). (GabrielCordeiroBarrosoTeles)
+
 - Zip:
   . Fix crash in property existence test. (ndossche)
   . Don't truncate return value of zip_fread() with user sizes. (ndossche)
diff --git a/ext/zlib/tests/bug21376_corrupt_gz.phpt b/ext/zlib/tests/bug21376_corrupt_gz.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #21376: gzfile and readgzfile must detect corrupted gzip data
+--EXTENSIONS--
+zlib
+--FILE--
+<?php
+/* Minimal invalid gzip: magic + garbage so zlib reports Z_DATA_ERROR */
+$corrupt = __DIR__ . '/bug21376_corrupt.gz';
+file_put_contents($corrupt, "\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03" . "invalid compressed data");
+
+$result = @gzfile($corrupt);
+var_dump($result);
+
+ob_start();
+$result = @readgzfile($corrupt);
+ob_end_clean();
+var_dump($result);
+
+@unlink($corrupt);
+?>
+--EXPECT--
+array(0) {
+}
+int(-1)
diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c
@@ -677,7 +677,7 @@ PHP_FUNCTION(readgzfile)
 	size_t filename_len;
 	int flags = REPORT_ERRORS;
 	php_stream *stream;
-	size_t size;
+	ssize_t size;
 	bool use_include_path = false;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|b", &filename, &filename_len, &use_include_path) == FAILURE) {
@@ -695,7 +695,7 @@ PHP_FUNCTION(readgzfile)
 	}
 	size = php_stream_passthru(stream);
 	php_stream_close(stream);
-	RETURN_LONG(size);
+	RETURN_LONG((zend_long) size);
 }
 /* }}} */
 
diff --git a/ext/zlib/zlib_fopen_wrapper.c b/ext/zlib/zlib_fopen_wrapper.c
@@ -65,6 +65,17 @@ static ssize_t php_gziop_read(php_stream *stream, char *buf, size_t count)
 			return read;
 		}
 
+		/* Corrupt gzip data: gzread() may return bytes while gzerror indicates Z_DATA_ERROR */
+		if (read > 0) {
+			int zerr;
+			gzerror(self->gz_file, &zerr);
+			if (zerr == Z_DATA_ERROR || zerr == Z_STREAM_ERROR) {
+				stream->eof = 1;
+				php_gziop_report_errors(stream, chunk_size, "Read");
+				return -1;
+			}
+		}
+
 		total_read += read;
 		buf += read;
 	} while (count > 0 && !stream->eof);
