Patch for 72837
commit 27b9daa8f58defdfce71163340ff58374cc5eb4f | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Mon Aug 15 23:17:26 2016 -0700 | |
Fix bug #72837 - integer overflow in bzdecompress caused heap corruption | |
diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c | |
index 54b59f7..79ec3ec 100644 | |
--- a/ext/bz2/bz2.c | |
+++ b/ext/bz2/bz2.c | |
@@ -574,15 +574,25 @@ static PHP_FUNCTION(bzdecompress) | |
/* compression is better then 2:1, need to allocate more memory */ | |
bzs.avail_out = source_len; | |
size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32; | |
+ if (size > INT_MAX) { | |
+ /* no reason to continue if we're going to drop it anyway */ | |
+ break; | |
+ } | |
dest = safe_erealloc(dest, 1, bzs.avail_out+1, (size_t) size ); | |
bzs.next_out = dest + size; | |
} | |
if (error == BZ_STREAM_END || error == BZ_OK) { | |
size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32; | |
+ if (size > INT_MAX) { | |
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Decompressed size too big, max is %d", INT_MAX); | |
+ efree(dest); | |
+ RETVAL_LONG(BZ_MEM_ERROR); | |
+ } else { | |
dest = safe_erealloc(dest, 1, (size_t) size, 1); | |
dest[size] = '\0'; | |
RETVAL_STRINGL(dest, (int) size, 0); | |
+ } | |
} else { /* real error */ | |
efree(dest); | |
RETVAL_LONG(error); |
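Review bot: Both new `size > INT_MAX` guards rely on `size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;`, which scales the high word by UINT_MAX rather than 2^32 and, if `total_out_hi32` is an `unsigned int` as in bzlib's `bz_stream`, is evaluated entirely in 32 bits, so a nonzero high word can wrap to a small value that passes the check. The declaration of `size` is outside the hunk; assuming it is a 64-bit unsigned type, both assignments would be more robust as `size = ((unsigned long long) bzs.total_out_hi32 << 32) | bzs.total_out_lo32;`. The in-loop `break` probably keeps the high word at zero in practice while `source_len` is itself bounded, but that bound is not visible here and deserves a comment or an explicit check. The body of `bzdecompress` starts and ends outside the hunk.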