Skip to content

Instantly share code, notes, and snippets.

/72837.diff Secret
Created Aug 16, 2016

Embed
What would you like to do?
Patch for 72837
commit 27b9daa8f58defdfce71163340ff58374cc5eb4f
Author: Stanislav Malyshev <stas@php.net>
Date: Mon Aug 15 23:17:26 2016 -0700
Fix bug #72837 - integer overflow in bzdecompress caused heap corruption
diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c
index 54b59f7..79ec3ec 100644
--- a/ext/bz2/bz2.c
+++ b/ext/bz2/bz2.c
@@ -574,15 +574,25 @@ static PHP_FUNCTION(bzdecompress)
/* compression is better then 2:1, need to allocate more memory */
bzs.avail_out = source_len;
size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
+ if (size > INT_MAX) {
+ /* no reason to continue if we're going to drop it anyway */
+ break;
+ }
dest = safe_erealloc(dest, 1, bzs.avail_out+1, (size_t) size );
bzs.next_out = dest + size;
}
if (error == BZ_STREAM_END || error == BZ_OK) {
size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
+ if (size > INT_MAX) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Decompressed size too big, max is %d", INT_MAX);
+ efree(dest);
+ RETVAL_LONG(BZ_MEM_ERROR);
+ } else {
dest = safe_erealloc(dest, 1, (size_t) size, 1);
dest[size] = '\0';
RETVAL_STRINGL(dest, (int) size, 0);
+ }
} else { /* real error */
efree(dest);
RETVAL_LONG(error);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.