fix faulty fix for Bug #40189, and provide real fix for the bug

Greg Beaver 2008-01-12 21:25:43 +00:00
parent 64cb8c8111
commit 368ba87ead
5 changed files with 51 additions and 12 deletions


@ -108,12 +108,7 @@ static php_stream_filter_status_t php_bz2_decompress_filter(
consumed += desired;
bin += desired;
if (!desired) {
flags |= PSFS_FLAG_FLUSH_CLOSE;
break;
}
if (data->strm.avail_out < data->outbuf_len) {
if (status == BZ_STREAM_END || data->strm.avail_out < data->outbuf_len) {
php_stream_bucket *out_bucket;
size_t bucketlen = data->outbuf_len - data->strm.avail_out;
out_bucket = php_stream_bucket_new(stream, estrndup(data->outbuf, bucketlen), bucketlen, 1, 0 TSRMLS_CC);
@ -121,6 +116,13 @@ static php_stream_filter_status_t php_bz2_decompress_filter(
data->strm.avail_out = data->outbuf_len;
data->strm.next_out = data->outbuf;
exit_status = PSFS_PASS_ON;
if (status == BZ_STREAM_END) {
/* no more data to decompress, and nothing was spat out */
if (data->strm.avail_out >= data->outbuf_len) {
php_stream_bucket_delref(bucket TSRMLS_CC);
}
return PSFS_PASS_ON;
}
}
}
php_stream_bucket_delref(bucket TSRMLS_CC);
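Review bot: The guard `if (data->strm.avail_out >= data->outbuf_len)` inside the new `BZ_STREAM_END` branch is always true, because `data->strm.avail_out = data->outbuf_len;` runs just above it, so the comment "nothing was spat out" does not describe what is actually tested. As written the input bucket is released on every end-of-stream return, which looks like the right ownership behaviour, so the clearer form is to drop the condition, keep `php_stream_bucket_delref(bucket TSRMLS_CC);` unconditional, and reword the comment to `/* end of stream: release the input bucket before returning */`. The same always-true test appears in the `Z_STREAM_END` branch of php_zlib_inflate_filter. The widened outer condition `status == BZ_STREAM_END || ...` also builds an output bucket with `bucketlen == 0` when the stream ends without producing data; skipping the bucket creation in that case would avoid passing empty buckets downstream. The function body starts and ends outside these hunks.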

BIN
ext/zlib/tests/bug.tar Normal file

Binary file not shown.


@ -0,0 +1,21 @@
--TEST--
Bug #40189 (endless loop in zlib.inflate stream filter)
--SKIPIF--
<?php if (!extension_loaded("zlib")) print "skip"; ?>
--FILE--
<?php
// this string is an excerpt of a phar archive that caused an infinite loop
$a = "\x3\x0\x85\x46\x2f\x7c\xc2\xaa\x69\x2b\x6d\xe5\xdb\xfe\xe4\x21\x8f\x0\x97\x21\x1d\x2\x0\x0\x0\x47\x42\x4d\x42";
var_dump(base64_encode($a));
$gp = fopen('test.other', 'wb');
$fp = fopen('data://text/plain;base64,AwCFRi98wqppK23l2/7kIY8AlyEdAgAAAEdCTUI=', 'r');
stream_filter_append($fp, 'zlib.inflate', STREAM_FILTER_READ);
var_dump(stream_copy_to_stream($fp, $gp, 5));
fclose($fp);
fclose($gp);
var_dump(file_get_contents('test.other'));
?>
--EXPECT--
string(40) "AwCFRi98wqppK23l2/7kIY8AlyEdAgAAAEdCTUI="
int(0)
string(0) ""
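Review bot: The test writes `test.other` into the current working directory and never removes it, so each run leaves a stray file behind and the result depends on the cwd being writable. Build the path from the test's own directory, `$gp = fopen(dirname(__FILE__) . '/test.other', 'wb');`, read it back from the same path, and delete it at the end with `unlink()` or a `--CLEAN--` section. `$a` is only used to print its base64 form, so a short comment noting that the data URI on the next `fopen` line carries the same bytes would help readers.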


@ -0,0 +1,14 @@
--TEST--
Bug #40189 (test for truncated deflate, also part of erroneous fix for #40189)
--SKIPIF--
<?php if (!extension_loaded("zlib")) print "skip"; ?>
--FILE--
<?php
$a = fopen('ext/zlib/tests/bug.tar', 'rb');
stream_filter_append($a, 'zlib.deflate', STREAM_FILTER_READ, array('window' => 15+16));
$b = fread($a, 4716032);
var_dump(strlen($b));
// when broken, this outputs "int(686904)"
?>
--EXPECT--
int(1676116)
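Review bot: `fopen('ext/zlib/tests/bug.tar', 'rb')` is resolved against the current working directory, so the test only passes when the runner starts in the source root; `fopen(dirname(__FILE__) . '/bug.tar', 'rb')` makes it independent of that. The handle is used without checking that the open succeeded and is never closed, so a missing fixture shows up as warnings plus a wrong length rather than a clear failure. The title says "truncated deflate" while the script compresses with `zlib.deflate` and `'window' => 15+16`; a one-line comment stating what the expected length 1676116 represents would make the regression easier to maintain.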


@ -106,12 +106,7 @@ static php_stream_filter_status_t php_zlib_inflate_filter(
data->strm.avail_in = 0;
bin += desired;
if (!desired) {
flags |= PSFS_FLAG_FLUSH_CLOSE;
break;
}
if (data->strm.avail_out < data->outbuf_len) {
if (status == Z_STREAM_END || data->strm.avail_out < data->outbuf_len) {
php_stream_bucket *out_bucket;
size_t bucketlen = data->outbuf_len - data->strm.avail_out;
out_bucket = php_stream_bucket_new(stream, estrndup(data->outbuf, bucketlen), bucketlen, 1, 0 TSRMLS_CC);
@ -119,6 +114,13 @@ static php_stream_filter_status_t php_zlib_inflate_filter(
data->strm.avail_out = data->outbuf_len;
data->strm.next_out = data->outbuf;
exit_status = PSFS_PASS_ON;
if (status == Z_STREAM_END) {
/* no more data to decompress, and nothing was spat out */
if (data->strm.avail_out >= data->outbuf_len) {
php_stream_bucket_delref(bucket TSRMLS_CC);
}
return PSFS_PASS_ON;
}
}
}
consumed += bucket->buflen;
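Review bot: The early `return PSFS_PASS_ON;` in the `Z_STREAM_END` branch leaves the loop before `consumed += bucket->buflen;` runs, so the final bucket is never added to the count. If the code after the loop reports `consumed` to the caller (that part is outside the hunk), the end-of-stream path returns without doing so, and any input that follows the end of the deflate stream is dropped with no indication. Either fall through to the function's normal exit instead of returning here, or state the intent next to the return, for example `/* end of stream: trailing input is ignored and not counted as consumed */`. The function continues beyond both ends of the hunk.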