mirrors/php-src
0
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-01-27 06:03:45 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix bug #72837 - integer overflow in bzdecompress caused heap corruption

Browse Source 
Conflicts:
	ext/bz2/bz2.c
This commit is contained in:
Anatol Belski 2016-08-16 12:34:25 +02:00
parent c2a13ced42
commit 67d0fe39ee
1 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
ext/bz2/bz2.c
View File

@ -594,16 +594,26 @@ static PHP_FUNCTION(bzdecompress)
/* compression is better then 2:1, need to allocate more memory */
bzs.avail_out = source_len;
size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
if (size > SIZE_MAX) {
/* no reason to continue if we're going to drop it anyway */
break;
}
dest = safe_erealloc(dest, 1, bzs.avail_out+1, (size_t) size );
bzs.next_out = dest + size;
}
if (error == BZ_STREAM_END || error == BZ_OK) {
size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
dest = safe_erealloc(dest, 1, (size_t) size, 1);
dest[size] = '\0';
RETVAL_STRINGL(dest, (int) size);
efree(dest);
if (size > SIZE_MAX) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Decompressed size too big, max is %zd", SIZE_MAX);
efree(dest);
RETVAL_LONG(BZ_MEM_ERROR);
} else {
dest = safe_erealloc(dest, 1, (size_t) size, 1);
dest[size] = '\0';
RETVAL_STRINGL(dest, (size_t) size);
efree(dest);
}
} else { /* real error */
efree(dest);
RETVAL_LONG(error);