diff options
author | Anatol Belski <ab@php.net> | 2016-08-16 12:34:25 +0200 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-08-17 11:33:06 +0200 |
commit | a20112a1d69e550fafee88aa9065851925bcf3e0 (patch) | |
tree | f4af29be40027e6681851ca8ed596fc9d0b72b6a | |
parent | 5ba1cbec0784636faeb7a527dbc1510f61bd5732 (diff) | |
download | php-git-a20112a1d69e550fafee88aa9065851925bcf3e0.tar.gz |
Fix bug #72837 - integer overflow in bzdecompress caused heap corruption
Conflicts:
ext/bz2/bz2.c
(cherry picked from commit 67d0fe39ee554563476ecae13c626580ae1a6612)
-rw-r--r-- | ext/bz2/bz2.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c index bc6379aeea..60bb71ee8d 100644 --- a/ext/bz2/bz2.c +++ b/ext/bz2/bz2.c @@ -594,16 +594,26 @@ static PHP_FUNCTION(bzdecompress) /* compression is better then 2:1, need to allocate more memory */ bzs.avail_out = source_len; size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32; + if (size > SIZE_MAX) { + /* no reason to continue if we're going to drop it anyway */ + break; + } dest = safe_erealloc(dest, 1, bzs.avail_out+1, (size_t) size ); bzs.next_out = dest + size; } if (error == BZ_STREAM_END || error == BZ_OK) { size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32; - dest = safe_erealloc(dest, 1, (size_t) size, 1); - dest[size] = '\0'; - RETVAL_STRINGL(dest, (int) size); - efree(dest); + if (size > SIZE_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Decompressed size too big, max is %zd", SIZE_MAX); + efree(dest); + RETVAL_LONG(BZ_MEM_ERROR); + } else { + dest = safe_erealloc(dest, 1, (size_t) size, 1); + dest[size] = '\0'; + RETVAL_STRINGL(dest, (size_t) size); + efree(dest); + } } else { /* real error */ efree(dest); RETVAL_LONG(error); |