diff options
| -rw-r--r-- | ext/bz2/bz2.c | 6 | ||||
| -rw-r--r-- | ext/bz2/tests/72613.bz2 | bin | 0 -> 351 bytes | |||
| -rw-r--r-- | ext/bz2/tests/bug72613.phpt | 23 | ||||
| -rw-r--r-- | ext/curl/interface.c | 4 | ||||
| -rw-r--r-- | ext/mcrypt/mcrypt.c | 8 | ||||
| -rw-r--r-- | ext/pdo_pgsql/tests/bug72570.phpt | 4 |
6 files changed, 42 insertions, 3 deletions
diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c index 359425437d..bc6379aeea 100644 --- a/ext/bz2/bz2.c +++ b/ext/bz2/bz2.c @@ -148,7 +148,11 @@ static size_t php_bz2iop_read(php_stream *stream, char *buf, size_t count) just_read = BZ2_bzread(self->bz_file, buf, to_read); if (just_read < 1) { - stream->eof = 0 == just_read; + /* it is not safe to keep reading after an error, see #72613 */ + stream->eof = 1; + if (just_read < 0) { + return -1; + } break; } diff --git a/ext/bz2/tests/72613.bz2 b/ext/bz2/tests/72613.bz2 Binary files differnew file mode 100644 index 0000000000..0b932f8d91 --- /dev/null +++ b/ext/bz2/tests/72613.bz2 diff --git a/ext/bz2/tests/bug72613.phpt b/ext/bz2/tests/bug72613.phpt new file mode 100644 index 0000000000..82547e6ae0 --- /dev/null +++ b/ext/bz2/tests/bug72613.phpt @@ -0,0 +1,23 @@ +--TEST-- +Bug #72613 (Inadequate error handling in bzread()) +--SKIPIF-- +<?php if (!extension_loaded("bz2")) print "skip"; ?> +--FILE-- +<?php +$fp = bzopen(__DIR__.'/72613.bz2', 'r'); +if ($fp === FALSE) { + exit("ERROR: bzopen()"); +} +$data = ""; +while (!feof($fp)) { + $res = bzread($fp); + if ($res === FALSE) { + exit("ERROR: bzread()"); + } + $data .= $res; +} +bzclose($fp); +?> +DONE +--EXPECT-- +DONE
\ No newline at end of file diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 6a616411ef..7d085de73c 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -3595,6 +3595,10 @@ PHP_FUNCTION(curl_unescape) RETURN_FALSE; } + if (str_len > INT_MAX) { + RETURN_FALSE; + } + if ((out = curl_easy_unescape(ch->cp, str, str_len, &out_len))) { RETVAL_STRINGL(out, out_len); curl_free(out); diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c index fb5c638c97..73acaa29f2 100644 --- a/ext/mcrypt/mcrypt.c +++ b/ext/mcrypt/mcrypt.c @@ -645,6 +645,10 @@ PHP_FUNCTION(mcrypt_generic) memset(ZSTR_VAL(data_str), 0, data_size); memcpy(ZSTR_VAL(data_str), data, data_len); } else { /* It's not a block algorithm */ + if (data_len > INT_MAX) { + php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX); + RETURN_FALSE; + } data_size = (int)data_len; data_str = zend_string_alloc(data_size, 0); memset(ZSTR_VAL(data_str), 0, data_size); @@ -695,6 +699,10 @@ PHP_FUNCTION(mdecrypt_generic) memset(data_s, 0, data_size); memcpy(data_s, data, data_len); } else { /* It's not a block algorithm */ + if (data_len > INT_MAX) { + php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX); + RETURN_FALSE; + } data_size = (int)data_len; data_s = emalloc(data_size + 1); memset(data_s, 0, data_size); diff --git a/ext/pdo_pgsql/tests/bug72570.phpt b/ext/pdo_pgsql/tests/bug72570.phpt index 1ac68a3892..e52efd93bb 100644 --- a/ext/pdo_pgsql/tests/bug72570.phpt +++ b/ext/pdo_pgsql/tests/bug72570.phpt @@ -18,11 +18,11 @@ $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); $stmt = $db->prepare("SELECT 1"); try { - $stmt->execute([1]); + var_dump($stmt->execute([1])); } catch (PDOException $e) { var_dump($e->getCode()); } ?> --EXPECT-- -string(5) "08P01" +bool(false) |