Skip to content

Commit 85275ea

Browse files
ndosschearnaud-lb
ndossche
and
arnaud-lb
committed
bz2: Fix truncation of total output size causing erroneous errors
Also switch to uint64_t as that's used on master and makes the code simpler to fix. Co-authored-by: Arnaud Le Blanc <arnaud.lb@gmail.com>
1 parent 1709689 commit 85275ea

File tree

2 files changed

+21
-13
lines changed

2 files changed

+21
-13
lines changed

ext/bz2/bz2.c

Lines changed: 4 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -502,11 +502,7 @@ PHP_FUNCTION(bzdecompress)
502502
size_t source_len;
503503
int error;
504504
bool small = 0;
505-
#ifdef PHP_WIN32
506-
unsigned __int64 size = 0;
507-
#else
508-
unsigned long long size = 0;
509-
#endif
505+
uint64_t size = 0;
510506
bz_stream bzs;
511507

512508
if (FAILURE == zend_parse_parameters(ZEND_NUM_ARGS(), "s|b", &source, &source_len, &small)) {
@@ -531,27 +527,22 @@ PHP_FUNCTION(bzdecompress)
531527
while ((error = BZ2_bzDecompress(&bzs)) == BZ_OK && bzs.avail_in > 0) {
532528
/* compression is better then 2:1, need to allocate more memory */
533529
bzs.avail_out = source_len;
534-
size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
535-
#ifndef ZEND_ENABLE_ZVAL_LONG64
530+
size = (((uint64_t) bzs.total_out_hi32) << 32U) + bzs.total_out_lo32;
536531
if (size > SIZE_MAX) {
537532
/* no reason to continue if we're going to drop it anyway */
538533
break;
539534
}
540-
#endif
541535
dest = zend_string_safe_realloc(dest, 1, bzs.avail_out+1, (size_t) size, 0);
542536
bzs.next_out = ZSTR_VAL(dest) + size;
543537
}
544538

545539
if (error == BZ_STREAM_END || error == BZ_OK) {
546-
size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
547-
#ifndef ZEND_ENABLE_ZVAL_LONG64
540+
size = (((uint64_t) bzs.total_out_hi32) << 32U) + bzs.total_out_lo32;
548541
if (UNEXPECTED(size > SIZE_MAX)) {
549542
php_error_docref(NULL, E_WARNING, "Decompressed size too big, max is %zd", SIZE_MAX);
550543
zend_string_efree(dest);
551544
RETVAL_LONG(BZ_MEM_ERROR);
552-
} else
553-
#endif
554-
{
545+
} else {
555546
dest = zend_string_safe_realloc(dest, 1, (size_t)size, 1, 0);
556547
ZSTR_LEN(dest) = (size_t)size;
557548
ZSTR_VAL(dest)[(size_t)size] = '\0';

ext/bz2/tests/gh20807.phpt

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
--TEST--
2+
Truncation of total output size causing erroneous size and data
3+
--EXTENSIONS--
4+
bz2
5+
--INI--
6+
memory_limit=-1
7+
--SKIPIF--
8+
<?php
9+
if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
10+
if (getenv("SKIP_SLOW_TESTS")) die('skip slow test');
11+
?>
12+
--FILE--
13+
<?php
14+
var_dump(sha1(bzdecompress(base64_decode("QlpoOTFBWSZTWei3pg8BX44IAMAAAAggADCATUZCoCWpCoCXMUFZJlNZ6LemDwFfjggAwAAACCAAMIBNRkKgJakKgJcxQVkmU1not6YPAV+OCADAAAAIIAAwgE1GQqAlqQqAlzFBWSZTWei3pg8BX44IAMAAAAggADCATUZCoCWpCoCXMUFZJlNZ6LemDwFfjggAwAAACCAAMIBNRkKgJakKgJcxQVkmU1not6YPAV+OCADAAAAIIAAwgE1GQqAlqQqAlzFBWSZTWei3pg8BX44IAMAAAAggADCATUZCoCWpCoCXMUFZJlNZ6LemDwFfjggAwAAACCAAMIBNRkKgJakKgJcxQVkmU1not6YPAV+OCADAAAAIIAAwgE1GQqAlqQqAlzFBWSZTWei3pg8BX44IAMAAAAggADCATUZCoCWpCoCXMUFZJlNZ6LemDwFfjggAwAAACCAAMIBNRkKgJakKgJcxQVkmU1not6YPAV+OCADAAAAIIAAwgE1GQqAlqQqAlzFBWSZTWei3pg8BX44IAMAAAAggADCATUZCoCWpCoCXMUFZJlNZ6LemDwFfjggAwAAACCAAMIBNRkKgJakKgJcxQVkmU1not6YPAV+OCADAAAAIIAAwgE1GQqAlqQqAlzFBWSZTWei3pg8BX44IAMAAAAggADCATUZCoCWpCoCXMUFZJlNZ6LemDwFfjggAwAAACCAAMIBNRkKgJakKgJcxQVkmU1not6YPAV+OCADAAAAIIAAwgE1GQqAlqQqAlzFBWSZTWei3pg8BX44IAMAAAAggADCATUZCoCWpCoCXMUFZJlNZ6LemDwFfjggAwAAACCAAMIBNRkKgJakKgJcxQVkmU1not6YPAV+OCADAAAAIIAAwgE1GQqAlqQqAlzFBWSZTWei3pg8BX44IAMAAAAggADCATUZCoCWpCoCXMUFZJlNZ6LemDwFfjggAwAAACCAAMIBNRkKgJakKgJcxQVkmU1kuvJCFAIpSiADgBAAIIABwM00E1SepopKSrpQIKdEKSTZKIArRSUlXCFJJ8xQVkmU1ntbvo0AV+OCACgAAAIIAAwgE1GQqAlqQqAlzFBWSZTWe1u+jQBX44IAKAAAAggADCATUZCoCWpCoCXMUFZJlNZ7W76NAFfjggAoAAACCAAMIBNRkKgJakKgJcxQVkmU1ntbvo0AV+OCACgAAAIIAAwgE1GQqAlqQqAlzFBWSZTWe1u+jQBX44IAKAAAAggADCATUZCoCWpCoCXMUFZJlNZ7W76NAFfjggAoAAACCAAMIBNRkKgJakKgJcxQVkmU1ntbvo0AV+OCACgAAAIIAAwgE1GQqAlqQqAlzFBWSZTWe1u+jQBX44IAKAAAAggADCATUZCoCWpCoCXMUFZJlNZ7W76NAFfjggAoAAACCAAMIBNRkKgJakKgJcxQVkmU1ntbvo0AV+OCACgAAAIIAAwgE1GQqAlqQqAlzFBWSZTWe1u+jQBX44IAKAAAAggADCATUZCoCWpCoCXMUFZJlNZ7W76NAFfjggAoAAACCAAMIBNRkKgJakKgJcxQVkmU1ntbvo0AV+OCACgAAAIIAAwgE1GQqAlqQqAlzFBWSZTWe1u+jQBX44IAKAAAAggADCATUZCoCWpCoCXMUFZJlNZ7W76NAFfjggAoAAACCAAMIBNRkKgJakKgJcxQVkmU1ntbvo0AV+OCACgAAAIIAAwgE1GQqAlqQqAlzFBWSZTWe1u+jQBX44IAKAAAAggADCATUZCoCWpCoCXMUFZJlNZ7W76NAFfjggAoAAACCAAMIBNRkKgJakKgJcxQVkmU1ntbvo0AV+OCACgAAAIIAAwgE1GQqAlqQqAlzFBWSZTWe1u+jQBX44IAKAAAAggADCATUZCoCWpCoCXMUFZJlNZ7W76NAFfjggAoAAACCAAMIBNRkKgJakKgJcxQVkmU1ntbvo0AV+OCACgAAAIIAAwgE1GQqAlqQqAlzFBWSZTWTNWeUMBFKWIALAEAAggAGoKUAUqPTiiRIYRVSqLAlSRtRUgViiRIehKkjzFBWSZTWeMFHnkBX44IAJAAAAggADCATUZCoCWpCoCXMUFZJlNZ4wUeeQFfjggAkAAACCAAMIBNRkKgJakKgJcxQVkmU1njBR55AV+OCACQAAAIIAAwgE1GQqAlqQqAlzFBWSZTWeMFHnkBX44IAJAAAAggADCATUZCoCWpCoCXMUFZJlNZ4wUeeQFfjggAkAAACCAAMIBNRkKgJakKgJcxQVkmU1njBR55AV+OCACQAAAIIAAwgE1GQqAlqQqAlzFBWSZTWeMFHnkBX44IAJAAAAggADCATUZCoCWpCoCXMUFZJlNZ4wUeeQFfjggAkAAACCAAMIBNRkKgJakKgJcxQVkmU1njBR55AV+OCACQAAAIIAAwgE1GQqAlqQqAlzFBWSZTWeMFHnkBX44IAJAAAAggADCATUZCoCWpCoCXMUFZJlNZ4wUeeQFfjggAkAAACCAAMIBNRkKgJakKgJcxQVkmU1njBR55AV+OCACQAAAIIAAwgE1GQqAlqQqAlzFBWSZTWeMFHnkBX44IAJAAAAggADCATUZCoCWpCoCXMUFZJlNZ4wUeeQFfjggAkAAACCAAMIBNRkKgJakKgJcxQVkmU1njBR55AV+OCACQAAAIIAAwgE1GQqAlqQqAlzFBWSZTWeMFHnkBX44IAJAAAAggADCATUZCoCWpCoCXMUFZJlNZ4wUeeQFfjggAkAAACCAAMIBNRkKgJakKgJcxQVkmU1njBR55AV+OCACQAAAIIAAwgE1GQqAlqQqAlzFBWSZTWeMFHnkBX44IAJAAAAggADCATUZCoCWpCoCXMUFZJlNZ4wUeeQFfjggAkAAACCAAMIBNRkKgJakKgJcxQVkmU1njBR55AV+OCACQAAAIIAAwgE1GQqAlqQqAlzFBWSZTWeMFHnkBX44IAJAAAAggADCATUZCoCWpCoCXMUFZJlNZ4wUeeQFfjggAkAAACCAAMIBNRkKgJakKgJcxQVkmU1mtxU0XAD9qCACYBAAIIABwM00ClJ6mklKq6qqFVOqEAjYUoClpJSquEQCPmKCskyms824hIQCvxwQARAAABBAAGEAmoyFQEtSFQEuYoKyTKazzbiEhAK/HBABEAAAEEAAYQCajIVAS1IVAS5igrJMprPNuISEAr8cEAEQAAAQQABhAJqMhUBLUhUBLmKCskyms824hIQCvxwQARAAABBAAGEAmoyFQEtSFQEuYoKyTKazzbiEhAK/HBABEAAAEEAAYQCajIVAS1IVAS5igrJMprPNuISEAr8cEAEQAAAQQABhAJqMhUBLUhUBLmKCskyms824hIQCvxwQARAAABBAAGEAmoyFQEtSFQEuYoKyTKazzbiEhAK/HBABEAAAEEAAYQCajIVAS1IVAS5igrJMprPNuISEAr8cEAEQAAAQQABhAJqMhUBLUhUBLmKCskyms824hIQCvxwQARAAABBAAGEAmoyFQEtSFQEuYoKyTKazzbiEhAK/HBABEAAAEEAAYQCajIVAS1IVAS5igrJMprPNuISEAr8cEAEQAAAQQABhAJqMhUBLUhUBLmKCskyms824hIQCvxwQARAAABBAAGEAmoyFQEtSFQEuYoKyTKazzbiEhAK/HBABEAAAEEAAYQCajIVAS1IVAS5igrJMprPNuISEAr8cEAEQAAAQQABhAJqMhUBLUhUBLmKCskyms824hIQCvxwQARAAABBAAGEAmoyFQEtSFQEuYoKyTKazzbiEhAK/HBABEAAAEEAAYQCajIVAS1IVAS5igrJMprPNuISEAr8cEAEQAAAQQABhAJqMhUBLUhUBLmKCskyms824hIQCvxwQARAAABBAAGEAmoyFQEtSFQEuYoKyTKazzbiEhAK/HBABEAAAEEAAYQCajIVAS1IVAS5igrJMprPNuISEAr8cEAEQAAAQQABhAJqMhUBLUhUBLmKCskyms824hIQCvxwQARAAABBAAGEAmoyFQEtSFQEuYoKyTKayOlbYVgGTehABGAgAEEAA4GaaCapPUxBFKcqFISuVSElbRQlVGIIpTpUhJXzFBWSZTWf/S1uMBX44IAIQAAAggADCATUZCoCWpCoCXMUFZJlNZ/9LW4wFfjggAhAAACCAAMIBNRkKgJakKgJcxQVkmU1n/0tbjAV+OCACEAAAIIAAwgE1GQqAlqQqAlzFBWSZTWf/S1uMBX44IAIQAAAggADCATUZCoCWpCoCXMUFZJlNZ/9LW4wFfjggAhAAACCAAMIBNRkKgJakKgJcxQVkmU1n/0tbjAV+OCACEAAAIIAAwgE1GQqAlqQqAlzFBWSZTWf/S1uMBX44IAIQAAAggADCATUZCoCWpCoCXMUFZJlNZ/9LW4wFfjggAhAAACCAAMIBNRkKgJakKgJcxQVkmU1n/0tbjAV+OCACEAAAIIAAwgE1GQqAlqQqAlzFBWSZTWf/S1uMBX44IAIQAAAggADCATUZCoCWpCoCXMUFZJlNZ/9LW4wFfjggAhAAACCAAMIBNRkKgJakKgJcxQVkmU1n/0tbjAV+OCACEAAAIIAAwgE1GQqAlqQqAlzFBWSZTWf/S1uMBX44IAIQAAAggADCATUZCoCWpCoCXMUFZJlNZ/9LW4wFfjggAhAAACCAAMIBNRkKgJakKgJcxQVkmU1n/0tbjAV+OCACEAAAIIAAwgE1GQqAlqQqAlzFBWSZTWf/S1uMBX44IAIQAAAggADCATUZCoCWpCoCXMUFZJlNZ/9LW4wFfjggAhAAACCAAMIBNRkKgJakKgJcxQVkmU1n/0tbjAV+OCACEAAAIIAAwgE1GQqAlqQqAlzFBWSZTWf/S1uMBX44IAIQAAAggADCATUZCoCWpCoCXMUFZJlNZ/9LW4wFfjggAhAAACCAAMIBNRkKgJakKgJcxQVkmU1n/0tbjAV+OCACEAAAIIAAwgE1GQqAlqQqAlzFBWSZTWf/S1uMBX44IAIQAAAggADCATUZCoCWpCoCXMUFZJlNZ9EMghAFUEAgAhgQACCAAUGaaBSk9TQQJJ1CgqqupVSmxKohoIEk4qqU+YoKyTKaz9BcVsAK/HBABBAAAEEAAYQCajIVAS1IVAS5igrJMprP0FxWwAr8cEAEEAAAQQABhAJqMhUBLUhUBLmKCskyms/QXFbACvxwQAQQAABBAAGEAmoyFQEtSFQEuYoKyTKaz9BcVsAK/HBABBAAAEEAAYQCajIVAS1IVAS5igrJMprP0FxWwAr8cEAEEAAAQQABhAJqMhUBLUhUBLmKCskyms/QXFbACvxwQAQQAABBAAGEAmoyFQEtSFQEuYoKyTKaz9BcVsAK/HBABBAAAEEAAYQCajIVAS1IVAS5igrJMprP0FxWwAr8cEAEEAAAQQABhAJqMhUBLUhUBLmKCskyms/QXFbACvxwQAQQAABBAAGEAmoyFQEtSFQEuYoKyTKaz9BcVsAK/HBABBAAAEEAAYQCajIVAS1IVAS5igrJMprP0FxWwAr8cEAEEAAAQQABhAJqMhUBLUhUBLmKCskyms/QXFbACvxwQAQQAABBAAGEAmoyFQEtSFQEuYoKyTKaz9BcVsAK/HBABBAAAEEAAYQCajIVAS1IVAS5igrJMprP0FxWwAr8cEAEEAAAQQABhAJqMhUBLUhUBLmKCskyms/QXFbACvxwQAQQAABBAAGEAmoyFQEtSFQEuYoKyTKaz9BcVsAK/HBABBAAAEEAAYQCajIVAS1IVAS5igrJMprP0FxWwAr8cEAEEAAAQQABhAJqMhUBLUhUBLmKCskyms/QXFbACvxwQAQQAABBAAGEAmoyFQEtSFQEuYoKyTKaz9BcVsAK/HBABBAAAEEAAYQCajIVAS1IVAS5igrJMprP0FxWwAr8cEAEEAAAQQABhAJqMhUBLUhUBLmKCskyms/QXFbACvxwQAQQAABBAAGEAmoyFQEtSFQEuYoKyTKaz9BcVsAK/HBABBAAAEEAAYQCajIVAS1IVAS5igrJMprP0FxWwAr8cEAEEAAAQQABhAJqMhUBLUhUBLmKCskymsiUnBUgA/akQAQYIABBAAOBmmgmqT1NJIgdAKgXShKqNlEqVJaSRA4oSqj5igrJMprPowN0qAr8cEAECAAAQQABhAJqMhUBLUhUBLmKCskyms+jA3SoCvxwQAQIAABBAAGEAmoyFQEtSFQEuYoKyTKaz6MDdKgK/HBABAgAAEEAAYQCajIVAS1IVAS5igrJMprPowN0qAr8cEAECAAAQQABhAJqMhUBLUhUBLmKCskyms+jA3SoCvxwQAQIAABBAAGEAmoyFQEtSFQEuYoKyTKaz6MDdKgK/HBABAgAAEEAAYQCajIVAS1IVAS5igrJMprPowN0qAr8cEAECAAAQQABhAJqMhUBLUhUBLmKCskyms+jA3SoCvxwQAQIAABBAAGEAmoyFQEtSFQEuYoKyTKaz6MDdKgK/HBABAgAAEEAAYQCajIVAS1IVAS5igrJMprPowN0qAr8cEAECAAAQQABhAJqMhUBLUhUBLmKCskyms+jA3SoCvxwQAQIAABBAAGEAmoyFQEtSFQEuYoKyTKaz6MDdKgK/HBABAgAAEEAAYQCajIVAS1IVAS5igrJMprPowN0qAr8cEAECAAAQQABhAJqMhUBLUhUBLmKCskyms+jA3SoCvxwQAQIAABBAAGEAmoyFQEtSFQEuYoKyTKaz6MDdKgK/HBABAgAAEEAAYQCajIVAS1IVAS5igrJMprPowN0qAr8cEAECAAAQQABhAJqMhUBLUhUBLmKCskyms+jA3SoCvxwQAQIAABBAAGEAmoyFQEtSFQEuYoKyTKaz6MDdKgK/HBABAgAAEEAAYQCajIVAS1IVAS5igrJMprPowN0qAr8cEAECAAAQQABhAJqMhUBLUhUBLmKCskyms+jA3SoCvxwQAQIAABBAAGEAmoyFQEtSFQEuYoKyTKaz6MDdKgK/HBABAgAAEEAAYQCajIVAS1IVAS5igrJMprPowN0qAr8cEAECAAAQQABhAJqMhUBLUhUBLmKCskyms4qxPEQCEk8QAQMIABBAAOBmmgUpPUwSIg4KpShcUUUm1RRQGCREHSiik+YoKyTKaz43JlXAK/HBABAQAAEEAAYQCajIVAS1IVAS5igrJMprPjcmVcAr8cEAEBAAAQQABhAJqMhUBLUhUBLmKCskyms+NyZVwCvxwQAQEAABBAAGEAmoyFQEtSFQEuYoKyTKaz43JlXAK/HBABAQAAEEAAYQCajIVAS1IVAS5igrJMprPjcmVcAr8cEAEBAAAQQABhAJqMhUBLUhUBLmKCskyms+NyZVwCvxwQAQEAABBAAGEAmoyFQEtSFQEuYoKyTKaz43JlXAK/HBABAQAAEEAAYQCajIVAS1IVAS5igrJMprPjcmVcAr8cEAEBAAAQQABhAJqMhUBLUhUBLmKCskyms+NyZVwCvxwQAQEAABBAAGEAmoyFQEtSFQEuYoKyTKaz43JlXAK/HBABAQAAEEAAYQCajIVAS1IVAS5igrJMprPjcmVcAr8cEAEBAAAQQABhAJqMhUBLUhUBLmKCskyms+NyZVwCvxwQAQEAABBAAGEAmoyFQEtSFQEuYoKyTKaz43JlXAK/HBABAQAAEEAAYQCajIVAS1IVAS5igrJMprPjcmVcAr8cEAEBAAAQQABhAJqMhUBLUhUBLmKCskyms+NyZVwCvxwQAQEAABBAAGEAmoyFQEtSFQEuYoKyTKaz43JlXAK/HBABAQAAEEAAYQCajIVAS1IVAS5igrJMprPjcmVcAr8cEAEBAAAQQABhAJqMhUBLUhUBLmKCskyms+NyZVwCvxwQAQEAABBAAGEAmoyFQEtSFQEuYoKyTKaz43JlXAK/HBABAQAAEEAAYQCajIVAS1IVAS5igrJMprPjcmVcAr8cEAEBAAAQQABhAJqMhUBLUhUBLmKCskyms+NyZVwCvxwQAQEAABBAAGEAmoyFQEtSFQEuYoKyTKaz43JlXAK/HBABAQAAEEAAYQCajIVAS1IVAS5igrJMprPjcmVcAr8cEAEBAAAQQABhAJqMhUBLUhUBLmKCskymswVrRDAAZ9gQAQEIABBAAGGYE1TTVECm1KIFPF3JFOFCQLW69vQ"))));
15+
?>
16+
--EXPECT--
17+
string(40) "d4b5e52ed34a774fa645f94369b0c61375436d30"

0 commit comments

Comments
 (0)