From 1c6e924bad0dc0590a93a3e45d4d04a7c2d6beaf Mon Sep 17 00:00:00 2001 From: arshidkv12 Date: Sat, 6 Jun 2026 20:44:06 +0530 Subject: [PATCH 1/8] ext/bz2: Reject oversized input in bzdecompress() --- ext/bz2/bz2.c | 5 +++- .../tests/bzdecompress_input_too_large.phpt | 24 +++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 ext/bz2/tests/bzdecompress_input_too_large.phpt diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c index c505005ab00a..e9c796e7b025 100644 --- a/ext/bz2/bz2.c +++ b/ext/bz2/bz2.c @@ -523,7 +523,10 @@ PHP_FUNCTION(bzdecompress) RETURN_FALSE; } - // TODO Check source string length fits in unsigned int + if (source_len > UINT_MAX) { + zend_argument_value_error(1, "must not exceed %u bytes", UINT_MAX); + RETURN_THROWS(); + } bzs.next_in = source; bzs.avail_in = source_len; diff --git a/ext/bz2/tests/bzdecompress_input_too_large.phpt b/ext/bz2/tests/bzdecompress_input_too_large.phpt new file mode 100644 index 000000000000..6da760d1bed9 --- /dev/null +++ b/ext/bz2/tests/bzdecompress_input_too_large.phpt @@ -0,0 +1,24 @@ +--TEST-- +bzdecompress() rejects input larger than 4294967296 +--EXTENSIONS-- +bz2 +--INI-- +memory_limit=8G +--SKIPIF-- + +--FILE-- +getMessage(), "\n"; +} +?> +--EXPECTF-- +bzdecompress(): Argument #1 ($data) must not exceed %d bytes \ No newline at end of file From 1e686ec1870827c954f41da60e3f28e17d931138 Mon Sep 17 00:00:00 2001 From: arshidkv12 Date: Sat, 6 Jun 2026 21:30:29 +0530 Subject: [PATCH 2/8] ext/bz2: Reject oversized input in bzdecompress() --- ext/bz2/bz2.c | 9 +++++---- ext/bz2/tests/bzdecompress_input_too_large.phpt | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c index e9c796e7b025..396e28715d50 100644 --- a/ext/bz2/bz2.c +++ b/ext/bz2/bz2.c @@ -519,14 +519,15 @@ PHP_FUNCTION(bzdecompress) bzs.bzalloc = NULL; bzs.bzfree = NULL; - if (BZ2_bzDecompressInit(&bzs, 0, (int)small) != BZ_OK) { - RETURN_FALSE; - } - if (source_len > UINT_MAX) { zend_argument_value_error(1, "must not exceed %u bytes", UINT_MAX); RETURN_THROWS(); } + + if (BZ2_bzDecompressInit(&bzs, 0, (int)small) != BZ_OK) { + RETURN_FALSE; + } + bzs.next_in = source; bzs.avail_in = source_len; diff --git a/ext/bz2/tests/bzdecompress_input_too_large.phpt b/ext/bz2/tests/bzdecompress_input_too_large.phpt index 6da760d1bed9..c28a45677ad5 100644 --- a/ext/bz2/tests/bzdecompress_input_too_large.phpt +++ b/ext/bz2/tests/bzdecompress_input_too_large.phpt @@ -21,4 +21,4 @@ try { } ?> --EXPECTF-- -bzdecompress(): Argument #1 ($data) must not exceed %d bytes \ No newline at end of file +bzdecompress(): Argument #1 ($data) must not exceed %d bytes From ade9280ad339baaf7bf4a637c30b94152294d0dd Mon Sep 17 00:00:00 2001 From: arshidkv12 Date: Sun, 7 Jun 2026 11:52:16 +0530 Subject: [PATCH 3/8] ext/bz2: Reject oversized input in bzdecompress() --- ext/bz2/tests/bzdecompress_input_too_large.phpt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ext/bz2/tests/bzdecompress_input_too_large.phpt b/ext/bz2/tests/bzdecompress_input_too_large.phpt index c28a45677ad5..04f06d48f22f 100644 --- a/ext/bz2/tests/bzdecompress_input_too_large.phpt +++ b/ext/bz2/tests/bzdecompress_input_too_large.phpt @@ -6,9 +6,9 @@ bz2 memory_limit=8G --SKIPIF-- --FILE-- Date: Sun, 7 Jun 2026 12:07:20 +0530 Subject: [PATCH 4/8] ext/bz2: Reject oversized input in bzdecompress() --- ext/bz2/bz2.c | 4 ++-- ext/bz2/tests/bzdecompress_input_too_large.phpt | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c index 396e28715d50..8467ab0989ad 100644 --- a/ext/bz2/bz2.c +++ b/ext/bz2/bz2.c @@ -519,8 +519,8 @@ PHP_FUNCTION(bzdecompress) bzs.bzalloc = NULL; bzs.bzfree = NULL; - if (source_len > UINT_MAX) { - zend_argument_value_error(1, "must not exceed %u bytes", UINT_MAX); + if (source_len >= UINT_MAX) { + zend_argument_value_error(1, "must have a length less than or equal to %u", UINT_MAX); RETURN_THROWS(); } diff --git a/ext/bz2/tests/bzdecompress_input_too_large.phpt b/ext/bz2/tests/bzdecompress_input_too_large.phpt index 04f06d48f22f..d142a7c4a741 100644 --- a/ext/bz2/tests/bzdecompress_input_too_large.phpt +++ b/ext/bz2/tests/bzdecompress_input_too_large.phpt @@ -6,8 +6,8 @@ bz2 memory_limit=8G --SKIPIF-- --FILE-- @@ -21,4 +21,4 @@ try { } ?> --EXPECTF-- -bzdecompress(): Argument #1 ($data) must not exceed %d bytes +bzdecompress(): Argument #1 ($data) must have a length less than or equal to %d From e6b393aee404c9bc39796175308fba478acbda3c Mon Sep 17 00:00:00 2001 From: arshidkv12 Date: Sun, 7 Jun 2026 12:17:39 +0530 Subject: [PATCH 5/8] ext/bz2: Reject oversized input in bzdecompress() --- ext/bz2/tests/bzdecompress_input_too_large.phpt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/bz2/tests/bzdecompress_input_too_large.phpt b/ext/bz2/tests/bzdecompress_input_too_large.phpt index d142a7c4a741..15c9140062db 100644 --- a/ext/bz2/tests/bzdecompress_input_too_large.phpt +++ b/ext/bz2/tests/bzdecompress_input_too_large.phpt @@ -6,8 +6,8 @@ bz2 memory_limit=8G --SKIPIF-- --FILE-- From 8bacbce57c29e499f6ab942073581168a9b9d52e Mon Sep 17 00:00:00 2001 From: arshidkv12 Date: Sun, 7 Jun 2026 13:47:43 +0530 Subject: [PATCH 6/8] ext/bz2: Reject oversized input in bzdecompress() --- ext/bz2/bz2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c index 8467ab0989ad..512632fe8a22 100644 --- a/ext/bz2/bz2.c +++ b/ext/bz2/bz2.c @@ -519,7 +519,7 @@ PHP_FUNCTION(bzdecompress) bzs.bzalloc = NULL; bzs.bzfree = NULL; - if (source_len >= UINT_MAX) { + if (source_len > UINT_MAX) { zend_argument_value_error(1, "must have a length less than or equal to %u", UINT_MAX); RETURN_THROWS(); } From 13deb8b256797d3a251a1265db4d173a07d13f94 Mon Sep 17 00:00:00 2001 From: arshidkv12 Date: Sun, 7 Jun 2026 14:09:30 +0530 Subject: [PATCH 7/8] ext/bz2: test changed --- ext/bz2/tests/bzdecompress_input_too_large.phpt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/bz2/tests/bzdecompress_input_too_large.phpt b/ext/bz2/tests/bzdecompress_input_too_large.phpt index 15c9140062db..cddc723b556d 100644 --- a/ext/bz2/tests/bzdecompress_input_too_large.phpt +++ b/ext/bz2/tests/bzdecompress_input_too_large.phpt @@ -20,5 +20,5 @@ try { echo $e->getMessage(), "\n"; } ?> ---EXPECTF-- -bzdecompress(): Argument #1 ($data) must have a length less than or equal to %d +--EXPECT-- +bzdecompress(): Argument #1 ($data) must have a length less than or equal to 4294967295 From dc160274ee4b334d33864b022ba93951cd5c9cd2 Mon Sep 17 00:00:00 2001 From: arshidkv12 Date: Sun, 7 Jun 2026 14:33:35 +0530 Subject: [PATCH 8/8] ext/bz2: test changed --- ext/bz2/tests/bzdecompress_input_too_large.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/bz2/tests/bzdecompress_input_too_large.phpt b/ext/bz2/tests/bzdecompress_input_too_large.phpt index cddc723b556d..88c93d366c54 100644 --- a/ext/bz2/tests/bzdecompress_input_too_large.phpt +++ b/ext/bz2/tests/bzdecompress_input_too_large.phpt @@ -8,7 +8,7 @@ memory_limit=8G --FILE--