lbarnaud Thu Jul 24 14:38:38 2008 UTC
Added files: (Branch: PHP_5_3)
/php-src/ext/zlib/tests gzinflate-bug42663.phpt
gzinflate_length.phpt
Modified files:
/php-src NEWS
/php-src/ext/zlib zlib.c
Log:
Fixed #42663 (gzinflate() try to allocate all memory with truncated data),
not present in HEAD.
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.965.2.218&r2=1.2027.2.547.2.965.2.219&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.965.2.218
php-src/NEWS:1.2027.2.547.2.965.2.219
--- php-src/NEWS:1.2027.2.547.2.965.2.218 Thu Jul 24 13:46:28 2008
+++ php-src/NEWS Thu Jul 24 14:38:37 2008
@@ -283,6 +283,8 @@
- Fixed bug #42737 (preg_split('//u') triggers a E_NOTICE with newlines).
(Nuno)
- Fixed bug #42736 (xmlrpc_server_call_method() crashes). (Tony)
+- Fixed bug #42663 (gzinflate() try to allocate all memory with truncated
+ data). (Arnaud)
- Fixed bug #42657 (ini_get() returns incorrect value when default is NULL).
(Jani, Scott)
- Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran)
http://cvs.php.net/viewvc.cgi/php-src/ext/zlib/zlib.c?r1=1.183.2.6.2.5.2.3&r2=1.183.2.6.2.5.2.4&diff_format=u
Index: php-src/ext/zlib/zlib.c
diff -u php-src/ext/zlib/zlib.c:1.183.2.6.2.5.2.3
php-src/ext/zlib/zlib.c:1.183.2.6.2.5.2.4
--- php-src/ext/zlib/zlib.c:1.183.2.6.2.5.2.3 Thu Jul 3 01:55:48 2008
+++ php-src/ext/zlib/zlib.c Thu Jul 24 14:38:37 2008
@@ -19,7 +19,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: zlib.c,v 1.183.2.6.2.5.2.3 2008/07/03 01:55:48 felipe Exp $ */
+/* $Id: zlib.c,v 1.183.2.6.2.5.2.4 2008/07/24 14:38:37 lbarnaud Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -620,6 +620,20 @@
}
plength = limit;
+ stream.zalloc = (alloc_func) Z_NULL;
+ stream.zfree = (free_func) Z_NULL;
+ stream.opaque = Z_NULL;
+ stream.avail_in = data_len + 1; /* there is room for \0 */
+ stream.next_in = (Bytef *) data;
+ stream.total_out = 0;
+
+ /* init with -MAX_WBITS disables the zlib internal headers */
+ status = inflateInit2(&stream, -MAX_WBITS);
+ if (status != Z_OK) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s",
zError(status));
+ RETURN_FALSE;
+ }
+
/*
stream.avail_out wants to know the output data length
if none was given as a parameter
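Review bot: `stream.avail_in = data_len + 1;` counts the string's terminating NUL as compressed input and drops the `(uInt)` cast the removed code had, but the only explanation is "there is room for \0". Now that the loop condition in the next hunk tests `stream.avail_in` to decide whether to keep growing the buffer, that extra byte takes part in the decision, so the reason for feeding it should be written down. I would replace the trailing comment with something like `/* feed the terminating NUL as one extra input byte: <reason>; relies on data being NUL-terminated */` and restore the explicit cast, `stream.avail_in = (uInt) data_len + 1;`. The declaration of `data_len` is outside the hunk, so its type and the overflow behaviour at its maximum value should be confirmed there.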
@@ -627,43 +641,32 @@
doubling it whenever it wasn't big enough
that should be enaugh for all real life cases
*/
-
- stream.zalloc = (alloc_func) Z_NULL;
- stream.zfree = (free_func) Z_NULL;
-
do {
length = plength ? plength : (unsigned long)data_len * (1 <<
factor++);
s2 = (char *) erealloc(s1, length);
- if (!s2 && s1) {
- efree(s1);
+ if (!s2) {
+ if (s1) {
+ efree(s1);
+ }
+ inflateEnd(&stream);
RETURN_FALSE;
}
+ s1 = s2;
- stream.next_in = (Bytef *) data;
- stream.avail_in = (uInt) data_len + 1; /* there is room for \0
*/
+ stream.next_out = (Bytef *) &s2[stream.total_out];
+ stream.avail_out = length - stream.total_out;
+ status = inflate(&stream, Z_NO_FLUSH);
- stream.next_out = s2;
- stream.avail_out = (uInt) length;
+ } while ((Z_BUF_ERROR == status || (Z_OK == status && stream.avail_in))
&& !plength && factor < maxfactor);
- /* init with -MAX_WBITS disables the zlib internal headers */
- status = inflateInit2(&stream, -MAX_WBITS);
- if (status == Z_OK) {
- status = inflate(&stream, Z_FINISH);
- if (status != Z_STREAM_END) {
- inflateEnd(&stream);
- if (status == Z_OK) {
- status = Z_BUF_ERROR;
- }
- } else {
- status = inflateEnd(&stream);
- }
- }
- s1 = s2;
-
- } while ((status == Z_BUF_ERROR) && (!plength) && (factor < maxfactor));
+ inflateEnd(&stream);
- if (status == Z_OK) {
+ if ((plength && Z_OK == status) || factor >= maxfactor) {
+ status = Z_MEM_ERROR;
+ }
+
+ if (Z_STREAM_END == status || Z_OK == status) {
s2 = erealloc(s2, stream.total_out + 1); /* room for \0 */
s2[ stream.total_out ] = '\0';
RETURN_STRINGL(s2, stream.total_out, 0);
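Review bot: The post-loop test `factor >= maxfactor` overwrites `status` with `Z_MEM_ERROR` even when the last `inflate()` call returned `Z_STREAM_END`, because `factor++` has already run by the time the final permitted buffer size is tried; a stream that completes exactly on that last growth step would be reported as a failure and its output discarded. Limiting the override to the unfinished case avoids this, e.g. `if ((plength && Z_OK == status) || (Z_STREAM_END != status && factor >= maxfactor)) {`. Separately, the success branch accepts `Z_OK`, which the loop appears able to exit with once all input is consumed and no end-of-stream marker was seen, so truncated input may come back as an ordinary string; code that inflates untrusted data cannot tell partial from complete output unless that case is rejected or documented. The initial values of `factor` and `maxfactor` and the failure branch lie outside the hunk, so both points should be checked against the full function.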
http://cvs.php.net/viewvc.cgi/php-src/ext/zlib/tests/gzinflate-bug42663.phpt?view=markup&rev=1.1
Index: php-src/ext/zlib/tests/gzinflate-bug42663.phpt
+++ php-src/ext/zlib/tests/gzinflate-bug42663.phpt
http://cvs.php.net/viewvc.cgi/php-src/ext/zlib/tests/gzinflate_length.phpt?view=markup&rev=1.1
Index: php-src/ext/zlib/tests/gzinflate_length.phpt
+++ php-src/ext/zlib/tests/gzinflate_length.phpt