jani Wed, 09 Dec 2009 17:47:38 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=291925
Log: - Fixed BC problem in new zlib implementation: truncated (invalid) short data was not caught Changed paths: U php/php-src/trunk/ext/zlib/tests/006.phpt U php/php-src/trunk/ext/zlib/tests/gzinflate-bug42663.phpt U php/php-src/trunk/ext/zlib/zlib.c Modified: php/php-src/trunk/ext/zlib/tests/006.phpt =================================================================== --- php/php-src/trunk/ext/zlib/tests/006.phpt 2009-12-09 17:40:19 UTC (rev 291924) +++ php/php-src/trunk/ext/zlib/tests/006.phpt 2009-12-09 17:47:38 UTC (rev 291925) @@ -31,7 +31,6 @@ var_dump(gzinflate($data2)); $data2[4] = 0; var_dump(gzinflate((binary)$data2)); - echo "Done\n"; ?> --EXPECTF-- @@ -57,8 +56,12 @@ Warning: gzinflate(): length (-1) must be greater or equal zero in %s on line %d bool(false) -string(0) "" -string(0) "" + +Warning: gzinflate(): data error in %s on line %d +bool(false) + +Warning: gzinflate(): data error in %s on line %d +bool(false) string(94) "Answer me, it can't be so hard Cry to relieve what's in your heart Desolation, grief and agony" Modified: php/php-src/trunk/ext/zlib/tests/gzinflate-bug42663.phpt =================================================================== --- php/php-src/trunk/ext/zlib/tests/gzinflate-bug42663.phpt 2009-12-09 17:40:19 UTC (rev 291924) +++ php/php-src/trunk/ext/zlib/tests/gzinflate-bug42663.phpt 2009-12-09 17:47:38 UTC (rev 291925) @@ -15,9 +15,12 @@ $truncated = substr($deflated, 0, 65535); var_dump(strlen($truncated)); // inflate $truncated string (check if it will not eat all memory) -gzinflate($truncated); +var_dump(gzinflate($truncated)); ?> ---EXPECT-- +--EXPECTF-- int(168890) int(66743) int(65535) + +Warning: gzinflate(): data error in %s on line %d +bool(false) Modified: php/php-src/trunk/ext/zlib/zlib.c =================================================================== --- php/php-src/trunk/ext/zlib/zlib.c 2009-12-09 17:40:19 UTC (rev 291924) +++ php/php-src/trunk/ext/zlib/zlib.c 2009-12-09 17:47:38 UTC (rev 291925) @@ -344,15 +344,19 @@ } } while ((Z_BUF_ERROR == status || (Z_OK == status && Z->avail_in)) && ++round < 100); - if (status == Z_OK || status == Z_STREAM_END) { + if (status == Z_STREAM_END) { buffer.data = erealloc(buffer.data, buffer.used + 1); buffer.data[buffer.used] = '\0'; *buf = buffer.data; *len = buffer.used; - } else if (buffer.data) { - efree(buffer.data); + } else { + if (buffer.data) { + efree(buffer.data); + } + /* HACK: See zlib/examples/zpipe.c inf() function for explanation. */ + /* This works as long as this function is not used for streaming. Required to catch very short invalid data. */ + status = (status == Z_OK) ? Z_DATA_ERROR : status; } - return status; } /* }}} */ @@ -375,7 +379,6 @@ Z.avail_in = in_len; switch (status = php_zlib_inflate_rounds(&Z, max_len, out_buf, out_len)) { - case Z_OK: case Z_STREAM_END: inflateEnd(&Z); return SUCCESS;
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php