lbarnaud Thu Jul 24 14:38:38 2008 UTC Added files: (Branch: PHP_5_3) /php-src/ext/zlib/tests gzinflate-bug42663.phpt gzinflate_length.phpt
Modified files: /php-src NEWS /php-src/ext/zlib zlib.c Log: Fixed #42663 (gzinflate() try to allocate all memory with truncated data), not present in HEAD. http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.965.2.218&r2=1.2027.2.547.2.965.2.219&diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.2027.2.547.2.965.2.218 php-src/NEWS:1.2027.2.547.2.965.2.219 --- php-src/NEWS:1.2027.2.547.2.965.2.218 Thu Jul 24 13:46:28 2008 +++ php-src/NEWS Thu Jul 24 14:38:37 2008 @@ -283,6 +283,8 @@ - Fixed bug #42737 (preg_split('//u') triggers a E_NOTICE with newlines). (Nuno) - Fixed bug #42736 (xmlrpc_server_call_method() crashes). (Tony) +- Fixed bug #42663 (gzinflate() try to allocate all memory with truncated + data). (Arnaud) - Fixed bug #42657 (ini_get() returns incorrect value when default is NULL). (Jani, Scott) - Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) http://cvs.php.net/viewvc.cgi/php-src/ext/zlib/zlib.c?r1=1.183.2.6.2.5.2.3&r2=1.183.2.6.2.5.2.4&diff_format=u Index: php-src/ext/zlib/zlib.c diff -u php-src/ext/zlib/zlib.c:1.183.2.6.2.5.2.3 php-src/ext/zlib/zlib.c:1.183.2.6.2.5.2.4 --- php-src/ext/zlib/zlib.c:1.183.2.6.2.5.2.3 Thu Jul 3 01:55:48 2008 +++ php-src/ext/zlib/zlib.c Thu Jul 24 14:38:37 2008 @@ -19,7 +19,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: zlib.c,v 1.183.2.6.2.5.2.3 2008/07/03 01:55:48 felipe Exp $ */ +/* $Id: zlib.c,v 1.183.2.6.2.5.2.4 2008/07/24 14:38:37 lbarnaud Exp $ */ #ifdef HAVE_CONFIG_H #include "config.h" 
@@ -620,6 +620,20 @@ } plength = limit; + stream.zalloc = (alloc_func) Z_NULL; + stream.zfree = (free_func) Z_NULL; + stream.opaque = Z_NULL; + stream.avail_in = data_len + 1; /* there is room for \0 */ + stream.next_in = (Bytef *) data; + stream.total_out = 0; + + /* init with -MAX_WBITS disables the zlib internal headers */ + status = inflateInit2(&stream, -MAX_WBITS); + if (status != Z_OK) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", zError(status)); + RETURN_FALSE; + } + /* stream.avail_out wants to know the output data length if none was given as a parameter 
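Review bot: The comment on `stream.avail_in = data_len + 1;` says only that the extra byte is readable, not why it is handed to inflate or what guarantees it exists. This line now sets up the only input pass for the whole loop, so it is worth stating both, e.g. `/* raw inflate is given one dummy trailing byte; relies on data being NUL-terminated at data[data_len] */`. The previous code cast this value with `(uInt)`, while the new line converts from the (presumably signed) `data_len` implicitly; keeping the cast or noting the expected range would make the conversion deliberate. How `data` and `data_len` are obtained lies outside the hunk.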
@@ -627,43 +641,32 @@ doubling it whenever it wasn't big enough that should be enaugh for all real life cases */ - - stream.zalloc = (alloc_func) Z_NULL; - stream.zfree = (free_func) Z_NULL; - do { length = plength ? plength : (unsigned long)data_len * (1 << factor++); s2 = (char *) erealloc(s1, length); - if (!s2 && s1) { - efree(s1); + if (!s2) { + if (s1) { + efree(s1); + } + inflateEnd(&stream); RETURN_FALSE; } + s1 = s2; - stream.next_in = (Bytef *) data; - stream.avail_in = (uInt) data_len + 1; /* there is room for \0 */ + stream.next_out = (Bytef *) &s2[stream.total_out]; + stream.avail_out = length - stream.total_out; + status = inflate(&stream, Z_NO_FLUSH); - stream.next_out = s2; - stream.avail_out = (uInt) length; + } while ((Z_BUF_ERROR == status || (Z_OK == status && stream.avail_in)) && !plength && factor < maxfactor); - /* init with -MAX_WBITS disables the zlib internal headers */ - status = inflateInit2(&stream, -MAX_WBITS); - if (status == Z_OK) { - status = inflate(&stream, Z_FINISH); - if (status != Z_STREAM_END) { - inflateEnd(&stream); - if (status == Z_OK) { - status = Z_BUF_ERROR; - } - } else { - status = inflateEnd(&stream); - } - } - s1 = s2; - - } while ((status == Z_BUF_ERROR) && (!plength) && (factor < maxfactor)); + inflateEnd(&stream); - if (status == Z_OK) { + if ((plength && Z_OK == status) || factor >= maxfactor) { + status = Z_MEM_ERROR; + } + + if (Z_STREAM_END == status || Z_OK == status) { s2 = erealloc(s2, stream.total_out + 1); /* room for \0 */ s2[ stream.total_out ] = '\0'; RETURN_STRINGL(s2, stream.total_out, 0); http://cvs.php.net/viewvc.cgi/php-src/ext/zlib/tests/gzinflate-bug42663.phpt?view=markup&rev=1.1 Index: php-src/ext/zlib/tests/gzinflate-bug42663.phpt +++ php-src/ext/zlib/tests/gzinflate-bug42663.phpt http://cvs.php.net/viewvc.cgi/php-src/ext/zlib/tests/gzinflate_length.phpt?view=markup&rev=1.1 Index: php-src/ext/zlib/tests/gzinflate_length.phpt +++ php-src/ext/zlib/tests/gzinflate_length.phpt -- PHP CVS Mailing 
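Review bot: After the loop, `Z_OK == status` is still treated as success, so input that runs out before the end-of-stream marker (the loop exits on `Z_OK` with `stream.avail_in == 0`) appears to be returned as a normal string. A caller then cannot tell truncated data from a complete stream. Consider accepting only `Z_STREAM_END` in `if (Z_STREAM_END == status || Z_OK == status) {` and mapping the exhausted-input case to an error such as `Z_DATA_ERROR`, so it takes the error branch that follows the hunk. Separately, `factor >= maxfactor` overrides the status unconditionally, so a pass that returns `Z_STREAM_END` on the last allowed doubling would be reported as `Z_MEM_ERROR`; adding `Z_STREAM_END != status &&` to that test would keep a valid result. The function begins before this hunk and continues after it, so the initial values of `factor` and `maxfactor` are not visible here.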
List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php