Skip to content

Fix GH-20620: bzcompress() overflow on large source size. #20621

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: PHP-8.3
Choose a base branch
from
Open

Fix GH-20620: bzcompress() overflow on large source size. #20621

wants to merge 2 commits into from
+26 −1

Conversation

@devnexen
Copy link
Member

@devnexen devnexen commented Nov 29, 2025

No description provided.

@devnexen devnexen linked an issue Nov 29, 2025 that may be closed by this pull request
undefined behavior in bzcompress #20620
Open
@devnexen devnexen marked this pull request as ready for review November 30, 2025 08:40
@devnexen devnexen requested a review from ndossche December 4, 2025 06:08
ndossche
ndossche requested changes Dec 4, 2025
View reviewed changes
ext/bz2/tests/gh20620.phpt
--EXTENSIONS--
bz2
--SKIPIF--
<?php if (PHP_INT_SIZE != 8) die('skip this test is for 64bit platforms only'); ?>
Copy link
Member

@ndossche ndossche Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should also add the "slow test" environment variable skipif in my opinion, so that CI won't blow up.

ext/bz2/bz2.c
Comment on lines +458 to +460
double chunk_len = (double)source_len * 1.01 + 600.0;

if (source_len > UINT_MAX || chunk_len > UINT_MAX) {
Copy link
Member

@ndossche ndossche Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's better to do this with unsigned integer math (untested, but should be something like this)

The first check (chunk_len < source_len) checks whether we got an overflow.
The second check is necessary to not go beyond either the 32-bit limit or the string length limit.

Suggested change
double chunk_len = (double)source_len * 1.01 + 600.0;
if (source_len > UINT_MAX || chunk_len > UINT_MAX) {
size_t chunk_len = source_len + source_len / 100 + 600;
if (chunk_len < source_len || chunk_len > MIN(UINT_MAX, ZSTR_MAX_LEN)) {

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ndossche ndossche ndossche requested changes

Assignees

No one assigned

Labels

Extension: bz2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

undefined behavior in bzcompress

2 participants

@devnexen @ndossche