From 37e3c9ecc8495a01333f4d00049acce909bd9616 Mon Sep 17 00:00:00 2001
From: Marc Bennewitz
Date: Tue, 8 Jul 2025 14:06:32 +0200
Subject: [PATCH 1/2] Better size check in bzdecompress

---
 ext/bz2/bz2.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c
index 9ed5342a7df8f..c412a241e0aca 100644
--- a/ext/bz2/bz2.c
+++ b/ext/bz2/bz2.c
@@ -493,11 +493,7 @@ PHP_FUNCTION(bzdecompress)
 size_t source_len;
 int error;
 bool small = 0;
-#ifdef PHP_WIN32
- unsigned __int64 size = 0;
-#else
 unsigned long long size = 0;
-#endif
 bz_stream bzs;
 
 if (FAILURE == zend_parse_parameters(ZEND_NUM_ARGS(), "s|b", &source, &source_len, &small)) {
@@ -524,7 +520,7 @@ PHP_FUNCTION(bzdecompress)
 /* compression is better then 2:1, need to allocate more memory */
 bzs.avail_out = source_len;
 size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
-#ifndef ZEND_ENABLE_ZVAL_LONG64
+#if SIZEOF_LONG_LONG > SIZEOF_SIZE_T
 if (size > SIZE_MAX) {
 /* no reason to continue if we're going to drop it anyway */
 break;
@@ -536,9 +532,9 @@ PHP_FUNCTION(bzdecompress)
 
 if (error == BZ_STREAM_END || error == BZ_OK) {
 size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
-#ifndef ZEND_ENABLE_ZVAL_LONG64
+#if SIZEOF_LONG_LONG > SIZEOF_SIZE_T
 if (UNEXPECTED(size > SIZE_MAX)) {
- php_error_docref(NULL, E_WARNING, "Decompressed size too big, max is %zd", SIZE_MAX);
+ php_error_docref(NULL, E_WARNING, "Decompressed size too big, max is %zu", SIZE_MAX);
 zend_string_efree(dest);
 RETVAL_LONG(BZ_MEM_ERROR);
 } else
From 2fde3382e956b7f05013a9563f47bda393cd8032 Mon Sep 17 00:00:00 2001
From: Marc Bennewitz
Date: Fri, 29 Aug 2025 11:10:44 +0200
Subject: [PATCH 2/2] Use uint64_t and removed preprocessor checks

---
 ext/bz2/bz2.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c
index c412a241e0aca..ffe19c9f15d32 100644
--- a/ext/bz2/bz2.c
+++ b/ext/bz2/bz2.c
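Review bot: The `size > SIZE_MAX` guard in the `-524,7 +520,7` hunk of PATCH 1/2 cannot fire as written, because the line above it, `size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;`, is evaluated in `unsigned int` before being widened (assuming both fields are `unsigned int`, as bzlib.h declares them), so the value wraps at 32 bits, and the multiplier is 2^32-1 rather than 2^32. For a stream that inflates past 4 GiB the computed size is therefore too small and the input is not rejected; the wrapped value would instead flow on into the reallocation that follows the check. The same expression feeds the check in the `-536,9 +532,9` hunk and both checks in PATCH 2/2. Combine the halves in 64 bits instead: `size = ((unsigned long long) bzs.total_out_hi32 << 32) | bzs.total_out_lo32;`. The loop and the function body start and end outside these hunks.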
@@ -493,7 +493,7 @@ PHP_FUNCTION(bzdecompress)
 size_t source_len;
 int error;
 bool small = 0;
- unsigned long long size = 0;
+ uint64_t size = 0;
 bz_stream bzs;
 
 if (FAILURE == zend_parse_parameters(ZEND_NUM_ARGS(), "s|b", &source, &source_len, &small)) {
@@ -520,26 +520,22 @@ PHP_FUNCTION(bzdecompress)
 /* compression is better then 2:1, need to allocate more memory */
 bzs.avail_out = source_len;
 size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
-#if SIZEOF_LONG_LONG > SIZEOF_SIZE_T
- if (size > SIZE_MAX) {
+ if (UNEXPECTED(size > SIZE_MAX)) {
 /* no reason to continue if we're going to drop it anyway */
 break;
 }
-#endif
+
 dest = zend_string_safe_realloc(dest, 1, bzs.avail_out+1, (size_t) size, 0);
 bzs.next_out = ZSTR_VAL(dest) + size;
 }
 
 if (error == BZ_STREAM_END || error == BZ_OK) {
 size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
-#if SIZEOF_LONG_LONG > SIZEOF_SIZE_T
 if (UNEXPECTED(size > SIZE_MAX)) {
 php_error_docref(NULL, E_WARNING, "Decompressed size too big, max is %zu", SIZE_MAX);
 zend_string_efree(dest);
 RETVAL_LONG(BZ_MEM_ERROR);
- } else
-#endif
- {
+ } else {
 dest = zend_string_safe_realloc(dest, 1, (size_t)size, 1, 0);
 ZSTR_LEN(dest) = (size_t)size;
 ZSTR_VAL(dest)[(size_t)size] = '\0';
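Review bot: In the `-520,26 +520,22` hunk the two `size > SIZE_MAX` tests are now compiled unconditionally, yet with `uint64_t size` they are false by type wherever `size_t` is 64 bits wide, which the removed `#if SIZEOF_LONG_LONG > SIZEOF_SIZE_T` used to make explicit. A reader, or a compiler run with range warnings enabled, will see a comparison that looks dead, so a short comment above the first test would keep the intent, for example `/* only reachable where size_t is narrower than 64 bits */`. The `(size_t) size` casts in the realloc and `ZSTR_LEN` lines depend on that test having passed, which is worth saying in the same comment. The function body starts and ends outside the hunk.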