archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.3' into PHP-8.4

Browse source 
* PHP-8.3:
  Fix zlib support for large files
  Fix memory leak on overflow in _php_stream_scandir()
This commit is contained in:
Niels Dossche 2025-02-14 23:10:40 +01:00
commit 8f8d4be5eb
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
3 changed files with 55 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

2
NEWS
View file

@ -55,6 +55,7 @@ PHP NEWS
- Streams: - Streams:
. Fixed bug GH-17650 (realloc with size 0 in user_filters.c). (nielsdos) . Fixed bug GH-17650 (realloc with size 0 in user_filters.c). (nielsdos)
. Fix memory leak on overflow in _php_stream_scandir(). (nielsdos)
- Windows: - Windows:
. Fixed phpize for Windows 11 (24H2). (bwoebi) . Fixed phpize for Windows 11 (24H2). (bwoebi)
@ -63,6 +64,7 @@ PHP NEWS
. Fixed bug GH-17745 (zlib extension incorrectly handles object arguments). . Fixed bug GH-17745 (zlib extension incorrectly handles object arguments).
(nielsdos) (nielsdos)
. Fix memory leak when encoding check fails. (nielsdos) . Fix memory leak when encoding check fails. (nielsdos)
. Fix zlib support for large files. (nielsdos)
30 Jan 2025, PHP 8.4.4 30 Jan 2025, PHP 8.4.4

41
ext/zlib/zlib_fopen_wrapper.c
View file

@ -33,24 +33,55 @@ struct php_gz_stream_data_t {
static ssize_t php_gziop_read(php_stream *stream, char *buf, size_t count) static ssize_t php_gziop_read(php_stream *stream, char *buf, size_t count)
{ {
struct php_gz_stream_data_t *self = (struct php_gz_stream_data_t *) stream->abstract; struct php_gz_stream_data_t *self = (struct php_gz_stream_data_t *) stream->abstract;
int read; ssize_t total_read = 0;
/* XXX this needs to be looped for the case count > UINT_MAX */ /* Despite the count argument of gzread() being "unsigned int",
read = gzread(self->gz_file, buf, count); * the return value is "int". Error returns are values < 0, otherwise the count is returned.
* To properly distinguish error values from success value, we therefore need to cap at INT_MAX.
*/
do {
unsigned int chunk_size = MIN(count, INT_MAX);
int read = gzread(self->gz_file, buf, chunk_size);
count -= chunk_size;
if (gzeof(self->gz_file)) { if (gzeof(self->gz_file)) {
stream->eof = 1; stream->eof = 1;
} }
if (UNEXPECTED(read < 0)) {
return read; return read;
}
total_read += read;
buf += read;
} while (count > 0 && !stream->eof);
return total_read;
} }
static ssize_t php_gziop_write(php_stream *stream, const char *buf, size_t count) static ssize_t php_gziop_write(php_stream *stream, const char *buf, size_t count)
{ {
struct php_gz_stream_data_t *self = (struct php_gz_stream_data_t *) stream->abstract; struct php_gz_stream_data_t *self = (struct php_gz_stream_data_t *) stream->abstract;
ssize_t total_written = 0;
/* XXX this needs to be looped for the case count > UINT_MAX */ /* Despite the count argument of gzread() being "unsigned int",
return gzwrite(self->gz_file, (char *) buf, count); * the return value is "int". Error returns are values < 0, otherwise the count is returned.
* To properly distinguish error values from success value, we therefore need to cap at INT_MAX.
*/
do {
unsigned int chunk_size = MIN(count, INT_MAX);
int written = gzwrite(self->gz_file, buf, chunk_size);
count -= chunk_size;
if (UNEXPECTED(written < 0)) {
return written;
}
total_written += written;
buf += written;
} while (count > 0);
return total_written;
} }
static int php_gziop_seek(php_stream *stream, zend_off_t offset, int whence, zend_off_t *newoffs) static int php_gziop_seek(php_stream *stream, zend_off_t offset, int whence, zend_off_t *newoffs)

24
main/streams/streams.c
View file

@ -2469,25 +2469,19 @@ PHPAPI int _php_stream_scandir(const char *dirname, zend_string **namelist[], in
vector_size = 10; vector_size = 10;
} else { } else {
if(vector_size*2 < vector_size) { if(vector_size*2 < vector_size) {
/* overflow */ goto overflow;
php_stream_closedir(stream);
efree(vector);
return -1;
} }
vector_size *= 2; vector_size *= 2;
} }
vector = (zend_string **) safe_erealloc(vector, vector_size, sizeof(char *), 0); vector = (zend_string **) safe_erealloc(vector, vector_size, sizeof(zend_string *), 0);
} }
vector[nfiles] = zend_string_init(sdp.d_name, strlen(sdp.d_name), 0); vector[nfiles] = zend_string_init(sdp.d_name, strlen(sdp.d_name), 0);
nfiles++; if(vector_size < 10 || nfiles + 1 == 0) {
if(vector_size < 10 || nfiles == 0) { goto overflow;
/* overflow */
php_stream_closedir(stream);
efree(vector);
return -1;
} }
nfiles++;
} }
php_stream_closedir(stream); php_stream_closedir(stream);
@ -2497,5 +2491,13 @@ PHPAPI int _php_stream_scandir(const char *dirname, zend_string **namelist[], in
qsort(*namelist, nfiles, sizeof(zend_string *), (int(*)(const void *, const void *))compare); qsort(*namelist, nfiles, sizeof(zend_string *), (int(*)(const void *, const void *))compare);
} }
return nfiles; return nfiles;
overflow:
php_stream_closedir(stream);
for (unsigned int i = 0; i < nfiles; i++) {
zend_string_efree(vector[i]);
}
efree(vector);
return -1;
} }
/* }}} */ /* }}} */