From 4c88e07676787bd2d47bcf369a501a881c025a82 Mon Sep 17 00:00:00 2001 From: Alexandre Daubois Date: Thu, 4 Sep 2025 16:38:45 +0200 Subject: [PATCH] Fix GH-19685: Segfault when bzip2 filter has invalid parameters --- NEWS | 4 ++ ext/bz2/bz2_filter.c | 8 ++++ ext/bz2/tests/bug72447.phpt | 2 + ext/bz2/tests/bz2_filter_invalid_params.phpt | 46 ++++++++++++++++++++ 4 files changed, 60 insertions(+) create mode 100644 ext/bz2/tests/bz2_filter_invalid_params.phpt diff --git a/NEWS b/NEWS index b2b2dccd1cde2..ddfd5562ea145 100644 --- a/NEWS +++ b/NEWS @@ -12,6 +12,10 @@ PHP NEWS . Fixed bug GH-19613 (Stale array iterator pointer). (ilutov) . Fixed bug GH-19679 (zend_ssa_range_widening may fail to converge). (Arnaud) +- Bz2: + . Fixed bug GH-19685 (Segfault when bzip2 filter has invalid parameters). + (alexandre-daubois) + - Date: . Fixed date_sunrise() and date_sunset() with partial-hour UTC offset. (ilutov) diff --git a/ext/bz2/bz2_filter.c b/ext/bz2/bz2_filter.c index 9b3480b4a5ca9..be9732a4e8c72 100644 --- a/ext/bz2/bz2_filter.c +++ b/ext/bz2/bz2_filter.c @@ -367,6 +367,10 @@ static php_stream_filter *php_bz2_filter_create(const char *filtername, zval *fi zend_long blocks = zval_get_long(tmpzval); if (blocks < 1 || blocks > 9) { php_error_docref(NULL, E_WARNING, "Invalid parameter given for number of blocks to allocate (" ZEND_LONG_FMT ")", blocks); + pefree(data->strm.next_in, persistent); + pefree(data->strm.next_out, persistent); + pefree(data, persistent); + return NULL; } else { blockSize100k = (int) blocks; } @@ -377,6 +381,10 @@ static php_stream_filter *php_bz2_filter_create(const char *filtername, zval *fi zend_long work = zval_get_long(tmpzval); if (work < 0 || work > 250) { php_error_docref(NULL, E_WARNING, "Invalid parameter given for work factor (" ZEND_LONG_FMT ")", work); + pefree(data->strm.next_in, persistent); + pefree(data->strm.next_out, persistent); + pefree(data, persistent); + return NULL; } else { workFactor = (int) work; } 
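Review bot: The three-call teardown (`pefree(data->strm.next_in, persistent);`, `pefree(data->strm.next_out, persistent);`, `pefree(data, persistent);`) is now copied verbatim into both the `blocks` range check (@@ -367) and the `work` range check (@@ -377), so any error path added to php_bz2_filter_create later has to repeat all three frees by hand or it leaks. Replacing each copy with `goto cleanup;` and putting the frees plus `return NULL;` under one label at the end of the function keeps the two paths identical, and makes the `else` after the early return unnecessary. Freeing through `strm.next_in` and `strm.next_out` is only correct while they still hold the addresses the allocator returned; that appears to hold here because no libbz2 call seems to have run yet, but the allocations are outside the hunk, so this should be confirmed or the frees made through the owning buffer pointers. The function starts and ends outside both hunks.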
diff --git a/ext/bz2/tests/bug72447.phpt b/ext/bz2/tests/bug72447.phpt
index 11f3bd9136b54..0738d25b99eed 100644
--- a/ext/bz2/tests/bug72447.phpt
+++ b/ext/bz2/tests/bug72447.phpt
@@ -17,3 +17,5 @@ unlink('testfile');
 ?>
 --EXPECTF--
 Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate (0) in %s%ebug72447.php on line %d
+
+Warning: stream_filter_append(): Unable to create or locate filter "bzip2.compress" in %s%ebug72447.php on line %d
diff --git a/ext/bz2/tests/bz2_filter_invalid_params.phpt b/ext/bz2/tests/bz2_filter_invalid_params.phpt
new file mode 100644
index 0000000000000..9b30340d1ba88
--- /dev/null
+++ b/ext/bz2/tests/bz2_filter_invalid_params.phpt
@@ -0,0 +1,46 @@
+--TEST--
+GH-19685: bzip2.compress filter with invalid parameters should fail gracefully
+--EXTENSIONS--
+bz2
+--FILE--
+ 0));
+var_dump($filter);
+
+// too high
+$filter = stream_filter_append($stream, 'bzip2.compress', STREAM_FILTER_WRITE, array('blocks' => 10));
+var_dump($filter);
+
+// too low work
+$filter = stream_filter_append($stream, 'bzip2.compress', STREAM_FILTER_WRITE, array('work' => -1));
+var_dump($filter);
+
+// too high work
+$filter = stream_filter_append($stream, 'bzip2.compress', STREAM_FILTER_WRITE, array('work' => 251));
+var_dump($filter);
+
+fclose($stream);
+?>
+--EXPECTF--
+Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate (0) in %s on line %d
+
+Warning: stream_filter_append(): Unable to create or locate filter "bzip2.compress" in %s on line %d
+bool(false)
+
+Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate (10) in %s on line %d
+
+Warning: stream_filter_append(): Unable to create or locate filter "bzip2.compress" in %s on line %d
+bool(false)
+
+Warning: stream_filter_append(): Invalid parameter given for work factor (-1) in %s on line %d
+
+Warning: stream_filter_append(): Unable to create or locate filter "bzip2.compress" in %s on line %d
+bool(false)
+
+Warning: stream_filter_append(): Invalid parameter given for work factor (251) in %s on line %d
+
+Warning: stream_filter_append(): Unable to create or locate filter "bzip2.compress" in %s on line %d
+bool(false)