Bug #43589 infinite loop in bz2_filter.c
Submitted: 2007-12-13 19:32 UTC
Modified: 2007-12-16 17:22 UTC
From: greg at chiaraquartet dot net
Assigned:
Status: Closed
Package: Streams related
PHP Version: 5.3CVS-2007-12-13 (CVS)
OS: n/a
Private report: No
CVE-ID: None
 [2007-12-13 19:32 UTC] greg at chiaraquartet dot net
Description:
------------
An endless loop is possible in the bz2 stream filter bzip2.decompress if status == BZ_OK and data->strm.avail_out < data->outbuf_len

Reproduce code:
---------------
Index: ext/bz2/bz2_filter.c
===================================================================
RCS file: /repository/php-src/ext/bz2/bz2_filter.c,v
retrieving revision 1.3.2.2.2.5
diff -u -r1.3.2.2.2.5 bz2_filter.c
--- ext/bz2/bz2_filter.c        9 Aug 2007 23:27:22 -0000       1.3.2.2.2.5
+++ ext/bz2/bz2_filter.c        13 Dec 2007 19:29:27 -0000
@@ -132,6 +132,8 @@
                                data->strm.avail_out = data->outbuf_len;
                                data->strm.next_out = data->outbuf;
                                exit_status = PSFS_PASS_ON;
+                       } else {
+                               break;
                        }
                }
        }
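
Review bot: The added `} else { break; }` at the end of this hunk leaves the loop on every path where the preceding condition is false, whatever value `status` holds, while the description above reports the endless loop only for `status == BZ_OK`. Guard the break with that condition, for example `} else if (status == BZ_OK) { break; }`, and add a one-line comment next to it stating why it is safe to stop iterating at that point, since the hunk's context does not show what is still pending when the loop is left.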



 [2007-12-13 19:35 UTC] cellog@php.net
bad patch - missing if condition:

Index: ext/bz2/bz2_filter.c
===================================================================
RCS file: /repository/php-src/ext/bz2/bz2_filter.c,v
retrieving revision 1.3.2.2.2.5
diff -u -r1.3.2.2.2.5 bz2_filter.c
--- ext/bz2/bz2_filter.c        9 Aug 2007 23:27:22 -0000       1.3.2.2.2.5
+++ ext/bz2/bz2_filter.c        13 Dec 2007 19:34:48 -0000
@@ -132,6 +132,8 @@
                                data->strm.avail_out = data->outbuf_len;
                                data->strm.next_out = data->outbuf;
                                exit_status = PSFS_PASS_ON;
+                       } elseif (status == BZ_OK) {
+                               break;
                        }
                }
        }
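
Review bot: `elseif` on the first added line is PHP syntax, not C, so `} elseif (status == BZ_OK) {` will not compile in ext/bz2/bz2_filter.c. Write it as `} else if (status == BZ_OK) {`. The condition itself matches the case named in the report; a short comment on the `break;` explaining that it prevents the loop from spinning when `status == BZ_OK` would help the next reader.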

 [2007-12-16 17:22 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 