php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #43589 infinite loop in bz2_filter.c
Submitted: 2007-12-13 19:32 UTC Modified: 2007-12-16 17:22 UTC
From: greg at chiaraquartet dot net Assigned:
Status: Closed Package: Streams related
PHP Version: 5.3CVS-2007-12-13 (CVS) OS: n/a
Private report: No CVE-ID: None
 [2007-12-13 19:32 UTC] greg at chiaraquartet dot net
Description:
------------
An endless loop is possible in the bz2 stream filter bzip2.decompress if status == BZ_OK and data->strm.avail_out < data->outbuf_len

Reproduce code:
---------------
Index: ext/bz2/bz2_filter.c
===================================================================
RCS file: /repository/php-src/ext/bz2/bz2_filter.c,v
retrieving revision 1.3.2.2.2.5
diff -u -r1.3.2.2.2.5 bz2_filter.c
--- ext/bz2/bz2_filter.c        9 Aug 2007 23:27:22 -0000       1.3.2.2.2.5
+++ ext/bz2/bz2_filter.c        13 Dec 2007 19:29:27 -0000
@@ -132,6 +132,8 @@
                                data->strm.avail_out = data->outbuf_len;
                                data->strm.next_out = data->outbuf;
                                exit_status = PSFS_PASS_ON;
+                       } else {
+                               break;
                        }
                }
        }



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-12-13 19:35 UTC] cellog@php.net
bad patch - missing if condition:

Index: ext/bz2/bz2_filter.c
===================================================================
RCS file: /repository/php-src/ext/bz2/bz2_filter.c,v
retrieving revision 1.3.2.2.2.5
diff -u -r1.3.2.2.2.5 bz2_filter.c
--- ext/bz2/bz2_filter.c        9 Aug 2007 23:27:22 -0000       1.3.2.2.2.5
+++ ext/bz2/bz2_filter.c        13 Dec 2007 19:34:48 -0000
@@ -132,6 +132,8 @@
                                data->strm.avail_out = data->outbuf_len;
                                data->strm.next_out = data->outbuf;
                                exit_status = PSFS_PASS_ON;
+                       } elseif (status == BZ_OK) {
+                               break;
                        }
                }
        }

 [2007-12-16 17:22 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC