php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #68955 Int overflow in ext/bz2/bz2.c
Submitted: 2015-01-30 03:14 UTC Modified: 2015-02-01 07:56 UTC
From: bugreports at internot dot info Assigned:
Status: Not a bug Package: Bzip2 Related
PHP Version: master-Git-2015-01-30 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bugreports at internot dot info
New email:
PHP Version: OS:

 

 [2015-01-30 03:14 UTC] bugreports at internot dot info 
Description:
------------
Hi,

In /ext/bz2/bz2.c:



597                size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;

and

603                size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;



bzs.total_out_hi32 should be cast to unsigned int, to avoid an int overflow.
(is that -1 even right? that'll be a huge number since it's unsigned)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-02-01 07:06 UTC] stas@php.net
-Summary: Int overflow +Summary: Int overflow in ext/bz2/bz2.c -Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2015-02-01 07:06 UTC] stas@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

total_out_hi32 already is unsigned int:

      unsigned int total_out_hi32;
 [2015-02-01 07:56 UTC] bugreports at internot dot info 
I mean unsigned long long, sorry.


unsigned long long size = 0;
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Jan 02 11:01:29 2025 UTC