php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #68955 Int overflow in ext/bz2/bz2.c
Submitted: 2015-01-30 03:14 UTC Modified: 2015-02-01 07:56 UTC
From: bugreports at internot dot info Assigned:
Status: Not a bug Package: Bzip2 Related
PHP Version: master-Git-2015-01-30 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bugreports at internot dot info
New email:
PHP Version: OS:

 

 [2015-01-30 03:14 UTC] bugreports at internot dot info 
Description:
------------
Hi,

In /ext/bz2/bz2.c:



597                size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;

and

603                size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;



bzs.total_out_hi32 should be cast to unsigned int, to avoid an int overflow.
(is that -1 even right? that'll be a huge number since it's unsigned)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-02-01 07:06 UTC] stas@php.net
-Summary: Int overflow +Summary: Int overflow in ext/bz2/bz2.c -Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2015-02-01 07:06 UTC] stas@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

total_out_hi32 already is unsigned int:

      unsigned int total_out_hi32;
 [2015-02-01 07:56 UTC] bugreports at internot dot info 
I mean unsigned long long, sorry.


unsigned long long size = 0;
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 23 10:01:29 2024 UTC