MFH: fix #40189 (possible endless loop in zlib.inflate stream filter)

diff --git a/NEWS b/NEWS
index 00090af3b8f1ffc07b1df83899090fabcdb12cee..9b2a9eead581cceb920419c6fc32d428c1e8ff41 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ PHP                                                                        NEWS
   thread safe version). (Dmitry)
 - Fixed bug #40191 (use of array_unique() with objects triggers segfault).
   (Tony)
+- Fixed bug #40189 (possible endless loop in zlib.inflate stream filter).
+  (Greg, Tony)
 - Fixed bug #40169 (CURLOPT_TCP_NODELAY only available in curl >= 7.11.2). 
   (Tony)
 - Fixed bug #40092 (chroot() doesn't clear realpath cache). (Dmitry)

diff --git a/ext/bz2/bz2_filter.c b/ext/bz2/bz2_filter.c
index 9cdd5f019fdcfe9c080f0e8502c89d9bc3c60376..e29346e567648256decb28b64db53192ac9b8ce1 100644 (file)
--- a/ext/bz2/bz2_filter.c
+++ b/ext/bz2/bz2_filter.c
@@ -101,6 +101,11 @@ static php_stream_filter_status_t php_bz2_decompress_filter(
                        consumed += desired;
                        bin += desired;
 
+                       if (!desired) {
+                               flags |= PSFS_FLAG_FLUSH_CLOSE;
+                               break;
+                       }
+
                        if (data->strm.avail_out < data->outbuf_len) {
                                php_stream_bucket *out_bucket;
                                size_t bucketlen = data->outbuf_len - data->strm.avail_out;

diff --git a/ext/zlib/zlib_filter.c b/ext/zlib/zlib_filter.c
index 240da216463d7021905415df0c25a626a5538a33..1fa090f86c54eea35661c26dde26772b030d4206 100644 (file)
--- a/ext/zlib/zlib_filter.c
+++ b/ext/zlib/zlib_filter.c
@@ -100,6 +100,11 @@ static php_stream_filter_status_t php_zlib_inflate_filter(
                        consumed += desired;
                        bin += desired;
 
+                       if (!desired) {
+                               flags |= PSFS_FLAG_FLUSH_CLOSE;
+                               break;
+                       }
+
                        if (data->strm.avail_out < data->outbuf_len) {
                                php_stream_bucket *out_bucket;
                                size_t bucketlen = data->outbuf_len - data->strm.avail_out;
@@ -208,6 +213,11 @@ static php_stream_filter_status_t php_zlib_deflate_filter(
                        consumed += desired;
                        bin += desired;
 
+                       if (!desired) {
+                               flags |= PSFS_FLAG_FLUSH_CLOSE;
+                               break;
+                       }
+
                        if (data->strm.avail_out < data->outbuf_len) {
                                php_stream_bucket *out_bucket;
                                size_t bucketlen = data->outbuf_len - data->strm.avail_out;