From: Antony Dovgal <tony2001@php.net>
Date: Thu, 25 Jan 2007 12:22:21 +0000 (+0000)
Subject: MFH: fix #40189 (possible endless loop in zlib.inflate stream filter)
X-Git-Tag: RELEASE_1_2_3~4
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0bc0e57b855c7b8c3919fd2cb944b13ea0565d48;p=php

MFH: fix #40189 (possible endless loop in zlib.inflate stream filter)
---

diff --git a/NEWS b/NEWS
index 00090af3b8..9b2a9eead5 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ PHP                                                                        NEWS
   thread safe version). (Dmitry)
 - Fixed bug #40191 (use of array_unique() with objects triggers segfault).
   (Tony)
+- Fixed bug #40189 (possible endless loop in zlib.inflate stream filter).
+  (Greg, Tony)
 - Fixed bug #40169 (CURLOPT_TCP_NODELAY only available in curl >= 7.11.2). 
   (Tony)
 - Fixed bug #40092 (chroot() doesn't clear realpath cache). (Dmitry)
diff --git a/ext/bz2/bz2_filter.c b/ext/bz2/bz2_filter.c
index 9cdd5f019f..e29346e567 100644
--- a/ext/bz2/bz2_filter.c
+++ b/ext/bz2/bz2_filter.c
@@ -101,6 +101,11 @@ static php_stream_filter_status_t php_bz2_decompress_filter(
 			consumed += desired;
 			bin += desired;
 
+			if (!desired) {
+				flags |= PSFS_FLAG_FLUSH_CLOSE;
+				break;
+			}
+
 			if (data->strm.avail_out < data->outbuf_len) {
 				php_stream_bucket *out_bucket;
 				size_t bucketlen = data->outbuf_len - data->strm.avail_out;
diff --git a/ext/zlib/zlib_filter.c b/ext/zlib/zlib_filter.c
index 240da21646..1fa090f86c 100644
--- a/ext/zlib/zlib_filter.c
+++ b/ext/zlib/zlib_filter.c
@@ -100,6 +100,11 @@ static php_stream_filter_status_t php_zlib_inflate_filter(
 			consumed += desired;
 			bin += desired;
 
+			if (!desired) {
+				flags |= PSFS_FLAG_FLUSH_CLOSE;
+				break;
+			}
+
 			if (data->strm.avail_out < data->outbuf_len) {
 				php_stream_bucket *out_bucket;
 				size_t bucketlen = data->outbuf_len - data->strm.avail_out;
@@ -208,6 +213,11 @@ static php_stream_filter_status_t php_zlib_deflate_filter(
 			consumed += desired;
 			bin += desired;
 
+			if (!desired) {
+				flags |= PSFS_FLAG_FLUSH_CLOSE;
+				break;
+			}
+
 			if (data->strm.avail_out < data->outbuf_len) {
 				php_stream_bucket *out_bucket;
 				size_t bucketlen = data->outbuf_len - data->strm.avail_out;