1 files changed, 45 insertions, 0 deletions

diff --git a/bug72837.patch b/bug72837.patch
new file mode 100644
index 0000000..2dfe6f4
--- /dev/null
+++ b/bug72837.patch
@@ -0,0 +1,45 @@
+Backported from 5.6.25 by Remi.
+
+From 69236ea9793b76b778c6cd64748cfee817521118 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 15 Aug 2016 23:17:26 -0700
+Subject: [PATCH] Fix bug #72837 - integer overflow in bzdecompress caused heap
+ corruption
+
+---
+ ext/bz2/bz2.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c
+index 54b59f7..79ec3ec 100644
+--- a/ext/bz2/bz2.c
++++ b/ext/bz2/bz2.c
+@@ -573,15 +573,25 @@ static PHP_FUNCTION(bzdecompress)
+ 		/* compression is better then 2:1, need to allocate more memory */
+ 		bzs.avail_out = source_len;
+ 		size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
++		if (size > INT_MAX) {
++			/* no reason to continue if we're going to drop it anyway */
++			break;
++		}
+ 		dest = safe_erealloc(dest, 1, bzs.avail_out+1, (size_t) size );
+ 		bzs.next_out = dest + size;
+ 	}
+ 
+ 	if (error == BZ_STREAM_END || error == BZ_OK) {
+ 		size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
+-		dest = safe_erealloc(dest, 1, (size_t) size, 1);
+-		dest[size] = '\0';
+-		RETVAL_STRINGL(dest, (int) size, 0);
++		if (size > INT_MAX) {
++			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Decompressed size too big, max is %d", INT_MAX);
++			efree(dest);
++			RETVAL_LONG(BZ_MEM_ERROR);
++		} else {
++			dest = safe_erealloc(dest, 1, (size_t) size, 1);
++			dest[size] = '\0';
++			RETVAL_STRINGL(dest, (int) size, 0);
++		}
+ 	} else { /* real error */
+ 		efree(dest);
+ 		RETVAL_LONG(error);