authorMatt Bonneau <matt@bonneau.net>2017-03-13 00:11:30 -0400
committerBob Weinand <bobwei9@hotmail.com>2017-03-15 00:08:32 +0100
commit7fba8bda4c9e89c522e5d27a38489125e36b9904 (patch)
treef1c6aa718d2d8239c7a667a4f4dd9d523ec065af /ext/zlib
parent8be63ce0e2046e67e403f5ccd5aa06ecdd94e25c (diff)
Fixed bug #74240 (deflate_add can allocate too much memory)
Diffstat (limited to 'ext/zlib')
-rw-r--r--ext/zlib/tests/bug74240.phpt30
-rw-r--r--ext/zlib/zlib.c6
2 files changed, 32 insertions, 4 deletions
diff --git a/ext/zlib/tests/bug74240.phpt b/ext/zlib/tests/bug74240.phpt
new file mode 100644
index 0000000000..f3d656ae9d
--- /dev/null
+++ b/ext/zlib/tests/bug74240.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #74240 (deflate_add can allocate too much memory)
+--SKIPIF--
+<?php
+if (!extension_loaded("zlib")) {
+ print "skip - ZLIB extension not loaded";
+}
+?>
+--FILE--
+<?php
+
+ini_set('memory_limit', '64M');
+
+$deflator = deflate_init(ZLIB_ENCODING_RAW);
+
+$bytes = str_repeat("*", 65536);
+
+// this crashes after about 500 iterations if PHP is
+// configured for 64M
+for ($i = 0; $i < 1000; $i++) {
+ $output = deflate_add(
+ $deflator,
+ $bytes,
+ ZLIB_SYNC_FLUSH
+ );
+}
+echo "Completed\n";
+?>
+--EXPECT--
+Completed
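Review bot: The test discards `$output` and only checks that the loop reaches `echo "Completed\n"`, so it guards against the memory blow-up but would not notice if the smaller buffer ever truncated the compressed stream. Round-tripping each chunk incrementally keeps the test under the 64M limit and covers that case: create `$inflator = inflate_init(ZLIB_ENCODING_RAW);` before the loop and add `if (strlen(inflate_add($inflator, $output, ZLIB_SYNC_FLUSH)) !== 65536) die("truncated at $i");` after the `deflate_add()` call. A second case that adds data without flushing and then flushes with a short input would exercise the path where output exceeds the per-call estimate.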
diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c
index 5c558ea6a6..80607b6600 100644
--- a/ext/zlib/zlib.c
+++ b/ext/zlib/zlib.c
@@ -1154,10 +1154,8 @@ PHP_FUNCTION(deflate_add)
RETURN_EMPTY_STRING();
}
- out_size = PHP_ZLIB_BUFFER_SIZE_GUESS(ctx->total_in + in_len);
- out_size = (ctx->total_out >= out_size) ? 16 : (out_size - ctx->total_out);
- out_size = (out_size < 16) ? 16 : out_size;
- out_size += 64;
+ out_size = PHP_ZLIB_BUFFER_SIZE_GUESS(in_len);
+ out_size = (out_size < 64) ? 64 : out_size;
out = zend_string_alloc(out_size, 0);
ctx->next_in = (Bytef *) in_buf;
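Review bot: Sizing `out_size` from `in_len` alone assumes each call emits output proportional to the bytes passed in that call, but a deflate stream can hold pending data from earlier calls that did not flush, so a later flushing call with a small `in_len` may need more than the 64-byte floor. The `deflate()` call and the handling of its result are outside this hunk, so I cannot tell whether `out` is grown when `avail_out` reaches 0; if it is not, the returned string could be silently short. I would confirm that the code after this point retries with a larger buffer, and document the assumption here, e.g. `/* estimate covers this call's input only; pending output from earlier calls may exceed it, so the caller loop must grow out while avail_out == 0 */`. The old formula was unbounded because it grew with `ctx->total_in`, so dropping it is right; the remaining question is only the lower bound.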