Commit 237932f37be for php.net

commit 237932f37beb6a101de81913152adddd444dec41
Author: arshidkv12 <arshidkv12@gmail.com>
Date:   Sat Jun 6 20:44:06 2026 +0530

    ext/bz2: Reject oversized input in bzdecompress()

    close GH-22242

diff --git a/NEWS b/NEWS
index 79536c0ce21..4fbc7e89eb1 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,9 @@ PHP                                                                        NEWS
 - BCMath:
   . Added NUL-byte validation to BCMath functions. (jorgsowa)

+- BZ2:
+  . Reject oversized input in bzdecompress(). (arshidkv12)
+
 - Date:
   . Update timelib to 2022.16. (Derick)

diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c
index c505005ab00..512632fe8a2 100644
--- a/ext/bz2/bz2.c
+++ b/ext/bz2/bz2.c
@@ -519,11 +519,15 @@ PHP_FUNCTION(bzdecompress)
 	bzs.bzalloc = NULL;
 	bzs.bzfree = NULL;

+	if (source_len > UINT_MAX) {
+		zend_argument_value_error(1, "must have a length less than or equal to %u", UINT_MAX);
+		RETURN_THROWS();
+	}
+
 	if (BZ2_bzDecompressInit(&bzs, 0, (int)small) != BZ_OK) {
 		RETURN_FALSE;
 	}

-	// TODO Check source string length fits in unsigned int
 	bzs.next_in = source;
 	bzs.avail_in = source_len;
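Review bot: The assignment `bzs.avail_in = source_len;` at the end of this hunk still narrows a size_t to unsigned int implicitly, and with the TODO removed nothing at that line says why the narrowing is now safe; I would write `bzs.avail_in = (unsigned int) source_len; /* bounded by the UINT_MAX check above */`. The new guard `source_len > UINT_MAX` is always false on builds where size_t and unsigned int have the same width, which some compilers report as a tautological comparison; if I recall correctly, zend_range_check.h provides `ZEND_SIZE_T_UINT_OVFL(source_len)` for this case, so it is worth confirming and using instead of the open-coded compare. Placing the check before BZ2_bzDecompressInit() is the right order, because the early return then has no stream state to release. The body of bzdecompress() continues outside the hunk, so the output-side size handling is not covered by this note.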

diff --git a/ext/bz2/tests/bzdecompress_input_too_large.phpt b/ext/bz2/tests/bzdecompress_input_too_large.phpt
new file mode 100644
index 00000000000..88c93d366c5
--- /dev/null
+++ b/ext/bz2/tests/bzdecompress_input_too_large.phpt
@@ -0,0 +1,24 @@
+--TEST--
+bzdecompress() rejects input larger than 4294967296
+--EXTENSIONS--
+bz2
+--INI--
+memory_limit=8G
+--SKIPIF--
+<?php
+if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
+if (getenv('SKIP_SLOW_TESTS')) die('skip slow test');
+if (PHP_INT_SIZE != 8) die('skip 64-bit only');
+?>
+--FILE--
+<?php
+
+try {
+    $data = str_repeat("A", 4294967296);
+    bzdecompress($data);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+bzdecompress(): Argument #1 ($data) must have a length less than or equal to 4294967295
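Review bot: The --TEST-- title says the function rejects input "larger than 4294967296", but the test passes a string of exactly 4294967296 bytes and the expected message puts the limit at 4294967295, so the title is off by one; `bzdecompress() rejects input larger than 4294967295 bytes` matches what is asserted. Only the smallest rejected length is exercised, which is reasonable given the 4 GiB allocation, but a one-line comment above the str_repeat() call such as `// UINT_MAX + 1: smallest length that must be rejected` would make the choice of constant explicit. The expected string also hard-codes a 32-bit unsigned int, which presumably holds on every platform the SKIPIF section admits.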