From 82bef7d4c9003d68c5b73c7234d6ff38f78b2977 Mon Sep 17 00:00:00 2001
From: Alexandre Daubois <alex.daubois@gmail.com>
Date: Thu, 4 Sep 2025 16:38:45 +0200
Subject: [PATCH] Fix GH-19685: Segfault when bzip2 filter has invalid
 parameters

---
 NEWS                                         |  4 ++
 UPGRADING                                    |  5 +++
 ext/bz2/bz2_filter.c                         |  8 ++++
 ext/bz2/tests/bug72447.phpt                  |  2 +
 ext/bz2/tests/bz2_filter_invalid_params.phpt | 46 ++++++++++++++++++++
 5 files changed, 65 insertions(+)
 create mode 100644 ext/bz2/tests/bz2_filter_invalid_params.phpt

diff --git a/NEWS b/NEWS
index d688ef5aad399..9d0f4da7af23d 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,10 @@ PHP                                                                        NEWS
 - BCMath:
   . Added NUL-byte validation to BCMath functions. (jorgsowa)
 
+- Bz2:
+  . Fixed bug GH-19685 (Segfault when bzip2 filter has invalid parameters).
+    (alexandre-daubois)
+
 - Date:
   . Update timelib to 2022.16. (Derick)
 
diff --git a/UPGRADING b/UPGRADING
index a97ad00061a27..0b58f386cd63b 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -183,6 +183,11 @@ PHP 8.6 UPGRADE NOTES
 9. Other Changes to Extensions
 ========================================
 
+- Bz2:
+  . The bzip2.compress filter now correctly rejects invalid values for the
+    blocks and work parameters by failing to create the filter instead of
+    emitting a warning and continuing with default values.
+
 - Hash:
   . The bundled version of xxHash was upgraded to 0.8.2.
 
diff --git a/ext/bz2/bz2_filter.c b/ext/bz2/bz2_filter.c
index 69ee483d21f12..759bb4b8ce642 100644
--- a/ext/bz2/bz2_filter.c
+++ b/ext/bz2/bz2_filter.c
@@ -442,6 +442,10 @@ static php_stream_filter *php_bz2_filter_create(const char *filtername, zval *fi
 					zend_long blocks = zval_get_long(tmpzval);
 					if (blocks < 1 || blocks > 9) {
 						php_error_docref(NULL, E_WARNING, "Invalid parameter given for number of blocks to allocate (" ZEND_LONG_FMT ")", blocks);
+						pefree(data->strm.next_in, persistent);
+						pefree(data->strm.next_out, persistent);
+						pefree(data, persistent);
+						return NULL;
 					} else {
 						blockSize100k = (int) blocks;
 					}
@@ -452,6 +456,10 @@ static php_stream_filter *php_bz2_filter_create(const char *filtername, zval *fi
 					zend_long work = zval_get_long(tmpzval);
 					if (work < 0 || work > 250) {
 						php_error_docref(NULL, E_WARNING, "Invalid parameter given for work factor (" ZEND_LONG_FMT ")", work);
+						pefree(data->strm.next_in, persistent);
+						pefree(data->strm.next_out, persistent);
+						pefree(data, persistent);
+						return NULL;
 					} else {
 						workFactor = (int) work;
 					}
diff --git a/ext/bz2/tests/bug72447.phpt b/ext/bz2/tests/bug72447.phpt
index 11f3bd9136b54..0738d25b99eed 100644
--- a/ext/bz2/tests/bug72447.phpt
+++ b/ext/bz2/tests/bug72447.phpt
@@ -17,3 +17,5 @@ unlink('testfile');
 ?>
 --EXPECTF--
 Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate (0) in %s%ebug72447.php on line %d
+
+Warning: stream_filter_append(): Unable to create or locate filter "bzip2.compress" in %s%ebug72447.php on line %d
diff --git a/ext/bz2/tests/bz2_filter_invalid_params.phpt b/ext/bz2/tests/bz2_filter_invalid_params.phpt
new file mode 100644
index 0000000000000..9b30340d1ba88
--- /dev/null
+++ b/ext/bz2/tests/bz2_filter_invalid_params.phpt
@@ -0,0 +1,46 @@
+--TEST--
+GH-19685: bzip2.compress filter with invalid parameters should fail gracefully
+--EXTENSIONS--
+bz2
+--FILE--
+<?php
+$stream = fopen('php://memory', 'w+');
+
+// too low
+$filter = stream_filter_append($stream, 'bzip2.compress', STREAM_FILTER_WRITE, array('blocks' => 0));
+var_dump($filter);
+
+// too high
+$filter = stream_filter_append($stream, 'bzip2.compress', STREAM_FILTER_WRITE, array('blocks' => 10));
+var_dump($filter);
+
+// too low work
+$filter = stream_filter_append($stream, 'bzip2.compress', STREAM_FILTER_WRITE, array('work' => -1));
+var_dump($filter);
+
+// too high work
+$filter = stream_filter_append($stream, 'bzip2.compress', STREAM_FILTER_WRITE, array('work' => 251));
+var_dump($filter);
+
+fclose($stream);
+?>
+--EXPECTF--
+Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate (0) in %s on line %d
+
+Warning: stream_filter_append(): Unable to create or locate filter "bzip2.compress" in %s on line %d
+bool(false)
+
+Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate (10) in %s on line %d
+
+Warning: stream_filter_append(): Unable to create or locate filter "bzip2.compress" in %s on line %d
+bool(false)
+
+Warning: stream_filter_append(): Invalid parameter given for work factor (-1) in %s on line %d
+
+Warning: stream_filter_append(): Unable to create or locate filter "bzip2.compress" in %s on line %d
+bool(false)
+
+Warning: stream_filter_append(): Invalid parameter given for work factor (251) in %s on line %d
+
+Warning: stream_filter_append(): Unable to create or locate filter "bzip2.compress" in %s on line %d
+bool(false)