Check that readRaw does not accept negative length value.

protobuf-github-bot · shaod2 · commit 60e93d2d104f · 2026-03-13T16:43:25.000Z
Fixes #24159 PiperOrigin-RevId: 855837030
diff --git a/php/src/Google/Protobuf/Internal/CodedInputStream.php b/php/src/Google/Protobuf/Internal/CodedInputStream.php
@@ -271,7 +271,8 @@ public function readTag()
     public function readRaw($size, &$buffer)
     {
         $current_buffer_size = 0;
-        if ($this->bufferSize() < $size) {
+        // size (varint) read from the wire could be negative.
+        if ($size < 0 || $this->bufferSize() < $size) {
             return false;
         }
 
diff --git a/php/tests/EncodeDecodeTest.php b/php/tests/EncodeDecodeTest.php
@@ -603,6 +603,13 @@ public function testDecodeNegativeInt32()
         $this->assertEquals(-1, $m->getOptionalInt32());
     }
 
+    public function testInvalidVarintLength() {
+        $this->expectException(Exception::class);
+
+        $m = new TestMessage();
+        $m->mergeFromString(hex2bin("0afaffffff0f"));
+    }
+
     private function makeRecursiveMessage($depth) {
         $m = new TestMessage();
         $m->setOptionalInt32(1);

Original file line number	Diff line number	Diff line change
`@@ -271,7 +271,8 @@ public function readTag()`
`271`	`271`	`public function readRaw($size, &$buffer)`
`272`	`272`	`{`
`273`	`273`	`$current_buffer_size = 0;`
`274`		`- if ($this->bufferSize() < $size) {`
	`274`	`+ // size (varint) read from the wire could be negative.`
	`275`	`+ if ($size < 0 \|\| $this->bufferSize() < $size) {`
`275`	`276`	`return false;`
`276`	`277`	`}`
`277`	`278`