Merge pull request #26366 from protocolbuffers/php-cherrypick-33.x

shaod2 · web-flow · commit ea68cc0128b5 · 2026-03-18T11:59:26.000-04:00
Backport php fixes to 33.x
diff --git a/php/src/Google/Protobuf/Internal/CodedInputStream.php b/php/src/Google/Protobuf/Internal/CodedInputStream.php
@@ -271,7 +271,8 @@ public function readTag()
     public function readRaw($size, &$buffer)
     {
         $current_buffer_size = 0;
-        if ($this->bufferSize() < $size) {
+        // size (varint) read from the wire could be negative.
+        if ($size < 0 || $this->bufferSize() < $size) {
             return false;
         }
 
@@ -337,7 +338,7 @@ public function incrementRecursionDepthAndPushLimit(
         $byte_limit, &$old_limit, &$recursion_budget)
     {
         $old_limit = $this->pushLimit($byte_limit);
-        $recursion_limit = --$this->recursion_limit;
+        $recursion_budget = --$this->recursion_budget;
     }
 
     public function decrementRecursionDepthAndPopLimit($byte_limit)
diff --git a/php/tests/EncodeDecodeTest.php b/php/tests/EncodeDecodeTest.php
@@ -603,6 +603,38 @@ public function testDecodeNegativeInt32()
         $this->assertEquals(-1, $m->getOptionalInt32());
     }
 
+    public function testInvalidVarintLength() {
+        $this->expectException(Exception::class);
+
+        $m = new TestMessage();
+        $m->mergeFromString(hex2bin("0afaffffff0f"));
+    }
+
+    private function makeRecursiveMessage($depth) {
+        $m = new TestMessage();
+        $m->setOptionalInt32(1);
+        if ($depth == 0) {
+            return $m;
+        }
+        $m->setRecursive($this->makeRecursiveMessage($depth - 1));
+        return $m;
+    }
+
+    public function testRecursiveMessage() {
+        $payload = $this->makeRecursiveMessage(99)->serializeToString();
+
+        $m = new TestMessage();
+        $m->mergeFromString($payload);
+    }
+
+    public function testOverlyRecursiveMessage() {
+        $this->expectException(Exception::class);
+        $payload = $this->makeRecursiveMessage(101)->serializeToString();
+
+        $m = new TestMessage();
+        $m->mergeFromString($payload);
+    }
+
     public function testRandomFieldOrder()
     {
         $m = new TestRandomFieldOrder();

Original file line number	Diff line number	Diff line change
`@@ -271,7 +271,8 @@ public function readTag()`
`271`	`271`	`public function readRaw($size, &$buffer)`
`272`	`272`	`{`
`273`	`273`	`$current_buffer_size = 0;`
`274`		`- if ($this->bufferSize() < $size) {`
	`274`	`+ // size (varint) read from the wire could be negative.`
	`275`	`+ if ($size < 0 \|\| $this->bufferSize() < $size) {`
`275`	`276`	`return false;`
`276`	`277`	`}`
`277`	`278`
`@@ -337,7 +338,7 @@ public function incrementRecursionDepthAndPushLimit(`
`337`	`338`	`$byte_limit, &$old_limit, &$recursion_budget)`
`338`	`339`	`{`
`339`	`340`	`$old_limit = $this->pushLimit($byte_limit);`
`340`		`- $recursion_limit = --$this->recursion_limit;`
	`341`	`+ $recursion_budget = --$this->recursion_budget;`
`341`	`342`	`}`
`342`	`343`
`343`	`344`	`public function decrementRecursionDepthAndPopLimit($byte_limit)`