Pure PHP: Reject 10-byte varints with bit above the 64th bit set.

protobuf-github-bot · copybara-github · commit fe7a6135f6b1 · 2026-04-13T12:36:03.000-07:00
PiperOrigin-RevId: 899065019
diff --git a/php/src/Google/Protobuf/Internal/CodedInputStream.php b/php/src/Google/Protobuf/Internal/CodedInputStream.php
@@ -138,6 +138,15 @@ public function readVarint64(&$var)
                     return false;
                 }
                 $b = ord($this->buffer[$this->current]);
+                if ($count === 9) {
+                    // If the 10th byte has a continuation bit set, immediately
+                    // fail.
+                    if ($b & 0x80) {
+                        return false;
+                    }
+                    // Discard bits above bit 0 in the 10th byte.
+                    $b &= 0x01;
+                }
                 $bits = 7 * $count;
                 if ($bits >= 32) {
                     $high |= (($b & 0x7F) << ($bits - 32));
@@ -170,7 +179,20 @@ public function readVarint64(&$var)
                 }
 
                 $byte = ord($this->buffer[$this->current]);
-                $result |= ($byte & 0x7f) << $shift;
+
+                if ($count === 9) {
+                    // If the 10th byte has a continuation bit set, fail.
+                    if ($byte & 0x80) {
+                        return false;
+                    }
+                    // Silently discards bits above bit 0 in the 10th byte.
+                    if ($byte & 1) {
+                        $result |= PHP_INT_MIN;
+                    }
+                } else {
+                    $result |= ($byte & 0x7f) << $shift;
+                }
+
                 $shift += 7;
                 $this->advance(1);
                 $count += 1;
diff --git a/php/tests/PhpImplementationTest.php b/php/tests/PhpImplementationTest.php
@@ -383,6 +383,13 @@ public function testReadVarint64()
         $input = new CodedInputStream(hex2bin('8080808080808080808001'));
         $this->assertFalse($input->readVarint64($var));
 
+        // 10-byte varint with high bits set in the 10th byte.
+        // Bits above bit 0 in the 10th byte are discarded, leaving valid varint
+        // operations modulo bounds.
+        $input = new CodedInputStream(hex2bin('87808080808080808002'));
+        $this->assertTrue($input->readVarint64($var));
+        $this->assertEquals(7, $var);
+
         // Corrupted varint.
         $input = new CodedInputStream(hex2bin('808080'));
         $this->assertFalse($input->readVarint64($var));
