diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-07-04 23:47:48 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2015-07-07 09:38:31 -0700 |
| commit | 6dedeb40db13971af45276f80b5375030aa7e76f (patch) | |
| tree | f6e8cbb138444702008f48ca74bd76e5e515c906 | |
| parent | bf58162ddf970f63502837f366930e44d6a992cf (diff) | |
| download | php-git-6dedeb40db13971af45276f80b5375030aa7e76f.tar.gz | |
Fix bug #69923 - Buffer overflow and stack smashing error in phar_fix_filepath
| -rw-r--r-- | ext/phar/phar.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/ext/phar/phar.c b/ext/phar/phar.c index 223bfe84c6..ba73462936 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -2142,7 +2142,7 @@ char *tsrm_strtok_r(char *s, const char *delim, char **last) /* {{{ */ */ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ */ { - char newpath[MAXPATHLEN]; + char *newpath; int newpath_len; char *ptr; char *tok; @@ -2150,8 +2150,10 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ if (PHAR_G(cwd_len) && use_cwd && path_length > 2 && path[0] == '.' && path[1] == '/') { newpath_len = PHAR_G(cwd_len); + newpath = emalloc(strlen(path) + newpath_len + 1); memcpy(newpath, PHAR_G(cwd), newpath_len); } else { + newpath = emalloc(strlen(path) + 2); newpath[0] = '/'; newpath_len = 1; } @@ -2174,6 +2176,7 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ if (*tok == '.') { efree(path); *new_len = 1; + efree(newpath); return estrndup("/", 1); } break; @@ -2181,9 +2184,11 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ if (tok[0] == '.' && tok[1] == '.') { efree(path); *new_len = 1; + efree(newpath); return estrndup("/", 1); } } + efree(newpath); return path; } @@ -2232,7 +2237,8 @@ last_time: efree(path); *new_len = newpath_len; - return estrndup(newpath, newpath_len); + newpath[newpath_len] = '\0'; + return erealloc(newpath, newpath_len + 1); } /* }}} */ |