diff options
author | Stanislav Malyshev <stas@php.net> | 2012-05-15 22:34:34 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2012-05-15 22:42:03 -0700 |
commit | 1fdece54d9a53660c9bdc1464390fdd8456c0c7a (patch) | |
tree | b4a723eae3bf8f124bb81f7c02dae3c08abd07ab | |
parent | e6dc487a2b9abc22fdfc8113060d087dc75c651c (diff) | |
download | php-git-1fdece54d9a53660c9bdc1464390fdd8456c0c7a.tar.gz |
fix bug #61065
-rw-r--r-- | ext/phar/tar.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/ext/phar/tar.c b/ext/phar/tar.c index 9d1e5bcb1d..b914db129e 100644 --- a/ext/phar/tar.c +++ b/ext/phar/tar.c @@ -337,6 +337,16 @@ bail: last_was_longlink = 1; /* support the ././@LongLink system for storing long filenames */ entry.filename_len = entry.uncompressed_filesize; + + /* Check for overflow - bug 61065 */ + if (entry.filename_len == UINT_MAX) { + if (error) { + spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname); + } + php_stream_close(fp); + phar_destroy_phar_data(myphar TSRMLS_CC); + return FAILURE; + } entry.filename = pemalloc(entry.filename_len+1, myphar->is_persistent); read = php_stream_read(fp, entry.filename, entry.filename_len); |