diff options
author | Julien Pauli <jpauli@php.net> | 2016-05-02 16:49:47 +0200 |
---|---|---|
committer | Julien Pauli <jpauli@php.net> | 2016-05-02 16:49:47 +0200 |
commit | a4abd2bed9c0d034e7cd2c88c3a66c4de24188af (patch) | |
tree | 80d039ced78bfe33c03eb5aa0e8effe7a61cccbc | |
parent | 5c571626e3368f8f76b7baff74ca1c1adade9b50 (diff) | |
parent | 9649ca1630433473a307d015ba1a79a4a7a779f5 (diff) | |
download | php-git-a4abd2bed9c0d034e7cd2c88c3a66c4de24188af.tar.gz |
Backport of fixed for bug #71331 - Uninitialized pointer in phar_make_dirstream()
-rw-r--r-- | ext/phar/dirstream.c | 3 | ||||
-rw-r--r-- | ext/phar/tar.c | 2 | ||||
-rw-r--r-- | ext/phar/tests/bug71331.phpt | 15 | ||||
-rw-r--r-- | ext/phar/tests/bug71331.tar | bin | 0 -> 2560 bytes |
4 files changed, 18 insertions, 2 deletions
diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c index 75cf049ade..94958a26aa 100644 --- a/ext/phar/dirstream.c +++ b/ext/phar/dirstream.c @@ -207,6 +207,7 @@ static php_stream *phar_make_dirstream(char *dir, HashTable *manifest TSRMLS_DC) zend_hash_internal_pointer_reset(manifest); while (FAILURE != zend_hash_has_more_elements(manifest)) { + keylen = 0; if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) { break; } @@ -214,7 +215,7 @@ static php_stream *phar_make_dirstream(char *dir, HashTable *manifest TSRMLS_DC) PHAR_STR(key, str_key); if (keylen <= (uint)dirlen) { - if (keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) { + if (keylen == 0 || keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) { PHAR_STR_FREE(str_key); if (SUCCESS != zend_hash_move_forward(manifest)) { break; diff --git a/ext/phar/tar.c b/ext/phar/tar.c index 3a4bd491f8..bf19e08ac0 100644 --- a/ext/phar/tar.c +++ b/ext/phar/tar.c @@ -356,7 +356,7 @@ bail: entry.filename_len = entry.uncompressed_filesize; /* Check for overflow - bug 61065 */ - if (entry.filename_len == UINT_MAX) { + if (entry.filename_len == UINT_MAX || entry.filename_len == 0) { if (error) { spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname); } diff --git a/ext/phar/tests/bug71331.phpt b/ext/phar/tests/bug71331.phpt new file mode 100644 index 0000000000..106fd540fc --- /dev/null +++ b/ext/phar/tests/bug71331.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #71331 (Uninitialized pointer in phar_make_dirstream()) +--SKIPIF-- +<?php if (!extension_loaded("phar")) die("skip"); ?> +--FILE-- +<?php +$p = new PharData(__DIR__."/bug71331.tar"); +?> +DONE +--EXPECTF-- +Fatal error: Uncaught exception 'UnexpectedValueException' with message 'phar error: "%s/bug71331.tar" is a corrupted tar file (invalid entry size)' in %s/bug71331.php:2 +Stack trace: +#0 %s/bug71331.php(2): PharData->__construct('%s') +#1 {main} + thrown in %s/bug71331.php on line 2
\ No newline at end of file diff --git a/ext/phar/tests/bug71331.tar b/ext/phar/tests/bug71331.tar Binary files differnew file mode 100644 index 0000000000..14eec28781 --- /dev/null +++ b/ext/phar/tests/bug71331.tar |