authorStanislav Malyshev <stas@php.net>2016-12-31 18:47:50 -0800
committerStanislav Malyshev <stas@php.net>2016-12-31 18:47:50 -0800
commite5246580a85f031e1a3b8064edbaa55c1643a451 (patch)
treeefb6d247ea653fb6e7625a87d326efbd2c017380
parent16b3003ffc6393e250f069aa28a78dc5a2c064b2 (diff)
Fix bug #73773 - Seg fault when loading hostile phar
-rw-r--r--ext/phar/phar.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 158f41739d..780be43257 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -1054,7 +1054,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
entry.is_persistent = mydata->is_persistent;
for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
- if (buffer + 24 > endbuffer) {
+ if (buffer + 28 > endbuffer) {
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
}
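Review bot: The guard `buffer + 28 > endbuffer` at the top of the manifest loop computes a pointer that can lie beyond the end of the manifest buffer whenever fewer than 28 bytes remain. That is undefined behaviour in C, so the comparison is not guaranteed to hold on every compiler or address layout. Assuming both pointers refer to the same buffer, comparing the remaining length keeps the arithmetic in range: `if (endbuffer - buffer < 28) {`. The second changed check in this commit already uses that form (`endbuffer - buffer - 24`). The loop body continues outside the hunk.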
@@ -1068,7 +1068,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
entry.manifest_pos = manifest_index;
}
- if (entry.filename_len > endbuffer - buffer - 20) {
+ if (entry.filename_len > endbuffer - buffer - 24) {
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
}
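Review bot: The constant 24 in `entry.filename_len > endbuffer - buffer - 24` is only correct together with the 28 in the earlier loop-top check, and nothing in the code records that link. The right-hand side stays non-negative only because that earlier check guaranteed 28 bytes and, presumably, four of them are consumed reading the filename length in lines not shown here. If `filename_len` is an unsigned 32-bit type, a negative difference on a 32-bit build would convert to a large unsigned value and the guard would stop rejecting truncated entries. I would add a comment such as `/* 24 = fixed-size entry fields after the filename; plus the 4-byte length = the 28 checked above */`, or name both constants. The diffstat shows only ext/phar/phar.c changed, so a regression test with a truncated manifest entry would be worth adding alongside.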