diff options
| author | Stanislav Malyshev <stas@php.net> | 2016-01-14 22:58:40 -0800 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2016-01-14 22:58:40 -0800 |
| commit | 4c2424eb24b0178456acc404dbfff528cdc44197 (patch) | |
| tree | 83d7d11c38562074be21b83251b0f3cb48c9ff82 | |
| parent | d7f8d9e3a9babf0e4f0c1a5590e1feb5e69bd84a (diff) | |
| download | php-git-4c2424eb24b0178456acc404dbfff528cdc44197.tar.gz | |
Fixed bug #71331 - Uninitialized pointer in phar_make_dirstream()
| -rw-r--r-- | ext/phar/dirstream.c | 3 | ||||
| -rw-r--r-- | ext/phar/tar.c | 2 | ||||
| -rw-r--r-- | ext/phar/tests/bug71331.phpt | 15 | ||||
| -rw-r--r-- | ext/phar/tests/bug71331.tar | bin | 0 -> 2560 bytes |
4 files changed, 18 insertions, 2 deletions
diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c index 05f37e695c..f843501b58 100644 --- a/ext/phar/dirstream.c +++ b/ext/phar/dirstream.c @@ -198,12 +198,13 @@ static php_stream *phar_make_dirstream(char *dir, HashTable *manifest TSRMLS_DC) zend_hash_internal_pointer_reset(manifest); while (FAILURE != zend_hash_has_more_elements(manifest)) { + keylen = 0; if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(manifest, &str_key, &keylen, &unused, 0, NULL)) { break; } if (keylen <= (uint)dirlen) { - if (keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) { + if (keylen == 0 || keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) { if (SUCCESS != zend_hash_move_forward(manifest)) { break; } diff --git a/ext/phar/tar.c b/ext/phar/tar.c index 2eb1a23676..5d121cb030 100644 --- a/ext/phar/tar.c +++ b/ext/phar/tar.c @@ -348,7 +348,7 @@ bail: entry.filename_len = entry.uncompressed_filesize; /* Check for overflow - bug 61065 */ - if (entry.filename_len == UINT_MAX) { + if (entry.filename_len == UINT_MAX || entry.filename_len == 0) { if (error) { spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname); } diff --git a/ext/phar/tests/bug71331.phpt b/ext/phar/tests/bug71331.phpt new file mode 100644 index 0000000000..106fd540fc --- /dev/null +++ b/ext/phar/tests/bug71331.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #71331 (Uninitialized pointer in phar_make_dirstream()) +--SKIPIF-- +<?php if (!extension_loaded("phar")) die("skip"); ?> +--FILE-- +<?php +$p = new PharData(__DIR__."/bug71331.tar"); +?> +DONE +--EXPECTF-- +Fatal error: Uncaught exception 'UnexpectedValueException' with message 'phar error: "%s/bug71331.tar" is a corrupted tar file (invalid entry size)' in %s/bug71331.php:2 +Stack trace: +#0 %s/bug71331.php(2): PharData->__construct('%s') +#1 {main} + thrown in %s/bug71331.php on line 2
\ No newline at end of file diff --git a/ext/phar/tests/bug71331.tar b/ext/phar/tests/bug71331.tar Binary files differnew file mode 100644 index 0000000000..14eec28781 --- /dev/null +++ b/ext/phar/tests/bug71331.tar |