summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2018-12-29 18:25:37 -0800
committerChristoph M. Becker <cmbecker69@gmx.de>2019-01-07 13:22:23 +0100
commit9d388b95c54ea053ce6f194defe1ff6673195747 (patch)
treebf7dc2b8b5062de820ad699e765a8433019fee35
parentba3d1956ebc838a191bdc31ba66a89c94cb98441 (diff)
downloadphp-git-9d388b95c54ea053ce6f194defe1ff6673195747.tar.gz
Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
(cherry picked from commit 428d8164ffcf6f75a6cc9d4056e54bfd450dac03)
Diffstat
-rw-r--r--NEWS4
-rw-r--r--ext/phar/phar.c2
-rw-r--r--ext/phar/tests/bug77247.phpt14
3 files changed, 19 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 621fd2f207..cb8cb4d043 100644
--- a/NEWS
+++ b/NEWS
@@ -46,6 +46,10 @@ PHP NEWS
. Handle invalid index passed to PDOStatement::fetchColumn() as error. (Sergei
Morozov)
+- Phar:
+ . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
+ (Stas)
+
- Soap:
. Fixed bug #77088 (Segfault when using SoapClient with null options).
(Laruence)
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 4d5988eaa9..812720a011 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -2026,7 +2026,7 @@ next_extension:
}
while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) {
- pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1);
+ pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1);
if (!pos) {
return FAILURE;
}
diff --git a/ext/phar/tests/bug77247.phpt b/ext/phar/tests/bug77247.phpt
new file mode 100644
index 0000000000..588975f9f2
--- /dev/null
+++ b/ext/phar/tests/bug77247.phpt
@@ -0,0 +1,14 @@
+--TEST--
+PHP bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+try {
+var_dump(new Phar('a/.b', 0,'test.phar'));
+} catch(UnexpectedValueException $e) {
+ echo "OK";
+}
+?>
+--EXPECT--
+OK \ No newline at end of file
View Lorry Controller Status