diff options
author | Stanislav Malyshev <stas@php.net> | 2018-12-29 18:25:37 -0800 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-01-07 13:22:23 +0100 |
commit | 9d388b95c54ea053ce6f194defe1ff6673195747 (patch) | |
tree | bf7dc2b8b5062de820ad699e765a8433019fee35 | |
parent | ba3d1956ebc838a191bdc31ba66a89c94cb98441 (diff) | |
download | php-git-9d388b95c54ea053ce6f194defe1ff6673195747.tar.gz |
Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
(cherry picked from commit 428d8164ffcf6f75a6cc9d4056e54bfd450dac03)
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/phar/phar.c | 2 | ||||
-rw-r--r-- | ext/phar/tests/bug77247.phpt | 14 |
3 files changed, 19 insertions, 1 deletions
@@ -46,6 +46,10 @@ PHP NEWS . Handle invalid index passed to PDOStatement::fetchColumn() as error. (Sergei Morozov) +- Phar: + . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). + (Stas) + - Soap: . Fixed bug #77088 (Segfault when using SoapClient with null options). (Laruence) diff --git a/ext/phar/phar.c b/ext/phar/phar.c index 4d5988eaa9..812720a011 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -2026,7 +2026,7 @@ next_extension: } while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) { - pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1); + pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1); if (!pos) { return FAILURE; } diff --git a/ext/phar/tests/bug77247.phpt b/ext/phar/tests/bug77247.phpt new file mode 100644 index 0000000000..588975f9f2 --- /dev/null +++ b/ext/phar/tests/bug77247.phpt @@ -0,0 +1,14 @@ +--TEST-- +PHP bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext) +--SKIPIF-- +<?php if (!extension_loaded("phar")) die("skip"); ?> +--FILE-- +<?php +try { +var_dump(new Phar('a/.b', 0,'test.phar')); +} catch(UnexpectedValueException $e) { + echo "OK"; +} +?> +--EXPECT-- +OK
\ No newline at end of file |