diff options
author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-12-01 14:20:39 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-12-01 16:58:19 +0100 |
commit | c283f53b24b84e0571ca2b29df05247a7344392c (patch) | |
tree | 33b27e2b7b7d52729771aae7d4b15bd267ffd25a | |
parent | ecee3f1209a7c0ac9f99c7f640b2f5df56656e58 (diff) | |
download | php-git-c283f53b24b84e0571ca2b29df05247a7344392c.tar.gz |
Fix #73809: Phar Zip parse crash - mmap fail
Phar signatures practically are of limited size; for the MD5 and SHA
hashes the size is fixed (at most 64 bytes for SHA512); for OpenSSL
public keys there is no size limit in theory, but "64 KiB ought to be
good enough for anybody". So we check for that limit, to avoid fatal
errors due to out of memory conditions.
Since it is neither possible to have the signature compressed in the
ZIP archive, nor is it possible to manually add a signature via Phar,
we use ZipArchive to create a suitable archive for the test on the fly.
Closes GH-6474.
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/phar/tests/bug73809.phpt | 30 | ||||
-rw-r--r-- | ext/phar/zip.c | 7 |
3 files changed, 39 insertions, 1 deletions
@@ -24,6 +24,9 @@ PHP NEWS . Fixed bug #80368 (OpenSSL extension fails to build against LibreSSL due to lack of OCB support). (Nikita) +- Phar: + . Fixed bug #73809 (Phar Zip parse crash - mmap fail). (cmb) + - Phpdbg: . Fixed bug #76813 (Access violation near NULL on source operand). (cmb) diff --git a/ext/phar/tests/bug73809.phpt b/ext/phar/tests/bug73809.phpt new file mode 100644 index 0000000000..5356db8aaa --- /dev/null +++ b/ext/phar/tests/bug73809.phpt @@ -0,0 +1,30 @@ +--TEST-- +Bug #73809 (Phar Zip parse crash - mmap fail) +--SKIPIF-- +<?php +if (!extension_loaded('phar')) die('skip phar extension not available'); +if (!extension_loaded('zip')) die('skip zip extension not available'); +?> +--FILE-- +<?php +// create the ZIP to be tested +$zip = new ZipArchive; +$zip->open(__DIR__ . '/73809.zip', ZipArchive::CREATE); +$zip->addFromString('73809.txt', 'yada yada'); +$zip->addFromString('.phar/signature.bin', str_repeat('*', 64 * 1024 + 1)); +$zip->setCompressionName('.phar/signature.bin', ZipArchive::CM_STORE); +var_dump($zip->close()); + +try { + $phar = new PharData(__DIR__ . '/73809.zip'); +} catch (Exception $ex) { + echo $ex->getMessage(), PHP_EOL; +} +?> +--CLEAN-- +<?php +@unlink(__DIR__ . '/73809.zip'); +?> +--EXPECTF-- +bool(true) +phar error: signatures larger than 64 KiB are not supported in zip-based phar "%s" diff --git a/ext/phar/zip.c b/ext/phar/zip.c index b241c0589b..0bf873aff1 100644 --- a/ext/phar/zip.c +++ b/ext/phar/zip.c @@ -405,8 +405,13 @@ foundit: char *sig; size_t sig_len; - php_stream_tell(fp); pefree(entry.filename, entry.is_persistent); + + if (entry.uncompressed_filesize > 0x10000) { + PHAR_ZIP_FAIL("signatures larger than 64 KiB are not supported"); + } + + php_stream_tell(fp); sigfile = php_stream_fopen_tmpfile(); if (!sigfile) { PHAR_ZIP_FAIL("couldn't open temporary file"); |