diff options
| author | Stanislav Malyshev <stas@php.net> | 2011-11-19 04:59:56 +0000 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2011-11-19 04:59:56 +0000 |
| commit | 449907fb7633b4db35b9da1795688c597967ba6c (patch) | |
| tree | e9d6860981f7d22e1be4efed59110482d01eb709 | |
| parent | 1d0d8abc5fd13bb6021de8cf2c5240c55936de6e (diff) | |
| download | php-git-449907fb7633b4db35b9da1795688c597967ba6c.tar.gz | |
fix bug #60164 (Stubs of a specific length break phar_open_from_fp scanning for __HALT_COMPILER)
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/phar/phar.c | 6 | ||||
| -rw-r--r-- | ext/phar/tests/bug60164.phpt | 21 | ||||
| -rw-r--r-- | ext/phar/tests/files/stuboflength1041.phar | bin | 0 -> 1168 bytes | |||
| -rw-r--r-- | ext/phar/tests/files/stuboflength1041.phar.inc | 42 |
5 files changed, 69 insertions, 2 deletions
@@ -42,6 +42,8 @@ PHP NEWS - Phar: . Fixed bug #60261 (NULL pointer dereference in phar). (Felipe) + . Fixed bug #60164 (Stubs of a specific length break phar_open_from_fp + scanning for __HALT_COMPILER). (Ralph Schindler) - Postgres: . Fixed bug #60244 (pg_fetch_* functions do not validate that row param diff --git a/ext/phar/phar.c b/ext/phar/phar.c index 24d8c428af..e201ca50d0 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -1569,7 +1569,9 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a const char zip_magic[] = "PK\x03\x04"; const char gz_magic[] = "\x1f\x8b\x08"; const char bz_magic[] = "BZh"; - char *pos, buffer[1024 + sizeof(token)], test = '\0'; + char *pos, test = '\0'; + const int window_size = 1024; + char buffer[window_size + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */ const long readsize = sizeof(buffer) - sizeof(token); const long tokenlen = sizeof(token) - 1; long halt_offset; @@ -1717,7 +1719,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a } halt_offset += got; - memmove(buffer, buffer + tokenlen, got + 1); + memmove(buffer, buffer + window_size, tokenlen); /* move the memory buffer by the size of the window */ } MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (__HALT_COMPILER(); not found)") diff --git a/ext/phar/tests/bug60164.phpt b/ext/phar/tests/bug60164.phpt new file mode 100644 index 0000000000..8fd5de5146 --- /dev/null +++ b/ext/phar/tests/bug60164.phpt @@ -0,0 +1,21 @@ +--TEST-- +Phar: verify stub of specific length does not break __HALT_COMPILER(); scanning in php +--SKIPIF-- +<?php +if (!extension_loaded("phar")) die("skip"); +?> +--INI-- +phar.require_hash=0 +phar.readonly=0 +--FILE-- +<?php +$phar = __DIR__ . '/files/stuboflength1041.phar'; +foreach (new RecursiveIteratorIterator(new Phar($phar, null, 'stuboflength1041.phar')) as $item) { + var_dump($item->getFileName()); +} +?> +===DONE=== +--EXPECT-- +string(5) "a.php" +string(5) "b.php" +===DONE===
\ No newline at end of file diff --git a/ext/phar/tests/files/stuboflength1041.phar b/ext/phar/tests/files/stuboflength1041.phar Binary files differnew file mode 100644 index 0000000000..d90fb8f10d --- /dev/null +++ b/ext/phar/tests/files/stuboflength1041.phar diff --git a/ext/phar/tests/files/stuboflength1041.phar.inc b/ext/phar/tests/files/stuboflength1041.phar.inc new file mode 100644 index 0000000000..4a26a41a09 --- /dev/null +++ b/ext/phar/tests/files/stuboflength1041.phar.inc @@ -0,0 +1,42 @@ +<?php + +@unlink(__DIR__ . '/stuboflength1041.phar'); + +$phar = new Phar('./stuboflength1041.phar'); +$phar['a.php'] = 'hi1'; +$phar['b.php'] = 'hi2'; + +$phar->setStub('<?php +/***stub of length 1041 including the halt compiler********************************************* +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +*********************************************/ +__HALT_COMPILER();'); +<?php + +@unlink(__DIR__ . '/stuboflength1041.phar'); + +$phar = new Phar('./stuboflength1041.phar'); +$phar['a.php'] = 'hi1'; +$phar['b.php'] = 'hi2'; + +$phar->setStub('<?php +/***stub of length 1041 including the halt compiler********************************************* +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +************************************************************************************************ +*********************************************/ +__HALT_COMPILER();');
\ No newline at end of file |