diff options
author | Stanislav Malyshev <stas@php.net> | 2012-05-15 22:34:34 -0700 |
---|---|---|
committer | Johannes Schlüter <johannes@php.net> | 2012-05-16 16:30:29 +0200 |
commit | 4eb802bb14b05b82573457bc0f528e61ca7ddc45 (patch) | |
tree | 04101d8737db6f5e24ad8c177f8096aa662bf49f | |
parent | 93c91c733cf2259263e4d8c0f3ccc254246d404d (diff) | |
download | php-git-4eb802bb14b05b82573457bc0f528e61ca7ddc45.tar.gz |
fix bug #61065
(cherry picked from commit a10e778bfb7ce9caa1f91666ddf2705db7982d68)
-rw-r--r-- | ext/phar/tar.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/ext/phar/tar.c b/ext/phar/tar.c index 9d1e5bcb1d..b914db129e 100644 --- a/ext/phar/tar.c +++ b/ext/phar/tar.c @@ -337,6 +337,16 @@ bail: last_was_longlink = 1; /* support the ././@LongLink system for storing long filenames */ entry.filename_len = entry.uncompressed_filesize; + + /* Check for overflow - bug 61065 */ + if (entry.filename_len == UINT_MAX) { + if (error) { + spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname); + } + php_stream_close(fp); + phar_destroy_phar_data(myphar TSRMLS_CC); + return FAILURE; + } entry.filename = pemalloc(entry.filename_len+1, myphar->is_persistent); read = php_stream_read(fp, entry.filename, entry.filename_len); |