diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-12-01 16:59:47 +0100 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-12-01 17:00:27 +0100 |
| commit | 83cf4aa13a9e5c59a6baf60d293bd2e38ab9d59d (patch) | |
| tree | e81d4607dfb3cbe55797dd3081f3dc2656c00525 | |
| parent | 44475e70e2d29c862c58827ae72975205123b4a2 (diff) | |
| parent | c283f53b24b84e0571ca2b29df05247a7344392c (diff) | |
| download | php-git-83cf4aa13a9e5c59a6baf60d293bd2e38ab9d59d.tar.gz | |
Merge branch 'PHP-7.4' into PHP-8.0
* PHP-7.4:
Fix #73809: Phar Zip parse crash - mmap fail
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | ext/phar/tests/bug73809.phpt | 30 | ||||
| -rw-r--r-- | ext/phar/zip.c | 7 |
3 files changed, 39 insertions, 1 deletions
@@ -32,6 +32,9 @@ PHP NEWS . Fixed bug #80368 (OpenSSL extension fails to build against LibreSSL due to lack of OCB support). (Nikita) +- Phar: + . Fixed bug #73809 (Phar Zip parse crash - mmap fail). (cmb) + - Phpdbg: . Fixed bug #76813 (Access violation near NULL on source operand). (cmb) diff --git a/ext/phar/tests/bug73809.phpt b/ext/phar/tests/bug73809.phpt new file mode 100644 index 0000000000..5356db8aaa --- /dev/null +++ b/ext/phar/tests/bug73809.phpt @@ -0,0 +1,30 @@ +--TEST-- +Bug #73809 (Phar Zip parse crash - mmap fail) +--SKIPIF-- +<?php +if (!extension_loaded('phar')) die('skip phar extension not available'); +if (!extension_loaded('zip')) die('skip zip extension not available'); +?> +--FILE-- +<?php +// create the ZIP to be tested +$zip = new ZipArchive; +$zip->open(__DIR__ . '/73809.zip', ZipArchive::CREATE); +$zip->addFromString('73809.txt', 'yada yada'); +$zip->addFromString('.phar/signature.bin', str_repeat('*', 64 * 1024 + 1)); +$zip->setCompressionName('.phar/signature.bin', ZipArchive::CM_STORE); +var_dump($zip->close()); + +try { + $phar = new PharData(__DIR__ . '/73809.zip'); +} catch (Exception $ex) { + echo $ex->getMessage(), PHP_EOL; +} +?> +--CLEAN-- +<?php +@unlink(__DIR__ . '/73809.zip'); +?> +--EXPECTF-- +bool(true) +phar error: signatures larger than 64 KiB are not supported in zip-based phar "%s" diff --git a/ext/phar/zip.c b/ext/phar/zip.c index 52a387bdbc..1d7c5b2217 100644 --- a/ext/phar/zip.c +++ b/ext/phar/zip.c @@ -401,8 +401,13 @@ foundit: char *sig; size_t sig_len; - php_stream_tell(fp); pefree(entry.filename, entry.is_persistent); + + if (entry.uncompressed_filesize > 0x10000) { + PHAR_ZIP_FAIL("signatures larger than 64 KiB are not supported"); + } + + php_stream_tell(fp); sigfile = php_stream_fopen_tmpfile(); if (!sigfile) { PHAR_ZIP_FAIL("couldn't open temporary file"); |