diff options
author | Stanislav Malyshev <stas@php.net> | 2016-09-04 22:07:35 -0700 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-09-12 17:04:19 +0200 |
commit | 0bfb970f43acd1e81d11be1154805f86655f15d5 (patch) | |
tree | 0c99668596d765424334fc1b471b55dd7de24449 /ext/phar/util.c | |
parent | 1b2007dadac169409ce81eec355826749b9d80e9 (diff) | |
download | php-git-0bfb970f43acd1e81d11be1154805f86655f15d5.tar.gz |
Fix bug #72928 - Out of bound when verify signature of zip phar in phar_parse_zipfile
(cherry picked from commit 19484ab77466f99c78fc0e677f7e03da0584d6a2)
Diffstat (limited to 'ext/phar/util.c')
-rw-r--r-- | ext/phar/util.c | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/ext/phar/util.c b/ext/phar/util.c index eca33efc38..08d58b9301 100644 --- a/ext/phar/util.c +++ b/ext/phar/util.c @@ -1609,6 +1609,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ unsigned char digest[64]; PHP_SHA512_CTX context; + if (sig_len < sizeof(digest)) { + if (error) { + spprintf(error, 0, "broken signature"); + } + return FAILURE; + } + PHP_SHA512Init(&context); read_len = end_of_phar; @@ -1642,6 +1649,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ unsigned char digest[32]; PHP_SHA256_CTX context; + if (sig_len < sizeof(digest)) { + if (error) { + spprintf(error, 0, "broken signature"); + } + return FAILURE; + } + PHP_SHA256Init(&context); read_len = end_of_phar; @@ -1683,6 +1697,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ unsigned char digest[20]; PHP_SHA1_CTX context; + if (sig_len < sizeof(digest)) { + if (error) { + spprintf(error, 0, "broken signature"); + } + return FAILURE; + } + PHP_SHA1Init(&context); read_len = end_of_phar; @@ -1716,6 +1737,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ unsigned char digest[16]; PHP_MD5_CTX context; + if (sig_len < sizeof(digest)) { + if (error) { + spprintf(error, 0, "broken signature"); + } + return FAILURE; + } + PHP_MD5Init(&context); read_len = end_of_phar; |