diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-04-14 00:34:02 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2015-04-14 00:34:02 -0700 |
| commit | e21f87e9578884b8cc7914d1e68aca0a0b54c8b7 (patch) | |
| tree | c69285a8d57f0aa7368036259c3e0f8c80ae9138 /ext/phar | |
| parent | 100614da271f898384cea4b2b1cead39a0dc8ccd (diff) | |
| parent | e10272c628a1163fb493910bdd1bb47b6c730813 (diff) | |
| download | php-git-e21f87e9578884b8cc7914d1e68aca0a0b54c8b7.tar.gz | |
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4:
5.4.41 next
fix CVE num
update NEWS
Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode)
fix type in fix for #69085
fix CVE num
Conflicts:
configure.in
main/php_version.h
Diffstat (limited to 'ext/phar')
| -rw-r--r-- | ext/phar/phar_internal.h | 9 | ||||
| -rw-r--r-- | ext/phar/tests/bug69441.phar | bin | 0 -> 5780 bytes | |||
| -rw-r--r-- | ext/phar/tests/bug69441.phpt | 21 |
3 files changed, 27 insertions, 3 deletions
diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h index 9b18e9efb7..e97c9b56fc 100644 --- a/ext/phar/phar_internal.h +++ b/ext/phar/phar_internal.h @@ -561,10 +561,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */ { char tmp[MAXPATHLEN]; int tmp_len; + size_t len; - tmp_len = entry->filename_len + entry->phar->fname_len; - memcpy(tmp, entry->phar->fname, entry->phar->fname_len); - memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len); + tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len); + len = MIN(entry->phar->fname_len, tmp_len); + memcpy(tmp, entry->phar->fname, len); + len = MIN(tmp_len - len, entry->filename_len); + memcpy(tmp + entry->phar->fname_len, entry->filename, len); entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len); } /* }}} */ diff --git a/ext/phar/tests/bug69441.phar b/ext/phar/tests/bug69441.phar Binary files differnew file mode 100644 index 0000000000..80956dce7c --- /dev/null +++ b/ext/phar/tests/bug69441.phar diff --git a/ext/phar/tests/bug69441.phpt b/ext/phar/tests/bug69441.phpt new file mode 100644 index 0000000000..ed461cf1f9 --- /dev/null +++ b/ext/phar/tests/bug69441.phpt @@ -0,0 +1,21 @@ +--TEST-- +Phar: bug #69441: Buffer Overflow when parsing tar/zip/phar in phar_set_inode +--SKIPIF-- +<?php if (!extension_loaded("phar")) die("skip"); ?> +--FILE-- +<?php +$fname = dirname(__FILE__) . '/bug69441.phar'; +try { +$r = new Phar($fname, 0); +} catch(UnexpectedValueException $e) { + echo $e; +} +?> + +==DONE== +--EXPECTF-- +exception 'UnexpectedValueException' with message 'phar error: corrupted central directory entry, no magic signature in zip-based phar "%s/bug69441.phar"' in %s/bug69441.php:%d +Stack trace: +#0 %s/bug69441.php(%d): Phar->__construct('%s', 0) +#1 {main} +==DONE==
\ No newline at end of file |