authorStanislav Malyshev <stas@php.net>2016-09-12 21:10:34 -0700
committerStanislav Malyshev <stas@php.net>2016-09-12 21:10:34 -0700
commitdad0e9d1a3ad97a9c22201523e703c8741a6b0b2 (patch)
tree735a5c95d9936f6ab8bf61d22053de485cdf3364 /ext/phar
parentcaea2c876b4302b9fb1b12bfa755e064ec199e68 (diff)
parent07c6bdb85d3efe21598ebb8af6fcebceb9d486e9 (diff)
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0: (22 commits) Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields I don't think 8cceb012a7aabf3c36ab7c2724a436f976cdd165 is needed Fix test Add check in fgetcsv in case sizeof(unit) != sizeof(size_t) Fix bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c Fix bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile) Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction Fix bug #73029 - Missing type check when unserializing SplArray Fix bug #72860: wddx_deserialize use-after-free Fix bug #73007: add locale length check Fix bug #72928 - Out of bound when verify signature of zip phar in phar_parse_zipfile sync NEWS Revert "Merge branch 'PHP-5.6' into PHP-7.0" Merge branch 'PHP-5.6' into PHP-7.0 Merge branch 'PHP-5.6' into PHP-7.0 Revert "Revert "Merge branch 'PHP-5.6' into PHP-7.0"" fix version sync NEWS Fix bug #72957 set versions ...
Diffstat (limited to 'ext/phar')
-rw-r--r--ext/phar/tar.c2
-rw-r--r--ext/phar/tests/bug72928.phpt18
-rw-r--r--ext/phar/tests/bug72928.zipbin0 -> 140 bytes
-rw-r--r--ext/phar/tests/bug73035.phpt18
-rw-r--r--ext/phar/tests/bug73035.tarbin0 -> 10240 bytes
-rw-r--r--ext/phar/util.c28
-rw-r--r--ext/phar/zip.c2
7 files changed, 66 insertions, 2 deletions
diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index 8386623b84..b3dfad8be7 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -286,7 +286,7 @@ bail:
}
curloc = php_stream_tell(fp);
read = php_stream_read(fp, buf, size);
- if (read != size) {
+ if (read != size || read <= 8) {
if (error) {
spprintf(error, 4096, "phar error: tar-based phar \"%s\" signature cannot be read", fname);
}
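Review bot: The new bound `read <= 8` in the signature-read check is an unexplained magic number, and the same literal is repeated in the zip.c hunk (`read != entry.uncompressed_filesize || read <= 8`). Presumably 8 is the size of a fixed header that precedes the signature bytes in `buf`, but nothing visible here says so. Once confirmed, a comment such as `/* signature block: 8-byte header followed by signature data; reject blocks that carry no data */`, or a named constant shared by tar.c and zip.c, would let a reader check that later offsets into `buf` stay in bounds. A too-short block also reports "signature cannot be read", the same text as a short read, so the two failures cannot be told apart in logs. The enclosing function starts and ends outside the hunk.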
diff --git a/ext/phar/tests/bug72928.phpt b/ext/phar/tests/bug72928.phpt
new file mode 100644
index 0000000000..8e6a95418c
--- /dev/null
+++ b/ext/phar/tests/bug72928.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Phar: #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile)
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+try {
+$phar = new PharData('bug72928.zip');
+var_dump($phar);
+} catch(UnexpectedValueException $e) {
+ print $e->getMessage()."\n";
+}
+?>
+DONE
+--EXPECTF--
+phar error: signature cannot be read in zip-based phar "%sbug72928.zip"
+DONE
\ No newline at end of file
diff --git a/ext/phar/tests/bug72928.zip b/ext/phar/tests/bug72928.zip
new file mode 100644
index 0000000000..c480c5f537
--- /dev/null
+++ b/ext/phar/tests/bug72928.zip
Binary files differ
diff --git a/ext/phar/tests/bug73035.phpt b/ext/phar/tests/bug73035.phpt
new file mode 100644
index 0000000000..5928428abc
--- /dev/null
+++ b/ext/phar/tests/bug73035.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Phar: #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile)
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+try {
+$phar = new PharData('bug73035.tar');
+var_dump($phar);
+} catch(UnexpectedValueException $e) {
+ print $e->getMessage()."\n";
+}
+?>
+DONE
+--EXPECTF--
+phar error: tar-based phar "%sbug73035.tar" signature cannot be read
+DONE
\ No newline at end of file
diff --git a/ext/phar/tests/bug73035.tar b/ext/phar/tests/bug73035.tar
new file mode 100644
index 0000000000..d8e426866b
--- /dev/null
+++ b/ext/phar/tests/bug73035.tar
Binary files differ
diff --git a/ext/phar/util.c b/ext/phar/util.c
index e8e2b57b5d..2ab5340ee3 100644
--- a/ext/phar/util.c
+++ b/ext/phar/util.c
@@ -1603,6 +1603,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
unsigned char digest[64];
PHP_SHA512_CTX context;
+ if (sig_len < sizeof(digest)) {
+ if (error) {
+ spprintf(error, 0, "broken signature");
+ }
+ return FAILURE;
+ }
+
PHP_SHA512Init(&context);
read_len = end_of_phar;
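Review bot: The added guard `if (sig_len < sizeof(digest))` rejects only signatures that are too short; a hash signature longer than the digest still passes, and its trailing bytes are presumably ignored by the comparison that follows outside the hunk. If no phar writer emits padded hash signatures (to be confirmed), an exact match is stricter: `if (sig_len != sizeof(digest)) {`. The same guard is repeated in the SHA-256, SHA-1 and MD5 hunks below, so the point applies to all four. Neither added .phpt expects the "broken signature" message, so these new branches appear to have no regression test in this commit.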
@@ -1636,6 +1643,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
unsigned char digest[32];
PHP_SHA256_CTX context;
+ if (sig_len < sizeof(digest)) {
+ if (error) {
+ spprintf(error, 0, "broken signature");
+ }
+ return FAILURE;
+ }
+
PHP_SHA256Init(&context);
read_len = end_of_phar;
@@ -1677,6 +1691,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
unsigned char digest[20];
PHP_SHA1_CTX context;
+ if (sig_len < sizeof(digest)) {
+ if (error) {
+ spprintf(error, 0, "broken signature");
+ }
+ return FAILURE;
+ }
+
PHP_SHA1Init(&context);
read_len = end_of_phar;
@@ -1710,6 +1731,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
unsigned char digest[16];
PHP_MD5_CTX context;
+ if (sig_len < sizeof(digest)) {
+ if (error) {
+ spprintf(error, 0, "broken signature");
+ }
+ return FAILURE;
+ }
+
PHP_MD5Init(&context);
read_len = end_of_phar;
diff --git a/ext/phar/zip.c b/ext/phar/zip.c
index 18e47aaa16..c841fa1c9c 100644
--- a/ext/phar/zip.c
+++ b/ext/phar/zip.c
@@ -417,7 +417,7 @@ foundit:
php_stream_seek(fp, sizeof(phar_zip_file_header) + entry.header_offset + entry.filename_len + PHAR_GET_16(zipentry.extra_len), SEEK_SET);
sig = (char *) emalloc(entry.uncompressed_filesize);
read = php_stream_read(fp, sig, entry.uncompressed_filesize);
- if (read != entry.uncompressed_filesize) {
+ if (read != entry.uncompressed_filesize || read <= 8) {
php_stream_close(sigfile);
efree(sig);
PHAR_ZIP_FAIL("signature cannot be read");
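Review bot: The minimum-length test runs only after `emalloc(entry.uncompressed_filesize)` and the read, so a signature entry that declares 8 bytes or fewer is still allocated and read before it is rejected. The allocation size is taken straight from the archive entry, and no upper bound is visible in the hunk. Checking the declared size ahead of the `emalloc`, e.g. `if (entry.uncompressed_filesize <= 8) { php_stream_close(sigfile); PHAR_ZIP_FAIL("signature cannot be read"); }`, keeps that failure path free of the buffer. A sane maximum for a signature entry would also bound memory use when parsing untrusted archives. The enclosing block starts and ends outside the hunk.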