diff options
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | ext/phar/tests/bug73809.phpt | 30 | ||||
| -rw-r--r-- | ext/phar/zip.c | 7 |
3 files changed, 39 insertions, 1 deletions
@@ -24,6 +24,9 @@ PHP NEWS . Fixed bug #80368 (OpenSSL extension fails to build against LibreSSL due to lack of OCB support). (Nikita) +- Phar: + . Fixed bug #73809 (Phar Zip parse crash - mmap fail). (cmb) + - Phpdbg: . Fixed bug #76813 (Access violation near NULL on source operand). (cmb) diff --git a/ext/phar/tests/bug73809.phpt b/ext/phar/tests/bug73809.phpt new file mode 100644 index 0000000000..5356db8aaa --- /dev/null +++ b/ext/phar/tests/bug73809.phpt @@ -0,0 +1,30 @@ +--TEST-- +Bug #73809 (Phar Zip parse crash - mmap fail) +--SKIPIF-- +<?php +if (!extension_loaded('phar')) die('skip phar extension not available'); +if (!extension_loaded('zip')) die('skip zip extension not available'); +?> +--FILE-- +<?php +// create the ZIP to be tested +$zip = new ZipArchive; +$zip->open(__DIR__ . '/73809.zip', ZipArchive::CREATE); +$zip->addFromString('73809.txt', 'yada yada'); +$zip->addFromString('.phar/signature.bin', str_repeat('*', 64 * 1024 + 1)); +$zip->setCompressionName('.phar/signature.bin', ZipArchive::CM_STORE); +var_dump($zip->close()); + +try { + $phar = new PharData(__DIR__ . '/73809.zip'); +} catch (Exception $ex) { + echo $ex->getMessage(), PHP_EOL; +} +?> +--CLEAN-- +<?php +@unlink(__DIR__ . '/73809.zip'); +?> +--EXPECTF-- +bool(true) +phar error: signatures larger than 64 KiB are not supported in zip-based phar "%s" diff --git a/ext/phar/zip.c b/ext/phar/zip.c index b241c0589b..0bf873aff1 100644 --- a/ext/phar/zip.c +++ b/ext/phar/zip.c @@ -405,8 +405,13 @@ foundit: char *sig; size_t sig_len; - php_stream_tell(fp); pefree(entry.filename, entry.is_persistent); + + if (entry.uncompressed_filesize > 0x10000) { + PHAR_ZIP_FAIL("signatures larger than 64 KiB are not supported"); + } + + php_stream_tell(fp); sigfile = php_stream_fopen_tmpfile(); if (!sigfile) { PHAR_ZIP_FAIL("couldn't open temporary file"); |