From a53d67ceac301cbd27c4f0f716d4fbcdb7db3407 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Fri, 11 Dec 2020 16:47:42 +0100 Subject: Fix #77322: PharData::addEmptyDir('/') Possible integer overflow `phar_path_check()` already strips a leading slash, so we must not attempt to strip the trailing slash from an now empty directory name. Closes GH-6508. --- NEWS | 4 +++- ext/phar/tests/bug77322.phpt | 24 ++++++++++++++++++++++++ ext/phar/util.c | 2 +- 3 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 ext/phar/tests/bug77322.phpt diff --git a/NEWS b/NEWS index 80c3cdd9c7..06781af7db 100644 --- a/NEWS +++ b/NEWS @@ -31,7 +31,9 @@ PHP NEWS - Phar: . Fixed bug #73809 (Phar Zip parse crash - mmap fail). (cmb) - . Fixed #75102 (`PharData` says invalid checksum for valid tar). (cmb) + . Fixed bug #75102 (`PharData` says invalid checksum for valid tar). (cmb) + . Fixed bug #77322 (PharData::addEmptyDir('/') Possible integer overflow). + (cmb) - PDO MySQL: . Fixed bug #80458 (PDOStatement::fetchAll() throws for upsert queries). diff --git a/ext/phar/tests/bug77322.phpt b/ext/phar/tests/bug77322.phpt new file mode 100644 index 0000000000..b9e5ce4dba --- /dev/null +++ b/ext/phar/tests/bug77322.phpt @@ -0,0 +1,24 @@ +--TEST-- +Bug #77322 (PharData::addEmptyDir('/') Possible integer overflow) +--SKIPIF-- + +--FILE-- +addEmptyDir('/'); +var_dump($zip->count()); + +$tar = new PharData(__DIR__ . '/bug77322.tar'); +$tar->addEmptyDir('/'); +var_dump($tar->count()); +?> +--EXPECT-- +int(1) +int(1) +--CLEAN-- + diff --git a/ext/phar/util.c b/ext/phar/util.c index 53982b0f85..354f0dbaac 100644 --- a/ext/phar/util.c +++ b/ext/phar/util.c @@ -567,7 +567,7 @@ phar_entry_data *phar_get_or_create_entry_data(char *fname, size_t fname_len, ch } else { etemp.flags = etemp.old_flags = PHAR_ENT_PERM_DEF_FILE; } - if (is_dir) { + if (is_dir && path_len) { etemp.filename_len--; /* strip trailing / */ path_len--; } -- cgit v1.2.1