Skip to content

Instantly share code, notes, and snippets.

/73768.diff Secret

Created Dec 30, 2016
Embed
What would you like to do?
Patch for 73768
commit b28b8b2fee6dfa6fcd13305c581bb835689ac3be
Author: Stanislav Malyshev <stas@php.net>
Date: Fri Dec 30 15:57:24 2016 -0800
Fix bug #73768 - Memory corruption when loading hostile phar
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 532b4c3..158f417 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -981,7 +981,6 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
/* if the alias is stored we enforce it (implicit overrides explicit) */
if (alias && alias_len && (alias_len != (int)tmp_len || strncmp(alias, buffer, tmp_len)))
{
- buffer[tmp_len] = '\0';
php_stream_close(fp);
if (signature) {
@@ -989,7 +988,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
}
if (error) {
- spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%s\" under different alias \"%s\"", fname, buffer, alias);
+ spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%.*s\" under different alias \"%s\"", fname, tmp_len, buffer, alias);
}
efree(savebuf);
diff --git a/ext/phar/tests/bug73768.phar b/ext/phar/tests/bug73768.phar
new file mode 100644
index 0000000..3f429c2
Binary files /dev/null and b/ext/phar/tests/bug73768.phar differ
diff --git a/ext/phar/tests/bug73768.phpt b/ext/phar/tests/bug73768.phpt
new file mode 100644
index 0000000..37a4da0
--- /dev/null
+++ b/ext/phar/tests/bug73768.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Phar: PHP bug #73768: Memory corruption when loading hostile phar
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+try {
+$p = Phar::LoadPhar('bug73768.phar', 'alias.phar');
+echo "OK\n";
+} catch(PharException $e) {
+ echo $e->getMessage();
+}
+?>
+--EXPECTF--
+cannot load phar "%sbug73768.phar" with implicit alias "" under different alias "alias.phar"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment