Patch for 71498
commit a6fdc5bb27b20d889de0cd29318b3968aabb57bd | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sun Feb 21 16:51:05 2016 -0800 | |
Fix bug #71498: Out-of-Bound Read in phar_parse_zipfile() | |
diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt | |
index 05fdd8f..22d2bf0 100644 | |
--- a/ext/phar/tests/bug71488.phpt | |
+++ b/ext/phar/tests/bug71488.phpt | |
@@ -7,6 +7,7 @@ Phar: bug #71488: Stack overflow when decompressing tar archives | |
$p = new PharData(__DIR__."/bug71488.tar"); | |
$newp = $p->decompress("test"); | |
?> | |
+ | |
DONE | |
--CLEAN-- | |
<?php | |
diff --git a/ext/phar/tests/bug71498.phpt b/ext/phar/tests/bug71498.phpt | |
new file mode 100644 | |
index 0000000..de6283c | |
--- /dev/null | |
+++ b/ext/phar/tests/bug71498.phpt | |
@@ -0,0 +1,17 @@ | |
+--TEST-- | |
+Phar: bug #71498: Out-of-Bound Read in phar_parse_zipfile() | |
+--SKIPIF-- | |
+<?php if (!extension_loaded("phar")) die("skip"); ?> | |
+--FILE-- | |
+<?php | |
+try { | |
+$p = new PharData(__DIR__."/bug71498.zip"); | |
+} catch(UnexpectedValueException $e) { | |
+ echo $e->getMessage(); | |
+} | |
+?> | |
+ | |
+DONE | |
+--EXPECTF-- | |
+phar error: end of central directory not found in zip-based phar "%s/bug71498.zip" | |
+DONE | |
\ No newline at end of file | |
diff --git a/ext/phar/tests/bug71498.zip b/ext/phar/tests/bug71498.zip | |
new file mode 100644 | |
index 0000000..ae78dd8 | |
Binary files /dev/null and b/ext/phar/tests/bug71498.zip differ | |
diff --git a/ext/phar/zip.c b/ext/phar/zip.c | |
index e4883d3..7f294c2 100644 | |
--- a/ext/phar/zip.c | |
+++ b/ext/phar/zip.c | |
@@ -159,7 +159,7 @@ static void phar_zip_u2d_time(time_t time, char *dtime, char *ddate) /* {{{ */ | |
* | |
* Parse a new one and add it to the cache, returning either SUCCESS or | |
* FAILURE, and setting pphar to the pointer to the manifest entry | |
- * | |
+ * | |
* This is used by phar_open_from_fp to process a zip-based phar, but can be called | |
* directly. | |
*/ | |
@@ -199,7 +199,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias, | |
} | |
while ((p=(char *) memchr(p + 1, 'P', (size_t) (size - (p + 1 - buf)))) != NULL) { | |
- if (!memcmp(p + 1, "K\5\6", 3)) { | |
+ if ((p - buf) + sizeof(locator) <= size && !memcmp(p + 1, "K\5\6", 3)) { | |
memcpy((void *)&locator, (void *) p, sizeof(locator)); | |
if (PHAR_GET_16(locator.centraldisk) != 0 || PHAR_GET_16(locator.disknumber) != 0) { | |
/* split archives not handled */ | |
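Review bot: The new guard on the `K\5\6` test adds a signed pointer difference to `sizeof(locator)` and compares the sum against `size`, whose declaration is outside this hunk; the `(size_t)` cast on the `memchr` line suggests `size` is a signed type, so the comparison relies on implicit conversion to unsigned. Writing the conversion out, `if ((size_t)(p - buf) + sizeof(locator) <= (size_t)size && !memcmp(p + 1, "K\5\6", 3)) {`, keeps the bound from depending on promotion rules. A short comment above it, such as `/* a full end-of-central-directory record must fit in the bytes read before it is copied */`, would record that the `memcpy` of `sizeof(locator)` bytes is the read being protected. Once fewer than `sizeof(locator)` bytes remain no later match can pass the check either, so the loop could `break` there instead of scanning on. The body of phar_parse_zipfile starts and ends outside the hunk.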
@@ -1161,7 +1161,7 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, long len, int defau | |
static const char newstub[] = "<?php // zip-based phar archive stub file\n__HALT_COMPILER();"; | |
char halt_stub[] = "__HALT_COMPILER();"; | |
char *tmp; | |
- | |
+ | |
php_stream *stubfile, *oldfile; | |
php_serialize_data_t metadata_hash; | |
int free_user_stub, closeoldfile = 0; |