
/71498.diff Secret

Created February 22, 2016 00:52
Patch for 71498
commit a6fdc5bb27b20d889de0cd29318b3968aabb57bd
Author: Stanislav Malyshev <stas@php.net>
Date: Sun Feb 21 16:51:05 2016 -0800
Fix bug #71498: Out-of-Bound Read in phar_parse_zipfile()
diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt
index 05fdd8f..22d2bf0 100644
--- a/ext/phar/tests/bug71488.phpt
+++ b/ext/phar/tests/bug71488.phpt
@@ -7,6 +7,7 @@ Phar: bug #71488: Stack overflow when decompressing tar archives
$p = new PharData(__DIR__."/bug71488.tar");
$newp = $p->decompress("test");
?>
+
DONE
--CLEAN--
<?php
diff --git a/ext/phar/tests/bug71498.phpt b/ext/phar/tests/bug71498.phpt
new file mode 100644
index 0000000..de6283c
--- /dev/null
+++ b/ext/phar/tests/bug71498.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Phar: bug #71498: Out-of-Bound Read in phar_parse_zipfile()
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+try {
+$p = new PharData(__DIR__."/bug71498.zip");
+} catch(UnexpectedValueException $e) {
+ echo $e->getMessage();
+}
+?>
+
+DONE
+--EXPECTF--
+phar error: end of central directory not found in zip-based phar "%s/bug71498.zip"
+DONE
\ No newline at end of file
diff --git a/ext/phar/tests/bug71498.zip b/ext/phar/tests/bug71498.zip
new file mode 100644
index 0000000..ae78dd8
Binary files /dev/null and b/ext/phar/tests/bug71498.zip differ
diff --git a/ext/phar/zip.c b/ext/phar/zip.c
index e4883d3..7f294c2 100644
--- a/ext/phar/zip.c
+++ b/ext/phar/zip.c
@@ -159,7 +159,7 @@ static void phar_zip_u2d_time(time_t time, char *dtime, char *ddate) /* {{{ */
*
* Parse a new one and add it to the cache, returning either SUCCESS or
* FAILURE, and setting pphar to the pointer to the manifest entry
- *
+ *
* This is used by phar_open_from_fp to process a zip-based phar, but can be called
* directly.
*/
@@ -199,7 +199,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
}
while ((p=(char *) memchr(p + 1, 'P', (size_t) (size - (p + 1 - buf)))) != NULL) {
- if (!memcmp(p + 1, "K\5\6", 3)) {
+ if ((p - buf) + sizeof(locator) <= size && !memcmp(p + 1, "K\5\6", 3)) {
memcpy((void *)&locator, (void *) p, sizeof(locator));
if (PHAR_GET_16(locator.centraldisk) != 0 || PHAR_GET_16(locator.disknumber) != 0) {
/* split archives not handled */
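Review bot: The new guard in the `if` mixes the pointer difference `p - buf`, `sizeof(locator)` and `size` in one comparison, so the whole test is evaluated as unsigned; if `size` is a signed type (its declaration is outside the hunk), a negative or error value would convert to a very large number and the guard would pass, letting the `memcpy` read past the data. It is worth confirming that `size` is checked as positive, and that it reflects the bytes actually read into `buf`, before the loop, and making the conversion explicit with `(size_t)(p - buf) + sizeof(locator) <= (size_t)size`. A one-line comment above the test, such as `/* a complete end-of-central-directory record must fit in the bytes read before it is copied */`, would record why the length check precedes the signature compare. The body of phar_parse_zipfile starts and continues outside this hunk, so any later use of length fields taken from `locator` cannot be judged from here.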
@@ -1161,7 +1161,7 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, long len, int defau
static const char newstub[] = "<?php // zip-based phar archive stub file\n__HALT_COMPILER();";
char halt_stub[] = "__HALT_COMPILER();";
char *tmp;
-
+
php_stream *stubfile, *oldfile;
php_serialize_data_t metadata_hash;
int free_user_stub, closeoldfile = 0;