73764.diff
Created Dec 30, 2016

Patch for 73764
commit ca46d0acbce55019b970fcd4c1e8a10edfdded93
Author: Stanislav Malyshev <stas@php.net>
Date: Fri Dec 30 15:34:46 2016 -0800
Fix int overflows in phar (bug #73764)
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 14b80e1..532b4c3 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -1055,7 +1055,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
entry.is_persistent = mydata->is_persistent;
for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
- if (buffer + 4 > endbuffer) {
+ if (buffer + 24 > endbuffer) {
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
}
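Review bot: the widened check `buffer + 24 > endbuffer` is still expressed as pointer arithmetic on `buffer`, and forming a pointer more than one element past the end of the manifest buffer is undefined behaviour in C, so a compiler is free to fold the comparison; the following hunk already works with `endbuffer - buffer` as a length, and the same bound is safer written that way, e.g. `if (endbuffer - buffer < 24) {`. A short comment saying where 24 comes from would also help, since it reads as a magic number next to the `20` used a few lines later; if it is the 4-byte filename length plus the 20 bytes of fixed fields that the next check guards, say so. Minor style point: this `MAPPHAR_FAIL(...)` has no trailing semicolon while the same macro call in the next hunk does.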
@@ -1069,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
entry.manifest_pos = manifest_index;
}
- if (entry.filename_len + 20 > endbuffer - buffer) {
+ if (entry.filename_len > endbuffer - buffer - 20) {
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
}
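Review bot: moving the constant to the right-hand side, `entry.filename_len > endbuffer - buffer - 20`, removes the addition that could overflow for a hostile `filename_len`, but the rewritten bound is only correct if at least 20 bytes remain when it runs; otherwise `endbuffer - buffer - 20` goes negative and, if `filename_len` is an unsigned type, the usual arithmetic conversions can turn that negative value into a large unsigned one and the truncation check silently passes. The 24-byte check at the top of the loop body in the previous hunk appears to be what establishes that invariant, but the two checks are separated by code not shown here and nothing ties them together; a one-line comment such as `/* the 24-byte check above guarantees this cannot underflow */` would stop a later edit to either check from reintroducing the problem.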
diff --git a/ext/phar/tests/bug73764.phar b/ext/phar/tests/bug73764.phar
new file mode 100644
index 0000000..89a5ff6
Binary files /dev/null and b/ext/phar/tests/bug73764.phar differ
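Review bot: `bug73764.phar` is added as an opaque binary fixture, so a reviewer cannot see which manifest field carries the out-of-range value that triggered the original crash; a sentence in the commit message or a comment in the accompanying test stating how the fixture was built would let maintainers regenerate it if the phar format or the test harness changes.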
diff --git a/ext/phar/tests/bug73764.phpt b/ext/phar/tests/bug73764.phpt
new file mode 100644
index 0000000..cab314a
--- /dev/null
+++ b/ext/phar/tests/bug73764.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Phar: PHP bug #73764: Crash while loading hostile phar archive
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+try {
+$p = Phar::LoadPhar('bug73764.phar', 'alias.phar');
+echo "OK\n";
+} catch(PharException $e) {
+ echo $e->getMessage();
+}
+?>
+--EXPECTF--
+internal corruption of phar "%sbug73764.phar" (truncated manifest entry)
\ No newline at end of file
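Review bot: inside the `try {` block the `$p = Phar::LoadPhar(...)` and `echo "OK\n";` lines are not indented while `echo $e->getMessage();` in the `catch` block is; indent both blocks consistently. `Phar::LoadPhar` also differs in case from the documented `Phar::loadPhar`; PHP resolves method names case-insensitively, so it works, but the canonical spelling is clearer in a regression test. The file is also committed without a trailing newline (`\ No newline at end of file`); add one so the `--EXPECTF--` section ends cleanly.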