Patch for 73764

73764.diff

commit ca46d0acbce55019b970fcd4c1e8a10edfdded93
Author: Stanislav Malyshev <stas@php.net>
Date:   Fri Dec 30 15:34:46 2016 -0800

    Fix int overflows in phar (bug #73764)

diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 14b80e1..532b4c3 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -1055,7 +1055,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 	entry.is_persistent = mydata->is_persistent;
 
 	for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
-		if (buffer + 4 > endbuffer) {
+		if (buffer + 24 > endbuffer) {
 			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
 		}
 
@@ -1069,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 			entry.manifest_pos = manifest_index;
 		}
 
-		if (entry.filename_len + 20 > endbuffer - buffer) {
+		if (entry.filename_len > endbuffer - buffer - 20) {
 			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
 		}
 
diff --git a/ext/phar/tests/bug73764.phar b/ext/phar/tests/bug73764.phar
new file mode 100644
index 0000000..89a5ff6
Binary files /dev/null and b/ext/phar/tests/bug73764.phar differ
diff --git a/ext/phar/tests/bug73764.phpt b/ext/phar/tests/bug73764.phpt
new file mode 100644
index 0000000..cab314a
--- /dev/null
+++ b/ext/phar/tests/bug73764.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Phar: PHP bug #73764: Crash while loading hostile phar archive
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+try {
+$p = Phar::LoadPhar('bug73764.phar', 'alias.phar');
+echo "OK\n";
+} catch(PharException $e) {
+	echo $e->getMessage();
+}
+?>
+--EXPECTF--
+internal corruption of phar "%sbug73764.phar" (truncated manifest entry)
\ No newline at end of file