@smalyshev

smalyshev/71354.diff Secret

Created Jan 14, 2016
commit 13ad4d3e971807f9a58ab5933182907dc2958539
Author: Stanislav Malyshev <stas@php.net>
Date: Wed Jan 13 16:32:29 2016 -0800
Fix bug #71354 - remove UMR when size is 0
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 6d25509..e21a982 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -4884,6 +4884,7 @@ PHP_METHOD(PharFileInfo, getContent)
phar_seek_efp(link, 0, SEEK_SET, 0, 0 TSRMLS_CC);
Z_TYPE_P(return_value) = IS_STRING;
+ Z_STRVAL_P(return_value) = NULL;
Z_STRLEN_P(return_value) = php_stream_copy_to_mem(fp, &(Z_STRVAL_P(return_value)), link->uncompressed_filesize, 0);
if (!Z_STRVAL_P(return_value)) {
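Review bot: The added `Z_STRVAL_P(return_value) = NULL;` carries no comment, and on its own it reads as redundant because the next statement passes `&(Z_STRVAL_P(return_value))` as the output buffer. Going by the commit message, the pointer is left unwritten when the size is 0, so the `if (!Z_STRVAL_P(return_value))` check that follows only behaves predictably because of this initial NULL. Please add a one-line comment saying so, so the assignment is not removed later as dead code. It is also worth checking whether other callers of php_stream_copy_to_mem pass an uninitialized pointer and test it afterwards in the same way.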
diff --git a/ext/phar/tests/bug71354.phpt b/ext/phar/tests/bug71354.phpt
new file mode 100644
index 0000000..43230f1
--- /dev/null
+++ b/ext/phar/tests/bug71354.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Phar: bug #71354: Heap corruption in tar/zip/phar parser.
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+$p = new PharData(__DIR__."/bug71354.tar");
+var_dump($p['aaaa']->getContent());
+?>
+DONE
+--EXPECT--
+string(0) ""
+DONE
\ No newline at end of file
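Review bot: The `--TEST--` title ("Heap corruption in tar/zip/phar parser") does not match what the test exercises: it opens one tar archive and calls getContent() on the `aaaa` entry, and the commit message describes an uninitialized read when the size is 0. Retitle it to name PharFileInfo::getContent() on a zero-size entry so a future failure points at the right code. The file also ends without a trailing newline after `DONE` in the `--EXPECT--` section; add one to keep it consistent with the rest of the test suite.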
diff --git a/ext/phar/tests/bug71354.tar b/ext/phar/tests/bug71354.tar
new file mode 100644
index 0000000..b0bd992
Binary files /dev/null and b/ext/phar/tests/bug71354.tar differ
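Review bot: The `bug71354.tar` fixture is an opaque binary, so nothing in this diff shows what the `aaaa` entry contains or why it triggers the zero-size path. Please describe the fixture in the .phpt (for example in a comment in the `--FILE--` section: which header fields are set and what size the entry declares) so the test can be understood and the archive regenerated if needed.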