-
-
Save smalyshev/853621a4627e19e57f2c to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| commit 4c2424eb24b0178456acc404dbfff528cdc44197 | |
| Author: Stanislav Malyshev <stas@php.net> | |
| Date: Thu Jan 14 22:58:40 2016 -0800 | |
| Fixed bug #71331 - Uninitialized pointer in phar_make_dirstream() | |
| diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c | |
| index 05f37e6..f843501 100644 | |
| --- a/ext/phar/dirstream.c | |
| +++ b/ext/phar/dirstream.c | |
| @@ -198,12 +198,13 @@ static php_stream *phar_make_dirstream(char *dir, HashTable *manifest TSRMLS_DC) | |
| zend_hash_internal_pointer_reset(manifest); | |
| while (FAILURE != zend_hash_has_more_elements(manifest)) { | |
| + keylen = 0; | |
| if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(manifest, &str_key, &keylen, &unused, 0, NULL)) { | |
| break; | |
| } | |
| if (keylen <= (uint)dirlen) { | |
| - if (keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) { | |
| + if (keylen == 0 || keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) { | |
| if (SUCCESS != zend_hash_move_forward(manifest)) { | |
| break; | |
| } | |
| diff --git a/ext/phar/tar.c b/ext/phar/tar.c | |
| index 2eb1a23..5d121cb 100644 | |
| --- a/ext/phar/tar.c | |
| +++ b/ext/phar/tar.c | |
| @@ -348,7 +348,7 @@ bail: | |
| entry.filename_len = entry.uncompressed_filesize; | |
| /* Check for overflow - bug 61065 */ | |
| - if (entry.filename_len == UINT_MAX) { | |
| + if (entry.filename_len == UINT_MAX || entry.filename_len == 0) { | |
| if (error) { | |
| spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname); | |
| } | |
| diff --git a/ext/phar/tests/bug71331.phpt b/ext/phar/tests/bug71331.phpt | |
| new file mode 100644 | |
| index 0000000..106fd54 | |
| --- /dev/null | |
| +++ b/ext/phar/tests/bug71331.phpt | |
| @@ -0,0 +1,15 @@ | |
| +--TEST-- | |
| +Bug #71331 (Uninitialized pointer in phar_make_dirstream()) | |
| +--SKIPIF-- | |
| +<?php if (!extension_loaded("phar")) die("skip"); ?> | |
| +--FILE-- | |
| +<?php | |
| +$p = new PharData(__DIR__."/bug71331.tar"); | |
| +?> | |
| +DONE | |
| +--EXPECTF-- | |
| +Fatal error: Uncaught exception 'UnexpectedValueException' with message 'phar error: "%s/bug71331.tar" is a corrupted tar file (invalid entry size)' in %s/bug71331.php:2 | |
| +Stack trace: | |
| +#0 %s/bug71331.php(2): PharData->__construct('%s') | |
| +#1 {main} | |
| + thrown in %s/bug71331.php on line 2 | |
| \ No newline at end of file | |
| diff --git a/ext/phar/tests/bug71331.tar b/ext/phar/tests/bug71331.tar | |
| new file mode 100644 | |
| index 0000000..14eec28 | |
| Binary files /dev/null and b/ext/phar/tests/bug71331.tar differ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment