-
-
Save smalyshev/b25cec8cc6f724305300 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit 3e88d610e54dac75a374af9e8501f02da67e4466 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sat Jul 4 23:47:48 2015 -0700 | |
Fix bug #69923 - Buffer overflow and stack smashing error in phar_fix_filepath | |
diff --git a/ext/phar/phar.c b/ext/phar/phar.c | |
index 223bfe8..ba73462 100644 | |
--- a/ext/phar/phar.c | |
+++ b/ext/phar/phar.c | |
@@ -2142,7 +2142,7 @@ char *tsrm_strtok_r(char *s, const char *delim, char **last) /* {{{ */ | |
*/ | |
char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ */ | |
{ | |
- char newpath[MAXPATHLEN]; | |
+ char *newpath; | |
int newpath_len; | |
char *ptr; | |
char *tok; | |
@@ -2150,8 +2150,10 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ | |
if (PHAR_G(cwd_len) && use_cwd && path_length > 2 && path[0] == '.' && path[1] == '/') { | |
newpath_len = PHAR_G(cwd_len); | |
+ newpath = emalloc(strlen(path) + newpath_len + 1); | |
memcpy(newpath, PHAR_G(cwd), newpath_len); | |
} else { | |
+ newpath = emalloc(strlen(path) + 2); | |
newpath[0] = '/'; | |
newpath_len = 1; | |
} | |
@@ -2174,6 +2176,7 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ | |
if (*tok == '.') { | |
efree(path); | |
*new_len = 1; | |
+ efree(newpath); | |
return estrndup("/", 1); | |
} | |
break; | |
@@ -2181,9 +2184,11 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ | |
if (tok[0] == '.' && tok[1] == '.') { | |
efree(path); | |
*new_len = 1; | |
+ efree(newpath); | |
return estrndup("/", 1); | |
} | |
} | |
+ efree(newpath); | |
return path; | |
} | |
@@ -2232,7 +2237,8 @@ last_time: | |
efree(path); | |
*new_len = newpath_len; | |
- return estrndup(newpath, newpath_len); | |
+ newpath[newpath_len] = '\0'; | |
+ return erealloc(newpath, newpath_len + 1); | |
} | |
/* }}} */ | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment