
Fix stack underflow in phar

The checks can issue reads below and above the temporary buffer. A read
itself doesn't seem dangerous, but the condition result can be
arbitrary. Such reads have to be avoided. Likely this patch should be
backported.

(cherry picked from commit b053beee7e)
Anatol Belski
2018-08-06 22:35:11 +02:00
parent c1729272b1
commit 7fb7869e13


@@ -1832,27 +1832,24 @@ static int phar_analyze_path(const char *fname, const char *ext, int ext_len, in
/* check for ".phar" in extension */
static int phar_check_str(const char *fname, const char *ext_str, int ext_len, int executable, int for_create) /* {{{ */
{
char test[51];
const char *pos;
if (ext_len < 0 || ext_len >= 50) {
return FAILURE;
}
if (executable == 1) {
/* copy "." as well */
memcpy(test, ext_str - 1, ext_len + 1);
test[ext_len + 1] = '\0';
/* executable phars must contain ".phar" as a valid extension (phar://.pharmy/oops is invalid) */
/* (phar://hi/there/.phar/oops is also invalid) */
pos = strstr(test, ".phar");
pos = strstr(ext_str, ".phar");
if (pos && (*(pos - 1) != '/')
&& (pos += 5) && (*pos == '\0' || *pos == '/' || *pos == '.')) {
return phar_analyze_path(fname, ext_str, ext_len, for_create);
} else {
if (!pos
|| pos != ext_str && (*(pos - 1) == '/')
|| (ext_len - (pos - ext_str)) < 5
|| !(pos += 5)
|| !(*pos == '\0' || *pos == '/' || *pos == '.')) {
return FAILURE;
}
return phar_analyze_path(fname, ext_str, ext_len, for_create);
}
/* data phars need only contain a single non-"." to be valid */
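Review bot: The new rejection condition in phar_check_str is hard to audit for a bounds check: `pos != ext_str && (*(pos - 1) == '/')` sits unparenthesised inside an `||` chain, and `!(pos += 5)` is a pointer advance written as a test that can never be true for a non-null `pos`. Since the order of these clauses is what keeps `*(pos - 1)` and `*pos` inside the string, I would parenthesise the `&&` term, move the advance out of the condition, and add a short comment naming the guard for each read. Note also that `strstr` now scans the caller's string up to its NUL rather than a copy cut at `ext_len`, so the final character test reads whatever byte follows the extension in `ext_str`; presumably that is always `'\0'` or `'/'`, but this should be confirmed against the callers. The function body continues past the end of this hunk.

```c
pos = strstr(ext_str, ".phar");
/* reject: no match, match directly after '/', or match running past ext_len */
if (!pos
	|| (pos != ext_str && *(pos - 1) == '/')
	|| (ext_len - (pos - ext_str)) < 5) {
	return FAILURE;
}
/* safe to advance: the five matched bytes lie inside ext_len */
pos += 5;
if (!(*pos == '\0' || *pos == '/' || *pos == '.')) {
	return FAILURE;
}
return phar_analyze_path(fname, ext_str, ext_len, for_create);
```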