php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-04-22 15:38:49 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix int overflows in phar (bug #73764)

Browse Source
This commit is contained in:
Stanislav Malyshev
2016-12-30 15:34:46 -08:00
parent 2ba3b27594
commit ca46d0acbc
3 changed files with 18 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ext/phar/phar.c
+2 -2
View File
@@ -1055,7 +1055,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
entry.is_persistent = mydata->is_persistent;
for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
if (buffer + 4 > endbuffer) {
if (buffer + 24 > endbuffer) {
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
}
@@ -1069,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
entry.manifest_pos = manifest_index;
}
if (entry.filename_len + 20 > endbuffer - buffer) {
if (entry.filename_len > endbuffer - buffer - 20) {
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
}
ext/phar/tests/bug73764.phar
BIN
View File
Binary file not shown.
ext/phar/tests/bug73764.phpt
+16
View File
@@ -0,0 +1,16 @@
--TEST--
Phar: PHP bug #73764: Crash while loading hostile phar archive
--SKIPIF--
<?php if (!extension_loaded("phar")) die("skip"); ?>
--FILE--
<?php
chdir(__DIR__);
try {
$p = Phar::LoadPhar('bug73764.phar', 'alias.phar');
echo "OK\n";
} catch(PharException $e) {
echo $e->getMessage();
}
?>
--EXPECTF--
internal corruption of phar "%sbug73764.phar" (truncated manifest entry)