|
 |
30ceb2 |
From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001
|
|
|
30ceb2 |
From: Stanislav Malyshev <stas@php.net>
|
|
|
30ceb2 |
Date: Tue, 14 Apr 2015 00:03:50 -0700
|
|
|
30ceb2 |
Subject: [PATCH] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in
|
|
|
30ceb2 |
phar_set_inode)
|
|
|
30ceb2 |
|
|
|
30ceb2 |
---
|
|
|
30ceb2 |
ext/phar/phar_internal.h | 9 ++++++---
|
|
|
30ceb2 |
ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes
|
|
|
30ceb2 |
ext/phar/tests/bug69441.phpt | 21 +++++++++++++++++++++
|
|
|
30ceb2 |
3 files changed, 27 insertions(+), 3 deletions(-)
|
|
|
30ceb2 |
create mode 100644 ext/phar/tests/bug69441.phar
|
|
|
30ceb2 |
create mode 100644 ext/phar/tests/bug69441.phpt
|
|
|
30ceb2 |
|
|
|
30ceb2 |
diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
|
|
|
30ceb2 |
index fcfc864..84282d2 100644
|
|
|
30ceb2 |
--- a/ext/phar/phar_internal.h
|
|
|
30ceb2 |
+++ b/ext/phar/phar_internal.h
|
|
|
30ceb2 |
@@ -559,10 +559,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */
|
|
|
30ceb2 |
{
|
|
|
30ceb2 |
char tmp[MAXPATHLEN];
|
|
|
30ceb2 |
int tmp_len;
|
|
|
30ceb2 |
+ size_t len;
|
|
|
30ceb2 |
|
|
|
30ceb2 |
- tmp_len = entry->filename_len + entry->phar->fname_len;
|
|
|
30ceb2 |
- memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
|
|
|
30ceb2 |
- memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
|
|
|
30ceb2 |
+ tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
|
|
|
30ceb2 |
+ len = MIN(entry->phar->fname_len, tmp_len);
|
|
|
30ceb2 |
+ memcpy(tmp, entry->phar->fname, len);
|
|
|
30ceb2 |
+ len = MIN(tmp_len - len, entry->filename_len);
|
|
|
30ceb2 |
+ memcpy(tmp + entry->phar->fname_len, entry->filename, len);
|
|
|
30ceb2 |
entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
|
|
|
30ceb2 |
}
|
|
|
30ceb2 |
/* }}} */
|
|
|
30ceb2 |
--
|
|
|
30ceb2 |
2.1.4
|
|
|
30ceb2 |
|