Blame SOURCES/php-5.6.5-CVE-2015-3329.patch

f90754
From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001
f90754
From: Stanislav Malyshev <stas@php.net>
f90754
Date: Tue, 14 Apr 2015 00:03:50 -0700
f90754
Subject: [PATCH] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in
f90754
 phar_set_inode)
f90754
f90754
---
f90754
 ext/phar/phar_internal.h     |   9 ++++++---
f90754
 ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes
f90754
 ext/phar/tests/bug69441.phpt |  21 +++++++++++++++++++++
f90754
 3 files changed, 27 insertions(+), 3 deletions(-)
f90754
 create mode 100644 ext/phar/tests/bug69441.phar
f90754
 create mode 100644 ext/phar/tests/bug69441.phpt
f90754
f90754
diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
f90754
index fcfc864..84282d2 100644
f90754
--- a/ext/phar/phar_internal.h
f90754
+++ b/ext/phar/phar_internal.h
f90754
@@ -534,10 +534,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */
f90754
 {
f90754
 	char tmp[MAXPATHLEN];
f90754
 	int tmp_len;
f90754
+	size_t len;
f90754
 
f90754
-	tmp_len = entry->filename_len + entry->phar->fname_len;
f90754
-	memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
f90754
-	memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
f90754
+	tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
f90754
+	len = MIN(entry->phar->fname_len, tmp_len);
f90754
+	memcpy(tmp, entry->phar->fname, len);
f90754
+	len = MIN(tmp_len - len, entry->filename_len);
f90754
+	memcpy(tmp + entry->phar->fname_len, entry->filename, len);
f90754
 	entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
f90754
 }
f90754
 /* }}} */
f90754
-- 
f90754
2.1.4
f90754