Patch cleanup for 5.6.5

From 6dedeb40db13971af45276f80b5375030aa7e76f Mon Sep 17 00:00:00 2001

From: Stanislav Malyshev <stas@php.net>

Date: Sat, 4 Jul 2015 23:47:48 -0700

Subject: [PATCH] Fix bug #69923 - Buffer overflow and stack smashing error in

 phar_fix_filepath

---

 ext/phar/phar.c | 10 ++++++++--

 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/ext/phar/phar.c b/ext/phar/phar.c

index 223bfe8..ba73462 100644

--- a/ext/phar/phar.c

+++ b/ext/phar/phar.c

@@ -2118,7 +2118,7 @@ char *tsrm_strtok_r(char *s, const char *delim, char **last) /* {{{ */

  */

 char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ */

 {

-	char newpath[MAXPATHLEN];

+	char *newpath;

 	int newpath_len;

 	char *ptr;

 	char *tok;

@@ -2126,8 +2126,10 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{

 	if (PHAR_G(cwd_len) && use_cwd && path_length > 2 && path[0] == '.' && path[1] == '/') {

 		newpath_len = PHAR_G(cwd_len);

+		newpath = emalloc(strlen(path) + newpath_len + 1);

 		memcpy(newpath, PHAR_G(cwd), newpath_len);

 	} else {

+		newpath = emalloc(strlen(path) + 2);

 		newpath[0] = '/';

 		newpath_len = 1;

 	}

@@ -2150,6 +2152,7 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{

 				if (*tok == '.') {

 					efree(path);

 					*new_len = 1;

+					efree(newpath);

 					return estrndup("/", 1);

 				}

 				break;

@@ -2157,9 +2160,11 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{

 				if (tok[0] == '.' && tok[1] == '.') {

 					efree(path);

 					*new_len = 1;

+					efree(newpath);

 					return estrndup("/", 1);

 				}

 		}

+		efree(newpath);

 		return path;

 	}

@@ -2208,7 +2213,8 @@ last_time:

 	efree(path);

 	*new_len = newpath_len;

-	return estrndup(newpath, newpath_len);

+	newpath[newpath_len] = '\0';

+	return erealloc(newpath, newpath_len + 1);

 }

 /* }}} */

-- 

2.1.4