Merge branch 'PHP-7.3' into PHP-7.4
* PHP-7.3: Fix bug #77586 - phar_tar_writeheaders_int() buffer overflow
commit
071e18c697
@ -764,7 +764,12 @@ static int phar_tar_writeheaders_int(phar_entry_info *entry, void *argument) /*
|
||||
header.typeflag = entry->tar_type;
|
||||
|
||||
if (entry->link) {
|
||||
strncpy(header.linkname, entry->link, strlen(entry->link));
|
||||
if (strlcpy(header.linkname, entry->link, sizeof(header.linkname)) >= sizeof(header.linkname)) {
|
||||
if (fp->error) {
|
||||
spprintf(fp->error, 4096, "tar-based phar \"%s\" cannot be created, link \"%s\" is too long for format", entry->phar->fname, entry->link);
|
||||
}
|
||||
return ZEND_HASH_APPLY_STOP;
|
||||
}
|
||||
}
|
||||
|
||||
strncpy(header.magic, "ustar", sizeof("ustar")-1);
|
||||
|
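Review bot: The new length check on `header.linkname` has no comment explaining why a link of exactly `sizeof(header.linkname)` bytes is refused. The `>=` comparison on the strlcpy() result rejects any link that does not fit together with its terminating NUL, which matches the "less than 100 bytes" rule in the bug77586 test title. A one-line comment above the `if`, such as `/* linkname is a fixed-size tar header field; refuse links that do not fit with a trailing NUL instead of truncating */`, would discourage a later edit from going back to a copy bounded by the source length, like the removed strncpy(). When `fp->error` is NULL the function stops without recording any message, so the caller presumably has to detect the aborted iteration another way. That cannot be confirmed here, because phar_tar_writeheaders_int() begins and ends outside the hunk.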
@ -13,5 +13,6 @@ DONE
|
||||
<?php
|
||||
@unlink(__DIR__."/bug71488.test");
|
||||
?>
|
||||
--EXPECT--
|
||||
DONE
|
||||
--EXPECTF--
|
||||
Fatal error: Uncaught BadMethodCallException: tar-based phar "%s/bug71488.test" cannot be created, link "%s" is too long for format in %sbug71488.php:%d
|
||||
Stack trace:%A
|
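--- a/ext/phar/tests/bug77586.phpt
+++ b/ext/phar/tests/bug77586.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #77586 Symbolic link names in tar-formatted phar must be less than 100 bytes.
+--SKIPIF--
+<?php if (!extension_loaded("phar") || true /* blocked by bug 65332 */) die("skip"); ?>
+--FILE--
+<?php
+$dir = __DIR__."/bug77586";
+$phar = new PharData($dir . "/bug77586.tar");
+$phar->buildFromDirectory($dir . "/files");
+?>
+--CLEAN--
+<?php
+$dir = __DIR__."/bug77586";
+unlink($dir . "/bug77586.tar");
+?>
+--EXPECTF--
+Fatal error: Uncaught PharException: tar-based phar "%s/bug77586.tar" cannot be created, link "%s" is too long for format %s
+Stack trace:
+#0 %s/bug77586.php(%d): PharData->buildFromDirectory('%s')
+#1 {main}
+  thrown in %s/bug77586.php %s on line %d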
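Review bot: The `--SKIPIF--` line always skips because of `|| true /* blocked by bug 65332 */`, so this regression test never runs and the new link-length check is exercised only through the updated bug71488 expectation. Once the blocking bug is resolved the guard should be reduced to `<?php if (!extension_loaded("phar")) die("skip"); ?>`. Until then the comment could say what exactly is blocked, so the skip is not left in place indefinitely. The `--FILE--` section reads from a `bug77586/files` fixture directory that is not shown on this page; it needs to contain a symlink whose target exceeds the tar linkname field for the expected PharException to be reached. `--CLEAN--` calls `unlink()` on the tar file without checking that it exists, which will emit a warning if archive creation is refused before the file is written.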