Merge branch 'PHP-5.4' into PHP-5.5

* PHP-5.4: 5.4.41 next fix CVE num update NEWS Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode) fix type in fix for #69085 fix CVE num Conflicts: configure.in main/php_version.h
2024-09-21 18:07:23 +00:00 · 2015-04-14 00:34:02 -07:00 · 2015-04-14 00:34:02 -07:00 · e21f87e957
commit e21f87e957
parent 100614da27 e10272c628
5 changed files with 33 additions and 9 deletions
--- a/configure.in
+++ b/configure.in
@ -119,8 +119,8 @@ int zend_sprintf(char *buffer, const char *format, ...);

 PHP_MAJOR_VERSION=5
 PHP_MINOR_VERSION=5
-PHP_RELEASE_VERSION=24
-PHP_EXTRA_VERSION="RC1"
+PHP_RELEASE_VERSION=25
+PHP_EXTRA_VERSION="-dev"
 PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
 PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`

--- a/ext/phar/phar_internal.h
+++ b/ext/phar/phar_internal.h
@ -561,10 +561,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */
 {
 	char tmp[MAXPATHLEN];
 	int tmp_len;
+	size_t len;

-	tmp_len = entry->filename_len + entry->phar->fname_len;
-	memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
-	memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
+	tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
+	len = MIN(entry->phar->fname_len, tmp_len);
+	memcpy(tmp, entry->phar->fname, len);
+	len = MIN(tmp_len - len, entry->filename_len);
+	memcpy(tmp + entry->phar->fname_len, entry->filename, len);
 	entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
 }
 /* }}} */
--- a/ext/phar/tests/bug69441.phar
+++ b/ext/phar/tests/bug69441.phar
--- a/ext/phar/tests/bug69441.phpt
+++ b/ext/phar/tests/bug69441.phpt
@ -0,0 +1,21 @@
+--TEST--
+Phar: bug #69441: Buffer Overflow when parsing tar/zip/phar in phar_set_inode
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+$fname = dirname(__FILE__) . '/bug69441.phar';
+try {
+$r = new Phar($fname, 0);
+} catch(UnexpectedValueException $e) {
+	echo $e;
+}
+?>
+
+==DONE==
+--EXPECTF--
+exception 'UnexpectedValueException' with message 'phar error: corrupted central directory entry, no magic signature in zip-based phar "%s/bug69441.phar"' in %s/bug69441.php:%d
+Stack trace:
+#0 %s/bug69441.php(%d): Phar->__construct('%s', 0)
+#1 {main}
+==DONE==
--- a/main/php_version.h
+++ b/main/php_version.h
@ -2,7 +2,7 @@
 /* edit configure.in to change version number */
 #define PHP_MAJOR_VERSION 5
 #define PHP_MINOR_VERSION 5
-#define PHP_RELEASE_VERSION 24
-#define PHP_EXTRA_VERSION "RC1"
-#define PHP_VERSION "5.5.24RC1"
-#define PHP_VERSION_ID 50524
+#define PHP_RELEASE_VERSION 25
+#define PHP_EXTRA_VERSION "-dev"
+#define PHP_VERSION "5.5.25-dev"
+#define PHP_VERSION_ID 50525