mirror of
https://github.com/php/php-src.git
synced 2024-09-22 10:27:25 +00:00
Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode)
This commit is contained in:
parent
45facd15fb
commit
f59b67ae50
@ -618,10 +618,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */
|
|||||||
{
|
{
|
||||||
char tmp[MAXPATHLEN];
|
char tmp[MAXPATHLEN];
|
||||||
int tmp_len;
|
int tmp_len;
|
||||||
|
size_t len;
|
||||||
|
|
||||||
tmp_len = entry->filename_len + entry->phar->fname_len;
|
tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
|
||||||
memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
|
len = MIN(entry->phar->fname_len, tmp_len);
|
||||||
memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
|
memcpy(tmp, entry->phar->fname, len);
|
||||||
|
len = MIN(tmp_len - len, entry->filename_len);
|
||||||
|
memcpy(tmp + entry->phar->fname_len, entry->filename, len);
|
||||||
entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
|
entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
|
||||||
}
|
}
|
||||||
/* }}} */
|
/* }}} */
|
||||||
|
BIN
ext/phar/tests/bug69441.phar
Normal file
BIN
ext/phar/tests/bug69441.phar
Normal file
Binary file not shown.
21
ext/phar/tests/bug69441.phpt
Normal file
21
ext/phar/tests/bug69441.phpt
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
--TEST--
|
||||||
|
Phar: bug #69441: Buffer Overflow when parsing tar/zip/phar in phar_set_inode
|
||||||
|
--SKIPIF--
|
||||||
|
<?php if (!extension_loaded("phar")) die("skip"); ?>
|
||||||
|
--FILE--
|
||||||
|
<?php
|
||||||
|
$fname = dirname(__FILE__) . '/bug69441.phar';
|
||||||
|
try {
|
||||||
|
$r = new Phar($fname, 0);
|
||||||
|
} catch(UnexpectedValueException $e) {
|
||||||
|
echo $e;
|
||||||
|
}
|
||||||
|
?>
|
||||||
|
|
||||||
|
==DONE==
|
||||||
|
--EXPECTF--
|
||||||
|
exception 'UnexpectedValueException' with message 'phar error: corrupted central directory entry, no magic signature in zip-based phar "%s/bug69441.phar"' in %s/bug69441.php:%d
|
||||||
|
Stack trace:
|
||||||
|
#0 %s/bug69441.php(%d): Phar->__construct('%s', 0)
|
||||||
|
#1 {main}
|
||||||
|
==DONE==
|
Loading…
Reference in New Issue
Block a user