php5.4: add debian u9 patchset

3.15-stable
parent 6ed03ce2b1
commit 8ba726da20
  1. 10
      testing/php5.4/APKBUILD
  2. 243
      testing/php5.4/d09-u001-CVE-2016-10397.patch
  3. 84
      testing/php5.4/d09-u002-CVE-2017-11143.patch
  4. 94
      testing/php5.4/d09-u003-CVE-2017-11144.patch
  5. 58507
      testing/php5.4/d09-u004-CVE-2017-11145.patch
  6. 32
      testing/php5.4/d09-u005-CVE-2017-11147.patch

@ -212,6 +212,11 @@ source="https://www.php.net/distributions/$_pkgreal-$pkgver.tar.bz2
d08-u001-CVE-2016-7478-bcmath-shared.patch
d08-u002-CVE-2016-7479.patch
d08-u003-CVE-2017-7272.patch
d09-u001-CVE-2016-10397.patch
d09-u002-CVE-2017-11143.patch
d09-u003-CVE-2017-11144.patch
d09-u004-CVE-2017-11145.patch
d09-u005-CVE-2017-11147.patch
"
builddir="$srcdir/$_pkgreal-$pkgver"
@ -860,4 +865,9 @@ bd2f319a19266f03b0e7e1e25277e9b1a0a320c3eea35acc4f62b3da2c64a6441dff1ea679fbabc7
4fea975c071a392e6a762e3943e6808e2eb5f00f8756ea3cf04c70d0deb80bc028bcc37a9bce0e8919275757e66a18acae48012a700b675a2eb35314c6a5e4d7 d08-u001-CVE-2016-7478-bcmath-shared.patch
5c1251f8131fcd5595d3470e63ba2ad826f672b9eb416dd244379a7a579a4832f4c37fa174eb1fb1e610c12f01cefdc90ecc1eb45d6b58ea5687ceab0038da84 d08-u002-CVE-2016-7479.patch
fdd23eaec41e4a425affa18a06ad07058023524348813701c4656884041761d7c9ec44c0725064e29002de1f168e5fdf88383bf07d42d8e805f8226ca58b6413 d08-u003-CVE-2017-7272.patch
a6c146309c5403b4ea02b9e5ed5458fadfd61600088cd71184300f9367177ff7d56b2c982be776e09d25bf3631524fbde0d6df8b94b0c593a30cff1d45cb8acc d09-u001-CVE-2016-10397.patch
b94b9ad6af473fac409b3b91510142a6e8a3d866ce28456693c3c8ef6e706c7617f1254e045c83d05448ae709fe7024a7e7e03555f5b76e6c9698965fb044515 d09-u002-CVE-2017-11143.patch
ac65be6646776ffb94b015f877b3851c420ea08a068635cf34bd2eca14a9011b07e07f01b978ab6277dd8e59a7c37a79008352ec5fb4eb5cf4fbc47ec3e03f61 d09-u003-CVE-2017-11144.patch
5ed8ec98fc2d0e9ebd0d59c62130c3d93d41452a7bd67fa60125ef889139925cff03a9a6a460ccab8d9bc12e826e8d6039ae2257e22a4aaa48c33955366b79e9 d09-u004-CVE-2017-11145.patch
8041acbd1cd28421850492f7cecc4b16016fe996d3baefb25932374e84c8ca088e69636032a735d7e1a9949ff89326b241c0a25013df5bb1bfedf5bd9e72b29c d09-u005-CVE-2017-11147.patch
"

@ -0,0 +1,243 @@
From: Markus Koschany <apo@debian.org>
Date: Sun, 16 Jul 2017 17:48:35 +0200
Subject: CVE-2016-10397
Bug-Upstream: https://bugs.php.net/bug.php?id=73192
Origin: https://git.php.net/?p=php-src.git;a=commitdiff;h=b061fa909de77085d3822a89ab901b934d0362c4
---
ext/standard/tests/url/bug73192.phpt | 30 +++++++++++++++++++++++++
ext/standard/tests/url/parse_url_basic_001.phpt | 20 ++---------------
ext/standard/tests/url/parse_url_basic_002.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_003.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_004.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_005.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_006.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_007.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_008.phpt | 4 ++--
ext/standard/tests/url/parse_url_basic_009.phpt | 4 ++--
ext/standard/url.c | 23 +------------------
11 files changed, 49 insertions(+), 56 deletions(-)
create mode 100644 ext/standard/tests/url/bug73192.phpt
diff --git a/ext/standard/tests/url/bug73192.phpt b/ext/standard/tests/url/bug73192.phpt
new file mode 100644
index 0000000..6ecb477
--- /dev/null
+++ b/ext/standard/tests/url/bug73192.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #73192: parse_url return wrong hostname
+--FILE--
+<?php
+
+var_dump(parse_url("http://example.com:80#@google.com/"));
+var_dump(parse_url("http://example.com:80?@google.com/"));
+
+?>
+--EXPECT--
+array(4) {
+ ["scheme"]=>
+ string(4) "http"
+ ["host"]=>
+ string(11) "example.com"
+ ["port"]=>
+ int(80)
+ ["fragment"]=>
+ string(12) "@google.com/"
+}
+array(4) {
+ ["scheme"]=>
+ string(4) "http"
+ ["host"]=>
+ string(11) "example.com"
+ ["port"]=>
+ int(80)
+ ["query"]=>
+ string(12) "@google.com/"
+}
diff --git a/ext/standard/tests/url/parse_url_basic_001.phpt b/ext/standard/tests/url/parse_url_basic_001.phpt
index a6f4f7a..282f80a 100644
--- a/ext/standard/tests/url/parse_url_basic_001.phpt
+++ b/ext/standard/tests/url/parse_url_basic_001.phpt
@@ -759,25 +759,9 @@ echo "Done";
int(6)
}
---> http://?:/: array(3) {
- ["scheme"]=>
- string(4) "http"
- ["host"]=>
- string(1) "?"
- ["path"]=>
- string(1) "/"
-}
+--> http://?:/: bool(false)
---> http://@?:/: array(4) {
- ["scheme"]=>
- string(4) "http"
- ["host"]=>
- string(1) "?"
- ["user"]=>
- string(0) ""
- ["path"]=>
- string(1) "/"
-}
+--> http://@?:/: bool(false)
--> file:///:: array(2) {
["scheme"]=>
diff --git a/ext/standard/tests/url/parse_url_basic_002.phpt b/ext/standard/tests/url/parse_url_basic_002.phpt
index c05d1f4..f222ffc 100644
--- a/ext/standard/tests/url/parse_url_basic_002.phpt
+++ b/ext/standard/tests/url/parse_url_basic_002.phpt
@@ -98,8 +98,8 @@ echo "Done";
--> http://::? : string(4) "http"
--> http://::# : string(4) "http"
--> x://::6.5 : string(1) "x"
---> http://?:/ : string(4) "http"
---> http://@?:/ : string(4) "http"
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : string(4) "file"
--> file:///a:/ : string(4) "file"
--> file:///ab:/ : string(4) "file"
diff --git a/ext/standard/tests/url/parse_url_basic_003.phpt b/ext/standard/tests/url/parse_url_basic_003.phpt
index 88eda50..70dc4bb 100644
--- a/ext/standard/tests/url/parse_url_basic_003.phpt
+++ b/ext/standard/tests/url/parse_url_basic_003.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : string(1) ":"
--> http://::# : string(1) ":"
--> x://::6.5 : string(1) ":"
---> http://?:/ : string(1) "?"
---> http://@?:/ : string(1) "?"
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : NULL
--> file:///a:/ : NULL
--> file:///ab:/ : NULL
diff --git a/ext/standard/tests/url/parse_url_basic_004.phpt b/ext/standard/tests/url/parse_url_basic_004.phpt
index e3b9abd..7ddddaf 100644
--- a/ext/standard/tests/url/parse_url_basic_004.phpt
+++ b/ext/standard/tests/url/parse_url_basic_004.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : NULL
--> http://::# : NULL
--> x://::6.5 : int(6)
---> http://?:/ : NULL
---> http://@?:/ : NULL
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : NULL
--> file:///a:/ : NULL
--> file:///ab:/ : NULL
diff --git a/ext/standard/tests/url/parse_url_basic_005.phpt b/ext/standard/tests/url/parse_url_basic_005.phpt
index 1fc946e..788ed00 100644
--- a/ext/standard/tests/url/parse_url_basic_005.phpt
+++ b/ext/standard/tests/url/parse_url_basic_005.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : NULL
--> http://::# : NULL
--> x://::6.5 : NULL
---> http://?:/ : NULL
---> http://@?:/ : string(0) ""
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : NULL
--> file:///a:/ : NULL
--> file:///ab:/ : NULL
diff --git a/ext/standard/tests/url/parse_url_basic_006.phpt b/ext/standard/tests/url/parse_url_basic_006.phpt
index 5104326..3e410d9 100644
--- a/ext/standard/tests/url/parse_url_basic_006.phpt
+++ b/ext/standard/tests/url/parse_url_basic_006.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : NULL
--> http://::# : NULL
--> x://::6.5 : NULL
---> http://?:/ : NULL
---> http://@?:/ : NULL
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : NULL
--> file:///a:/ : NULL
--> file:///ab:/ : NULL
diff --git a/ext/standard/tests/url/parse_url_basic_007.phpt b/ext/standard/tests/url/parse_url_basic_007.phpt
index 8e04553..1b362bb 100644
--- a/ext/standard/tests/url/parse_url_basic_007.phpt
+++ b/ext/standard/tests/url/parse_url_basic_007.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : NULL
--> http://::# : NULL
--> x://::6.5 : NULL
---> http://?:/ : string(1) "/"
---> http://@?:/ : string(1) "/"
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : string(2) "/:"
--> file:///a:/ : string(3) "a:/"
--> file:///ab:/ : string(5) "/ab:/"
diff --git a/ext/standard/tests/url/parse_url_basic_008.phpt b/ext/standard/tests/url/parse_url_basic_008.phpt
index 0c77221..1271f38 100644
--- a/ext/standard/tests/url/parse_url_basic_008.phpt
+++ b/ext/standard/tests/url/parse_url_basic_008.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : NULL
--> http://::# : NULL
--> x://::6.5 : NULL
---> http://?:/ : NULL
---> http://@?:/ : NULL
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : NULL
--> file:///a:/ : NULL
--> file:///ab:/ : NULL
diff --git a/ext/standard/tests/url/parse_url_basic_009.phpt b/ext/standard/tests/url/parse_url_basic_009.phpt
index 487b271..72f172a 100644
--- a/ext/standard/tests/url/parse_url_basic_009.phpt
+++ b/ext/standard/tests/url/parse_url_basic_009.phpt
@@ -97,8 +97,8 @@ echo "Done";
--> http://::? : NULL
--> http://::# : NULL
--> x://::6.5 : NULL
---> http://?:/ : NULL
---> http://@?:/ : NULL
+--> http://?:/ : bool(false)
+--> http://@?:/ : bool(false)
--> file:///: : NULL
--> file:///a:/ : NULL
--> file:///ab:/ : NULL
diff --git a/ext/standard/url.c b/ext/standard/url.c
index 5c926bf..f0e2790 100644
--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@ -214,28 +214,7 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
goto nohost;
}
- e = ue;
-
- if (!(p = memchr(s, '/', (ue - s)))) {
- char *query, *fragment;
-
- query = memchr(s, '?', (ue - s));
- fragment = memchr(s, '#', (ue - s));
-
- if (query && fragment) {
- if (query > fragment) {
- e = fragment;
- } else {
- e = query;
- }
- } else if (query) {
- e = query;
- } else if (fragment) {
- e = fragment;
- }
- } else {
- e = p;
- }
+ e = s + strcspn(s, "/?#");
/* check for login and password */
if ((p = zend_memrchr(s, '@', (e-s)))) {

@ -0,0 +1,84 @@
From: Markus Koschany <apo@debian.org>
Date: Sun, 16 Jul 2017 18:15:19 +0200
Subject: CVE-2017-11143
Bug-Upstream: https://bugs.php.net/bug.php?id=74145
Origin: https://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
Origin: http://git.php.net/?p=php-src.git;a=commitdiff;h=f269cdcd4f76accbecd03884f327cffb9a7f1ca9
---
ext/wddx/tests/bug74145.phpt | 16 ++++++++++++++++
ext/wddx/tests/bug74145.xml | 9 +++++++++
ext/wddx/wddx.c | 10 ++++++----
3 files changed, 31 insertions(+), 4 deletions(-)
create mode 100644 ext/wddx/tests/bug74145.phpt
create mode 100644 ext/wddx/tests/bug74145.xml
diff --git a/ext/wddx/tests/bug74145.phpt b/ext/wddx/tests/bug74145.phpt
new file mode 100644
index 0000000..a99a117
--- /dev/null
+++ b/ext/wddx/tests/bug74145.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #74145 (wddx parsing empty boolean tag leads to SIGSEGV)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$data = file_get_contents(__DIR__ . '/bug74145.xml');
+$wddx = wddx_deserialize($data);
+var_dump($wddx);
+?>
+DONE
+--EXPECTF--
+NULL
+DONE
\ No newline at end of file
diff --git a/ext/wddx/tests/bug74145.xml b/ext/wddx/tests/bug74145.xml
new file mode 100644
index 0000000..e5d35fb
--- /dev/null
+++ b/ext/wddx/tests/bug74145.xml
@@ -0,0 +1,9 @@
+<?xml version='1.0' ?>
+ <!DOCTYPE et SYSTEM 'w'>
+ <wddxPacket ven='1.0'>
+ <array>
+ <var Name="name">
+ <boolean ></boolean>
+ </var>
+ </array>
+ </wddxPacket>
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index d401b62..3293d62 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -795,20 +795,22 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
if (atts) for (i = 0; atts[i]; i++) {
if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
- ent.type = ST_BOOLEAN;
- SET_STACK_VARNAME;
-
ALLOC_ZVAL(ent.data);
INIT_PZVAL(ent.data);
Z_TYPE_P(ent.data) = IS_BOOL;
+ ent.type = ST_BOOLEAN;
+ SET_STACK_VARNAME;
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
break;
}
} else {
+ ALLOC_ZVAL(ent.data);
+ INIT_PZVAL(ent.data);
+ Z_TYPE_P(ent.data) = IS_BOOL;
ent.type = ST_BOOLEAN;
SET_STACK_VARNAME;
- ZVAL_FALSE(&ent.data);
+ ZVAL_FALSE(ent.data);
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
}
} else if (!strcmp(name, EL_NULL)) {

@ -0,0 +1,94 @@
From: Markus Koschany <apo@debian.org>
Date: Sun, 16 Jul 2017 18:42:56 +0200
Subject: CVE-2017-11144
Bug-Upstream: https://bugs.php.net/bug.php?id=74651
Origin: https://git.php.net/?p=php-src.git;a=commitdiff;h=89637c6b41b510c20d262c17483f582f115c66d6
---
ext/openssl/openssl.c | 6 +++---
ext/openssl/tests/74651.pem | 27 +++++++++++++++++++++++++++
ext/openssl/tests/bug74651.phpt | 17 +++++++++++++++++
3 files changed, 47 insertions(+), 3 deletions(-)
create mode 100644 ext/openssl/tests/74651.pem
create mode 100644 ext/openssl/tests/bug74651.phpt
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index c0e3d8a..6cd4754 100755
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -4347,15 +4347,15 @@ PHP_FUNCTION(openssl_seal)
buf = emalloc(data_len + EVP_CIPHER_CTX_block_size(&ctx));
EVP_CIPHER_CTX_cleanup(&ctx);
- if (!EVP_SealInit(&ctx, cipher, eks, eksl, NULL, pkeys, nkeys) || !EVP_SealUpdate(&ctx, buf, &len1, (unsigned char *)data, data_len)) {
+ if (EVP_SealInit(&ctx, cipher, eks, eksl, NULL, pkeys, nkeys) <= 0 ||
+ !EVP_SealUpdate(&ctx, buf, &len1, (unsigned char *)data, data_len) ||
+ !EVP_SealFinal(&ctx, buf + len1, &len2)) {
RETVAL_FALSE;
efree(buf);
EVP_CIPHER_CTX_cleanup(&ctx);
goto clean_exit;
}
- EVP_SealFinal(&ctx, buf + len1, &len2);
-
if (len1 + len2 > 0) {
zval_dtor(sealdata);
buf[len1 + len2] = '\0';
diff --git a/ext/openssl/tests/74651.pem b/ext/openssl/tests/74651.pem
new file mode 100644
index 0000000..4ed5905
--- /dev/null
+++ b/ext/openssl/tests/74651.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEoDCCBAmgAwIBAgIBJzANBgkqhkiG9w0BAQQFADCBkDELMAkGA1UEFhMCUk8x
+EDAOBgNVBAgTB1JvbWFuaWExEDAOBgNVBAcTB0NyYWlvdmExDzANBgNVBAoTBlNl
+cmdpdTETMBEGA1UECxMKU2VyZ2l1IFNSTDESMBAGA1UEAxMJU2VyZ2l1IENBMSMw
+IQYJKoZIhvcNAQkBFhRuX3NlcmdpdUBob3RtYWlsLmNvbTAeFw0wNDA1MTQxMzM0
+NTZaFw0wNTA1MTQxMzM0NTZaMIGaMQswCQYDVQQGEwJSTzEQMA4GA1UECBMHUm9t
+YW5pYTEQMA4GA1UEBxMHQ3JhaW92YTETMBEGA1UEChMKU2VyZ2l1IFNSTDETMBEG
+A1UECxMKU2VyZ2l1IFNSTDEYMBYGA1UEAxMPU2VyZ2l1IHBlcnNvbmFsMSMwIQYJ
+KoZIhvcNAQkBFhRuX3NlcmdpdUBob3RtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEApNj7XXz8T8FcLIWpBniPYom3QcT6T7u0xRPHqtqzj5oboBYp
+DJe5d354/y0gJTpiLt8+fTrPgWXnbHm3pOHgXzTcX6Arani0GDU0/xDi4VkCRGcS
+YqX2sJpcDzAbmK9UDMt3xf/O1B8AJan3RfO0Bm3ozTEPziLMkmsiYr5b/L4CAwEA
+AaOCAfwwggH4MAkGA1UdEwQCMAAwNQYJYIZIAYb4QgENBCgWJkZvciBHcmlkIHVz
+ZSBvbmx5OyByZXF1ZXN0IHRhZyB1c2VyVGFnMBEGCWCGSAGG+EIBAQQEAwIF4DA/
+BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vbW9iaWxlLmJsdWUtc29mdHdhcmUucm86
+OTAvY2EvY3JsLnNodG1sMDUGCWCGSAGG+EIBCAQoFiZodHRwOi8vbW9iaWxlLmJs
+dWUtc29mdHdhcmUucm86OTAvcHViLzAhBgNVHREEGjAYgRZzZXJnaXVAYmx1ZXNv
+ZnR3YXJlLnJvMB0GA1UdDgQWBBSwp//5QRXeIzm93TEPl6CyonTg/DCBpwYDVR0j
+BIGfMIGcoYGWpIGTMIGQMQswCQYDVQQGEwJSTzEQMA4GA1UECBMHUm9tYW5pYTEQ
+MA4GA1UEBxMHQ3JhaW92YTEPMA0GA1UEChMGU2VyZ2l1MRMwEQYDVQQLEwpTZXJn
+aXUgU1JMMRIwEAYDVQQDEwlTZXJnaXUgQ0ExIzAhBgkqhkiG9w0BCQEWFG5fc2Vy
+Z2l1QGhvdG1haWwuY29tggEAMAsGA1UdDwQEAwIE8DAjBglghkgBhvhCAQIEFhYU
+aHR0cDovLzYyLjIzMS45OC41Mi8wCwYDKgMEBAQ+52I0MA0GCSqGSIb3DQEBBAUA
+A4GBAIBIOJ+iiLyQfNJEY+IMefayQea0nmuXYY+F+L1DFjSC7xChytgYoPNnKkhh
+3dWPtxbswiqKYUnGi6y3Hi4UhDsOaDW29t2S305hSc2qgjOiNtRYQIVYQ8EHG1k7
+Fl63S7uCOhnVJt+4MnUK1N6/pwgsp+Z2GvEsDG1qCKnvNpf6
+-----END CERTIFICATE-----
diff --git a/ext/openssl/tests/bug74651.phpt b/ext/openssl/tests/bug74651.phpt
new file mode 100644
index 0000000..f86394b
--- /dev/null
+++ b/ext/openssl/tests/bug74651.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #74651: negative-size-param (-1) in memcpy in zif_openssl_seal()
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip openssl not loaded");
+?>
+--FILE--
+<?php
+
+$inputstr = file_get_contents(__DIR__ . "/74651.pem");
+$pub_key_id = openssl_get_publickey($inputstr);
+var_dump($pub_key_id);
+var_dump(openssl_seal($inputstr, $sealed, $ekeys, array($pub_key_id, $pub_key_id), 'AES-128-ECB'));
+?>
+--EXPECTF--
+resource(%d) of type (OpenSSL key)
+bool(false)
\ No newline at end of file

File diff suppressed because it is too large Load Diff

@ -0,0 +1,32 @@
From: Markus Koschany <apo@debian.org>
Date: Sun, 16 Jul 2017 19:28:03 +0200
Subject: CVE-2017-11147
Bug-Upstream: https://bugs.php.net/bug.php?id=73773
Origin: http://git.php.net/?p=php-src.git;a=commitdiff;h=e5246580a85f031e1a3b8064edbaa55c1643a451
---
ext/phar/phar.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index b235cc0..2bc4300 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -1055,7 +1055,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
entry.is_persistent = mydata->is_persistent;
for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
- if (buffer + 24 > endbuffer) {
+ if (buffer + 28 > endbuffer) {
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
}
@@ -1069,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
entry.manifest_pos = manifest_index;
}
- if (entry.filename_len > endbuffer - buffer - 20) {
+ if (entry.filename_len > endbuffer - buffer - 24) {
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
}
Loading…
Cancel
Save