You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

55 lines
2.2 KiB

Index: php5-5.4.45/ext/phar/dirstream.c
===================================================================
--- php5-5.4.45.orig/ext/phar/dirstream.c 2016-05-17 13:03:45.000000000 +0200
+++ php5-5.4.45/ext/phar/dirstream.c 2016-05-17 13:03:45.000000000 +0200
@@ -207,6 +207,7 @@
zend_hash_internal_pointer_reset(manifest);
while (FAILURE != zend_hash_has_more_elements(manifest)) {
+ keylen = 0;
if (HASH_KEY_NON_EXISTANT == zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) {
break;
}
@@ -214,7 +215,7 @@
PHAR_STR(key, str_key);
if (keylen <= (uint)dirlen) {
- if (keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
+ if (keylen == 0 || keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
PHAR_STR_FREE(str_key);
if (SUCCESS != zend_hash_move_forward(manifest)) {
break;
Index: php5-5.4.45/ext/phar/tar.c
===================================================================
--- php5-5.4.45.orig/ext/phar/tar.c 2016-05-17 13:03:45.000000000 +0200
+++ php5-5.4.45/ext/phar/tar.c 2016-05-17 13:03:45.000000000 +0200
@@ -339,7 +339,7 @@
entry.filename_len = entry.uncompressed_filesize;
/* Check for overflow - bug 61065 */
- if (entry.filename_len == UINT_MAX) {
+ if (entry.filename_len == UINT_MAX || entry.filename_len == 0) {
if (error) {
spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname);
}
Index: php5-5.4.45/ext/phar/tests/bug71331.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/phar/tests/bug71331.phpt 2016-05-17 13:03:45.000000000 +0200
@@ -0,0 +1,15 @@
+--TEST--
+Bug #71331 (Uninitialized pointer in phar_make_dirstream())
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+$p = new PharData(__DIR__."/bug71331.tar");
+?>
+DONE
+--EXPECTF--
+Fatal error: Uncaught exception 'UnexpectedValueException' with message 'phar error: "%s/bug71331.tar" is a corrupted tar file (invalid entry size)' in %s/bug71331.php:2
+Stack trace:
+#0 %s/bug71331.php(2): PharData->__construct('%s')
+#1 {main}
+ thrown in %s/bug71331.php on line 2
\ No newline at end of file