You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

73 lines
2.0 KiB

Index: php5-5.4.45/ext/phar/util.c
===================================================================
--- php5-5.4.45.orig/ext/phar/util.c 2016-12-09 15:59:08.117343042 +0100
+++ php5-5.4.45/ext/phar/util.c 2016-12-09 15:59:08.109343264 +0100
@@ -1928,6 +1928,13 @@
unsigned char digest[64];
PHP_SHA512_CTX context;
+ if (sig_len < sizeof(digest)) {
+ if (error) {
+ spprintf(error, 0, "broken signature");
+ }
+ return FAILURE;
+ }
+
PHP_SHA512Init(&context);
read_len = end_of_phar;
@@ -1961,6 +1968,13 @@
unsigned char digest[32];
PHP_SHA256_CTX context;
+ if (sig_len < sizeof(digest)) {
+ if (error) {
+ spprintf(error, 0, "broken signature");
+ }
+ return FAILURE;
+ }
+
PHP_SHA256Init(&context);
read_len = end_of_phar;
@@ -2002,6 +2016,13 @@
unsigned char digest[20];
PHP_SHA1_CTX context;
+ if (sig_len < sizeof(digest)) {
+ if (error) {
+ spprintf(error, 0, "broken signature");
+ }
+ return FAILURE;
+ }
+
PHP_SHA1Init(&context);
read_len = end_of_phar;
@@ -2035,6 +2056,13 @@
unsigned char digest[16];
PHP_MD5_CTX context;
+ if (sig_len < sizeof(digest)) {
+ if (error) {
+ spprintf(error, 0, "broken signature");
+ }
+ return FAILURE;
+ }
+
PHP_MD5Init(&context);
read_len = end_of_phar;
Index: php5-5.4.45/ext/phar/zip.c
===================================================================
--- php5-5.4.45.orig/ext/phar/zip.c 2016-12-09 15:59:08.117343042 +0100
+++ php5-5.4.45/ext/phar/zip.c 2016-12-09 15:59:08.109343264 +0100
@@ -430,7 +430,7 @@
php_stream_seek(fp, sizeof(phar_zip_file_header) + entry.header_offset + entry.filename_len + PHAR_GET_16(zipentry.extra_len), SEEK_SET);
sig = (char *) emalloc(entry.uncompressed_filesize);
read = php_stream_read(fp, sig, entry.uncompressed_filesize);
- if (read != entry.uncompressed_filesize) {
+ if (read != entry.uncompressed_filesize || read <= 8) {
php_stream_close(sigfile);
efree(sig);
PHAR_ZIP_FAIL("signature cannot be read");