You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

59 lines
1.8 KiB

From ca46d0acbce55019b970fcd4c1e8a10edfdded93 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Fri, 30 Dec 2016 15:34:46 -0800
Subject: [PATCH] CVE-2016-10159
Fix int overflows in phar (bug #73764)
[roberto@debian.org: backported to 5.4.45]
Bug: https://bugs.php.net/bug.php?id=73764
Origin: backport, http://git.php.net/?p=php-src.git;a=commitdiff;h=ca46d0acbce55019b970fcd4c1e8a10edfdded93
---
ext/phar/phar.c | 4 ++--
ext/phar/tests/bug73764.phar | Bin 0 -> 138 bytes
ext/phar/tests/bug73764.phpt | 16 ++++++++++++++++
3 files changed, 18 insertions(+), 2 deletions(-)
create mode 100644 ext/phar/tests/bug73764.phar
create mode 100644 ext/phar/tests/bug73764.phpt
--- php5.git.orig/ext/phar/phar.c
+++ php5.git/ext/phar/phar.c
@@ -1056,7 +1056,7 @@
entry.is_persistent = mydata->is_persistent;
for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
- if (buffer + 4 > endbuffer) {
+ if (buffer + 24 > endbuffer) {
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
}
@@ -1070,7 +1070,7 @@
entry.manifest_pos = manifest_index;
}
- if (entry.filename_len + 20 > endbuffer - buffer) {
+ if (entry.filename_len > endbuffer - buffer - 20) {
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
}
--- /dev/null
+++ php5.git/ext/phar/tests/bug73764.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Phar: PHP bug #73764: Crash while loading hostile phar archive
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+try {
+$p = Phar::LoadPhar('bug73764.phar', 'alias.phar');
+echo "OK\n";
+} catch(PharException $e) {
+ echo $e->getMessage();
+}
+?>
+--EXPECTF--
+internal corruption of phar "%sbug73764.phar" (truncated manifest entry)
\ No newline at end of file