42 lines
1.5 KiB
Diff
42 lines
1.5 KiB
Diff
Backported from 5.6.30 by Remi.
|
|
Binary parts dropped
|
|
|
|
|
|
From b28b8b2fee6dfa6fcd13305c581bb835689ac3be Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Malyshev <stas@php.net>
|
|
Date: Fri, 30 Dec 2016 15:57:24 -0800
|
|
Subject: [PATCH] Fix bug #73768 - Memory corruption when loading hostile phar
|
|
|
|
---
|
|
ext/phar/phar.c | 3 +--
|
|
ext/phar/tests/bug73768.phar | Bin 0 -> 219 bytes
|
|
ext/phar/tests/bug73768.phpt | 16 ++++++++++++++++
|
|
3 files changed, 17 insertions(+), 2 deletions(-)
|
|
create mode 100644 ext/phar/tests/bug73768.phar
|
|
create mode 100644 ext/phar/tests/bug73768.phpt
|
|
|
|
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
|
|
index 532b4c3..158f417 100644
|
|
--- a/ext/phar/phar.c
|
|
+++ b/ext/phar/phar.c
|
|
@@ -982,7 +982,6 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
|
|
/* if the alias is stored we enforce it (implicit overrides explicit) */
|
|
if (alias && alias_len && (alias_len != (int)tmp_len || strncmp(alias, buffer, tmp_len)))
|
|
{
|
|
- buffer[tmp_len] = '\0';
|
|
php_stream_close(fp);
|
|
|
|
if (signature) {
|
|
@@ -990,7 +989,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
|
|
}
|
|
|
|
if (error) {
|
|
- spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%s\" under different alias \"%s\"", fname, buffer, alias);
|
|
+ spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%.*s\" under different alias \"%s\"", fname, tmp_len, buffer, alias);
|
|
}
|
|
|
|
efree(savebuf);
|
|
--
|
|
2.1.4
|
|
|
