1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
Backported from 5.5 for 5.4 by Remi Collet
binary patch dropped
From 9649ca1630433473a307d015ba1a79a4a7a779f5 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Thu, 14 Jan 2016 22:58:40 -0800
Subject: [PATCH] Fixed bug #71331 - Uninitialized pointer in
phar_make_dirstream()
---
ext/phar/dirstream.c | 3 ++-
ext/phar/tar.c | 2 +-
ext/phar/tests/bug71331.phpt | 15 +++++++++++++++
ext/phar/tests/bug71331.tar | Bin 0 -> 2560 bytes
4 files changed, 18 insertions(+), 2 deletions(-)
create mode 100644 ext/phar/tests/bug71331.phpt
create mode 100644 ext/phar/tests/bug71331.tar
diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c
index 75cf049..94958a2 100644
--- a/ext/phar/dirstream.c
+++ b/ext/phar/dirstream.c
@@ -207,6 +207,7 @@ static php_stream *phar_make_dirstream(c
zend_hash_internal_pointer_reset(manifest);
while (FAILURE != zend_hash_has_more_elements(manifest)) {
+ keylen = 0;
if (HASH_KEY_NON_EXISTANT == zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) {
break;
}
@@ -214,7 +215,7 @@ static php_stream *phar_make_dirstream(c
PHAR_STR(key, str_key);
if (keylen <= (uint)dirlen) {
- if (keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
+ if (keylen == 0 || keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
PHAR_STR_FREE(str_key);
if (SUCCESS != zend_hash_move_forward(manifest)) {
break;
diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index 3a4bd49..bf19e08 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -347,7 +347,7 @@ bail:
entry.filename_len = entry.uncompressed_filesize;
/* Check for overflow - bug 61065 */
- if (entry.filename_len == UINT_MAX) {
+ if (entry.filename_len == UINT_MAX || entry.filename_len == 0) {
if (error) {
spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname);
}
|
