From d2460ef96b6c333aa8d0a11150e8be3323ac9c3e Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Sat, 18 Feb 2017 16:14:07 +0100 Subject: PHP 5.4.45-13 (security fix from 5.6.30) --- bug73773.patch | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 bug73773.patch (limited to 'bug73773.patch') diff --git a/bug73773.patch b/bug73773.patch new file mode 100644 index 0000000..98c4dc6 --- /dev/null +++ b/bug73773.patch @@ -0,0 +1,37 @@ +Backported from 5.6.30 by Remi. + + +From e5246580a85f031e1a3b8064edbaa55c1643a451 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 31 Dec 2016 18:47:50 -0800 +Subject: [PATCH] Fix bug #73773 - Seg fault when loading hostile phar + +--- + ext/phar/phar.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index 158f417..780be43 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -1055,7 +1055,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + entry.is_persistent = mydata->is_persistent; + + for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) { +- if (buffer + 24 > endbuffer) { ++ if (buffer + 28 > endbuffer) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)") + } + +@@ -1069,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + entry.manifest_pos = manifest_index; + } + +- if (entry.filename_len > endbuffer - buffer - 20) { ++ if (entry.filename_len > endbuffer - buffer - 24) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); + } + +-- +2.1.4 + -- cgit