From 0e26c7b3a2d48b2fe256b8b7074b02218cfd46c1 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Sat, 18 Feb 2017 08:58:42 +0100 Subject: PHP 5.6.38-7 (security fix from 5.6.30) --- bug73764.patch | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 bug73764.patch (limited to 'bug73764.patch') diff --git a/bug73764.patch b/bug73764.patch new file mode 100644 index 0000000..540c588 --- /dev/null +++ b/bug73764.patch @@ -0,0 +1,42 @@ +Backported from 5.6.30 by Remi. +Binary parts dropped + + +From ca46d0acbce55019b970fcd4c1e8a10edfdded93 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Fri, 30 Dec 2016 15:34:46 -0800 +Subject: [PATCH] Fix int overflows in phar (bug #73764) + +--- + ext/phar/phar.c | 4 ++-- + ext/phar/tests/bug73764.phar | Bin 0 -> 138 bytes + ext/phar/tests/bug73764.phpt | 16 ++++++++++++++++ + 3 files changed, 18 insertions(+), 2 deletions(-) + create mode 100644 ext/phar/tests/bug73764.phar + create mode 100644 ext/phar/tests/bug73764.phpt + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index 14b80e1..532b4c3 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -1055,7 +1055,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + entry.is_persistent = mydata->is_persistent; + + for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) { +- if (buffer + 4 > endbuffer) { ++ if (buffer + 24 > endbuffer) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)") + } + +@@ -1069,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char + entry.manifest_pos = manifest_index; + } + +- if (entry.filename_len + 20 > endbuffer - buffer) { ++ if (entry.filename_len > endbuffer - buffer - 20) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); + } + +-- +2.1.4 + -- cgit