1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
From f41261182dad0f831d8727967c127da1f08c8ce5 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Mon, 10 Jul 2023 13:25:34 +0200
Subject: [PATCH 1/3] Fix buffer mismanagement in phar_dir_read()
Fixes GHSA-jqcx-ccgc-xwhv.
(cherry picked from commit 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef)
(cherry picked from commit c398fe98c044c8e7c23135acdc38d4ef7bedc983)
(cherry picked from commit 3f14261065e4c0552afa9cb16411475050a41c2c)
(cherry picked from commit f8f433d0d8eaac21af4f4532496d33f9c2b381d6)
---
ext/phar/dirstream.c | 15 ++++++++------
ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt | 27 +++++++++++++++++++++++++
2 files changed, 36 insertions(+), 6 deletions(-)
create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c
index 36c7f9e812..6ced23880b 100644
--- a/ext/phar/dirstream.c
+++ b/ext/phar/dirstream.c
@@ -92,25 +92,28 @@ static int phar_dir_seek(php_stream *stream, zend_off_t offset, int whence, zend
*/
static size_t phar_dir_read(php_stream *stream, char *buf, size_t count) /* {{{ */
{
- size_t to_read;
HashTable *data = (HashTable *)stream->abstract;
zend_string *str_key;
zend_ulong unused;
+ if (count != sizeof(php_stream_dirent)) {
+ return -1;
+ }
+
if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, &unused)) {
return 0;
}
zend_hash_move_forward(data);
- to_read = MIN(ZSTR_LEN(str_key), count);
- if (to_read == 0 || count < ZSTR_LEN(str_key)) {
+ php_stream_dirent *dirent = (php_stream_dirent *) buf;
+
+ if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) {
return 0;
}
- memset(buf, 0, sizeof(php_stream_dirent));
- memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read);
- ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';
+ memset(dirent, 0, sizeof(php_stream_dirent));
+ PHP_STRLCPY(dirent->d_name, ZSTR_VAL(str_key), sizeof(dirent->d_name), ZSTR_LEN(str_key));
return sizeof(php_stream_dirent);
}
diff --git a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
new file mode 100644
index 0000000000..4e12f05fb6
--- /dev/null
+++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read())
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--INI--
+phar.readonly=0
+--FILE--
+<?php
+$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
+$phar->startBuffering();
+$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the content of file 1.');
+$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the content of file 2.');
+$phar->stopBuffering();
+
+$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar');
+var_dump(strlen(readdir($handle)));
+// Must not be a string of length PHP_MAXPATHLEN+1
+var_dump(readdir($handle));
+closedir($handle);
+?>
+--CLEAN--
+<?php
+unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
+?>
+--EXPECTF--
+int(%d)
+bool(false)
--
2.41.0
|