Fix bug #69923 - Buffer overflow and stack smashing error in phar_fix_filepath
authorStanislav Malyshev <stas@php.net>
Sun, 5 Jul 2015 06:47:48 +0000 (23:47 -0700)
committerStanislav Malyshev <stas@php.net>
Tue, 7 Jul 2015 16:38:31 +0000 (09:38 -0700)
ext/phar/phar.c

index 223bfe84c633117896adf55fb080c62e72480175..ba734629367f9671b25202408d13914fa63d8396 100644 (file)
@@ -2142,7 +2142,7 @@ char *tsrm_strtok_r(char *s, const char *delim, char **last) /* {{{ */
  */
 char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ */
 {
-       char newpath[MAXPATHLEN];
+       char *newpath;
        int newpath_len;
        char *ptr;
        char *tok;
@@ -2150,8 +2150,10 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{
 
        if (PHAR_G(cwd_len) && use_cwd && path_length > 2 && path[0] == '.' && path[1] == '/') {
                newpath_len = PHAR_G(cwd_len);
+               newpath = emalloc(strlen(path) + newpath_len + 1);
                memcpy(newpath, PHAR_G(cwd), newpath_len);
        } else {
+               newpath = emalloc(strlen(path) + 2);
                newpath[0] = '/';
                newpath_len = 1;
        }
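Review bot: Both new `emalloc` sizes are computed from `strlen(path)`, while the condition just above tests `path_length`, so the buffer bound and the function's tracked length come from two different sources. If the caller-supplied length can ever exceed the C-string length, the heap buffer would be sized from the shorter value while later copies may be driven by the longer one. Sizing from the tracked length keeps both on one number, e.g. `newpath = emalloc(path_length + newpath_len + 1);` and `newpath = emalloc(path_length + 2);`, but confirm this against where `path_length` is assigned, which is outside this hunk. A one-line comment such as `/* worst case: prefix + every byte of path + NUL */` would also help, because the terminator write `newpath[newpath_len] = '\0';` in the last hunk depends on this bound.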
@@ -2174,6 +2176,7 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{
                                if (*tok == '.') {
                                        efree(path);
                                        *new_len = 1;
+                                       efree(newpath);
                                        return estrndup("/", 1);
                                }
                                break;
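Review bot: Because `newpath` is now allocated before the single-segment short-circuit, every early return has to remember `efree(newpath);`, here and twice more in the next hunk. None of the visible early-return lines reads `newpath`, so moving the allocation below this short-circuit, or routing the exits through one cleanup label, would remove all three calls and keep a later-added return from leaking. The code between the allocation and this `switch` lies outside the hunk, so check first that nothing there touches `newpath`.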
@@ -2181,9 +2184,11 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{
                                if (tok[0] == '.' && tok[1] == '.') {
                                        efree(path);
                                        *new_len = 1;
+                                       efree(newpath);
                                        return estrndup("/", 1);
                                }
                }
+               efree(newpath);
                return path;
        }
 
@@ -2232,7 +2237,8 @@ last_time:
 
        efree(path);
        *new_len = newpath_len;
-       return estrndup(newpath, newpath_len);
+       newpath[newpath_len] = '\0';
+       return erealloc(newpath, newpath_len + 1);
 }
 /* }}} */