fix potentially serious security issue: buffer overrun if the tar filename > 101...

author Greg Beaver <cellog@php.net>

Fri, 25 Apr 2008 04:35:10 +0000 (04:35 +0000)

committer Greg Beaver <cellog@php.net>

Fri, 25 Apr 2008 04:35:10 +0000 (04:35 +0000)
author Greg Beaver <cellog@php.net>
Fri, 25 Apr 2008 04:35:10 +0000 (04:35 +0000)
committer Greg Beaver <cellog@php.net>
Fri, 25 Apr 2008 04:35:10 +0000 (04:35 +0000)
diff --git a/ext/phar/tar.c b/ext/phar/tar.c

index 7c804d5d627d81123707e69d3b782421d54cad70..fccc33c5a780a0671b8a00ab3e806f1ffb2b201f 100644 (file)
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -208,7 +208,12 @@ int phar_open_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, i
                         char name[256];
  
                         strcpy(name, hdr->prefix);
-                       strcat(name, hdr->name);
+                       /* remove potential buffer overflow */
+                       if (hdr->name[99]) {
+                               strncat(name, hdr->name, 100);
+                       } else {
+                               strcat(name, hdr->name);
+                       }
                         entry.filename_len = strlen(hdr->prefix) + 100;
                         if (name[entry.filename_len - 1] == '/') {
                                 /* some tar programs store directories with trailing slash */
author	Greg Beaver <cellog@php.net>
	Fri, 25 Apr 2008 04:35:10 +0000 (04:35 +0000)
committer	Greg Beaver <cellog@php.net>
	Fri, 25 Apr 2008 04:35:10 +0000 (04:35 +0000)