fix possible read past end of buffer by ridiculously stupid convoluted logic (I wrote...
authorGreg Beaver <cellog@php.net>
Wed, 30 Apr 2008 23:49:09 +0000 (23:49 +0000)
committerGreg Beaver <cellog@php.net>
Wed, 30 Apr 2008 23:49:09 +0000 (23:49 +0000)
ext/phar/zip.c

index a436b8836cb7ee08b8ab7abdcfb41dbaa6fc20f6..633f59c0cc91eff5fda9681e82f390a1fcabe86b 100644 (file)
@@ -175,7 +175,7 @@ int phar_open_zipfile(php_stream *fp, char *fname, int fname_len, char *alias, i
                }
                return FAILURE;
        }
-       while ((p=(char *) memchr(p + 1, 'P', (size_t)(buf - (p+1) + sizeof(locator) + 65536 - 4 + 1))) != NULL) {
+       while ((p=(char *) memchr(p + 1, 'P', (size_t) (size - (p + 1 - buf)))) != NULL) {
                if (!memcmp(p + 1, "K\5\6", 3)) {
                        memcpy((void *)&locator, (void *) p, sizeof(locator));
                        if (locator.centraldisk != 0 || locator.disknumber != 0) {
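Review bot: A `P` found in the last few bytes of the buffer can still lead to reads past its end, because the new `memchr` length bounds only the search and not the `memcmp(p + 1, "K\5\6", 3)` and `memcpy(..., sizeof(locator))` that follow a hit. Assuming `size` is the number of valid bytes in `buf` (both are defined outside this hunk), a guard at the top of the loop body such as `if ((size_t)(buf + size - p) < sizeof(locator)) break;` would keep both reads inside the buffer. A short comment on the `while` line saying that the scan is limited to the `size` bytes read into `buf` would also help, since the old expression was hard to follow. phar_open_zipfile starts and ends outside the hunk.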