Fixed bug #71331 - Uninitialized pointer in phar_make_dirstream()
authorStanislav Malyshev <stas@php.net>
Fri, 15 Jan 2016 06:58:40 +0000 (22:58 -0800)
committerLior Kaplan <kaplanlior@gmail.com>
Thu, 28 Apr 2016 17:57:44 +0000 (20:57 +0300)
ext/phar/dirstream.c
ext/phar/tar.c
ext/phar/tests/bug71331.phpt [new file with mode: 0644]
ext/phar/tests/bug71331.tar [new file with mode: 0644]

index 75cf049adefbd1e723a69e495016b31e20dbcf85..94958a26aafea4751d6be0658f633ede506e51f6 100644 (file)
@@ -207,6 +207,7 @@ static php_stream *phar_make_dirstream(char *dir, HashTable *manifest TSRMLS_DC)
        zend_hash_internal_pointer_reset(manifest);
 
        while (FAILURE != zend_hash_has_more_elements(manifest)) {
+               keylen = 0;
                if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) {
                        break;
                }
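Review bot: Resetting `keylen` at the top of the loop leaves `key` itself untouched, so if `zend_hash_get_current_key_ex()` returns anything other than a string key, the pointer keeps whatever it held before (indeterminate on the first pass, as far as these lines show). `PHAR_STR(key, str_key)` at the top of the next hunk then reads that pointer before the new `keylen == 0` guard is evaluated. At minimum reset both, `key = NULL; keylen = 0;`; clearer still would be to test the return value against `HASH_KEY_IS_STRING` and advance past non-string keys before `PHAR_STR` runs. What the helper writes for non-string keys is not visible here and should be confirmed against its definition. The body of phar_make_dirstream() starts and ends outside both dirstream.c hunks.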
@@ -214,7 +215,7 @@ static php_stream *phar_make_dirstream(char *dir, HashTable *manifest TSRMLS_DC)
                PHAR_STR(key, str_key);
 
                if (keylen <= (uint)dirlen) {
-                       if (keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
+                       if (keylen == 0 || keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
                                PHAR_STR_FREE(str_key);
                                if (SUCCESS != zend_hash_move_forward(manifest)) {
                                        break;
index 3a4bd491f8c169c2d8d4f2121146fad3b812639f..bf19e08ac0928382b53a5bd29c6c4be4d6134599 100644 (file)
@@ -356,7 +356,7 @@ bail:
                        entry.filename_len = entry.uncompressed_filesize;
 
                        /* Check for overflow - bug 61065 */
-                       if (entry.filename_len == UINT_MAX) {
+                       if (entry.filename_len == UINT_MAX || entry.filename_len == 0) {
                                if (error) {
                                        spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname);
                                }
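Review bot: The comment above the check still reads `/* Check for overflow - bug 61065 */`, but the condition now also rejects a zero-length name, which is a different failure from the overflow it describes. Suggest `/* Reject overflow (bug 61065) and empty names (bug 71331); filename_len is taken from the entry's size */` so a later reader does not drop the `== 0` arm as unrelated. Because `entry.filename_len` is copied from `entry.uncompressed_filesize` on the line above, it is also worth confirming that the code after this check, outside the hunk, bounds the value from above before it allocates or reads that many bytes.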
diff --git a/ext/phar/tests/bug71331.phpt b/ext/phar/tests/bug71331.phpt
new file mode 100644 (file)
index 0000000..106fd54
--- /dev/null
@@ -0,0 +1,15 @@
+--TEST--
+Bug #71331 (Uninitialized pointer in phar_make_dirstream())
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+$p = new PharData(__DIR__."/bug71331.tar");
+?>
+DONE
+--EXPECTF--
+Fatal error: Uncaught exception 'UnexpectedValueException' with message 'phar error: "%s/bug71331.tar" is a corrupted tar file (invalid entry size)' in %s/bug71331.php:2
+Stack trace:
+#0 %s/bug71331.php(2): PharData->__construct('%s')
+#1 {main}
+  thrown in %s/bug71331.php on line 2
\ No newline at end of file
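Review bot: The expected output is the `invalid entry size` exception thrown from the `PharData` constructor, so this test only exercises the new `filename_len == 0` rejection in tar.c. With the archive refused at open, the `keylen` changes in dirstream.c are presumably never reached by it. A second case that gets as far as directory listing with a key the loop must skip would cover those guards, if such an archive can still be built after the parser fix. Separately, `DONE` after `?>` can never print on the expected path and the file has no trailing newline; both are harmless but worth tidying.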
diff --git a/ext/phar/tests/bug71331.tar b/ext/phar/tests/bug71331.tar
new file mode 100644 (file)
index 0000000..14eec28
Binary files /dev/null and b/ext/phar/tests/bug71331.tar differ