fix bug #61065
authorStanislav Malyshev <stas@php.net>
Wed, 16 May 2012 05:34:34 +0000 (22:34 -0700)
committerStanislav Malyshev <stas@php.net>
Wed, 16 May 2012 05:34:34 +0000 (22:34 -0700)
ext/phar/tar.c

index 9d1e5bcb1d2f0b271deb4688615112641f5e7312..b914db129eca4ee96c62bb3715cd92dcbbb3b5f4 100644 (file)
@@ -337,6 +337,16 @@ bail:
                        last_was_longlink = 1;
                        /* support the ././@LongLink system for storing long filenames */
                        entry.filename_len = entry.uncompressed_filesize;
+
+                       /* Check for overflow - bug 61065 */
+                       if (entry.filename_len == UINT_MAX) {
+                               if (error) {
+                                       spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname);
+                               }
+                               php_stream_close(fp);
+                               phar_destroy_phar_data(myphar TSRMLS_CC);
+                               return FAILURE;
+                       }
                        entry.filename = pemalloc(entry.filename_len+1, myphar->is_persistent);
 
                        read = php_stream_read(fp, entry.filename, entry.filename_len);
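Review bot: The added guard `if (entry.filename_len == UINT_MAX)` rejects only the one value for which `entry.filename_len+1` wraps to zero in the `pemalloc` call, so every other size taken from the tar header, however large, still reaches the allocation and the following `php_stream_read`. Because the length comes from the archive, an upper bound is safer than an equality test, for example `if (entry.filename_len == UINT_MAX || entry.filename_len > PHAR_MAX_LONGLINK_LEN) {`, where `PHAR_MAX_LONGLINK_LEN` is a placeholder for a limit the maintainers choose. The comment would help more if it named what overflows: `/* filename_len+1 below would wrap to 0 and the read would overrun the buffer - bug 61065 */`. The assignment from `entry.uncompressed_filesize` may also truncate if that field is wider than `filename_len`, which cannot be confirmed from this hunk; the enclosing function starts and ends outside it.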