{
char tmp[MAXPATHLEN];
int tmp_len;
+ size_t len;
- tmp_len = entry->filename_len + entry->phar->fname_len;
- memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
- memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
+ tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
+ len = MIN(entry->phar->fname_len, tmp_len);
+ memcpy(tmp, entry->phar->fname, len);
+ len = MIN(tmp_len - len, entry->filename_len);
+ memcpy(tmp + entry->phar->fname_len, entry->filename, len);
entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
}
/* }}} */
--- /dev/null
+--TEST--
+Phar: bug #69441: Buffer Overflow when parsing tar/zip/phar in phar_set_inode
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+$fname = dirname(__FILE__) . '/bug69441.phar';
+try {
+$r = new Phar($fname, 0);
+} catch(UnexpectedValueException $e) {
+ echo $e;
+}
+?>
+
+==DONE==
+--EXPECTF--
+exception 'UnexpectedValueException' with message 'phar error: corrupted central directory entry, no magic signature in zip-based phar "%s/bug69441.phar"' in %s/bug69441.php:%d
+Stack trace:
+#0 %s/bug69441.php(%d): Phar->__construct('%s', 0)
+#1 {main}
+==DONE==
\ No newline at end of file
projects / php / commitdiff