From: Stanislav Malyshev
Date: Sun, 5 Jul 2015 06:47:48 +0000 (-0700)
Subject: Fix bug #69923 - Buffer overflow and stack smashing error in phar_fix_filepath
X-Git-Tag: php-7.0.0beta1~12^2~6
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=12ff95574bb1303fc03695a1721a8b4529d1ed0a;p=php

Fix bug #69923 - Buffer overflow and stack smashing error in phar_fix_filepath
---
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 578b0a3a83..1ed4c8034d 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -2073,7 +2073,7 @@ static int php_check_dots(const char *element, int n) /* {{{ */
 */
 char *phar_fix_filepath(char *path, int *new_len, int use_cwd) /* {{{ */
 {
- char newpath[MAXPATHLEN];
+ char *newpath;
 int newpath_len;
 char *ptr;
 char *tok;
@@ -2081,8 +2081,10 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd) /* {{{ */
 if (PHAR_G(cwd_len) && use_cwd && path_length > 2 && path[0] == '.' && path[1] == '/') {
 newpath_len = PHAR_G(cwd_len);
+ newpath = emalloc(strlen(path) + newpath_len + 1);
 memcpy(newpath, PHAR_G(cwd), newpath_len);
 } else {
+ newpath = emalloc(strlen(path) + 2);
 newpath[0] = '/';
 newpath_len = 1;
 }
@@ -2105,6 +2107,7 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd) /* {{{ */
 if (*tok == '.') {
 efree(path);
 *new_len = 1;
+ efree(newpath);
 return estrndup("/", 1);
 }
 break;
@@ -2112,9 +2115,11 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd) /* {{{ */
 if (tok[0] == '.' && tok[1] == '.') {
 efree(path);
 *new_len = 1;
+ efree(newpath);
 return estrndup("/", 1);
 }
 }
+ efree(newpath);
 return path;
 }
@@ -2163,7 +2168,8 @@ last_time:
 efree(path);
 *new_len = newpath_len;
- return estrndup(newpath, newpath_len);
+ newpath[newpath_len] = '\0';
+ return erealloc(newpath, newpath_len + 1);
 }
 /* }}} */
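Review bot: The new buffer in the second hunk is sized from `strlen(path)`, while the condition on the line above it tests `path_length`, so the allocation and the code that fills it may be working from two different lengths. If `path_length` can ever exceed `strlen(path)`, the heap buffer would be smaller than the rest of the function assumes; the copy loop is outside the hunks, so this cannot be confirmed from the diff alone. The terminator store `newpath[newpath_len] = '\0';` in the last hunk depends on the same bound, because it writes before the `erealloc`. I would size from one length consistently and record the invariant next to both `emalloc` calls, e.g. `/* worst case: prefix + every byte of path + NUL; segments are copied, never expanded */`.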
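Review bot: `newpath` is allocated before the short-path checks in the third and fourth hunks, which is why three separate `efree(newpath);` calls had to be added, one per early exit. Any exit added later between the allocation and the final return would leak the buffer unless it repeats the call. Moving the allocation and its initial fill below the block that ends in `return path;`, or routing the exits through one cleanup label, would remove that burden. The function body continues outside these hunks, so confirm that nothing between the two points reads or writes `newpath` before moving it.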