From: Greg Beaver
Date: Thu, 8 Dec 2005 07:59:18 +0000 (+0000)
Subject: improve error messages to state overrun when it exists. Also, catch overrun before...
X-Git-Tag: RELEASE_1_0_4~468
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=755e9c317297858fbd32d4b0f0dc9ef26bd6c7bf;p=php
improve error messages to state overrun when it exists. Also, catch overrun before we attempt to write beyond the buffer's end
---
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 9434111deb..a414742c8e 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -204,18 +204,21 @@ PHP_METHOD(PHP_Archive, mapPhar)
 i = 0;
 #define PHAR_GET_VAL(var) \
 if (buffer > endbuffer) { \
- MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest)")\
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (buffer overrun)")\
 } \
 unpack_var = (char *) &var; \
 var = 0; \
 for (i = 0; i < 4; i++) { \
 unpack_var[little_endian_long_map[i]] = *buffer++;\
+ if (buffer > endbuffer) { \
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (buffer overrun)")\
+ } \
 }
 if (4 != php_stream_read(fp, buffer, 4)) {
 MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest)")
 }
- endbuffer = buffer;
+ endbuffer = buffer + 5;
 PHAR_GET_VAL(manifest_len)
 buffer -= 4;
 if (manifest_len > 1048576) {
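Review bot: In `PHAR_GET_VAL` a byte is still dereferenced before it is validated, because the entry test `buffer > endbuffer` admits `buffer == endbuffer` and the added in-loop test runs only after `*buffer++` has already read. The new bound `endbuffer = buffer + 5` also sits past the 4 bytes that `php_stream_read` just filled, so the macro would accept reads at offsets 4 and 5 before reporting an overrun. Treating `endbuffer` as a one-past-the-end pointer, `endbuffer = buffer + 4;`, and doing a single length test before the loop, `if (endbuffer - buffer < 4) { MAPPHAR_FAIL("internal corruption of phar \"%s\" (buffer overrun)") }`, rejects a short buffer before any byte is touched and makes the per-iteration check unnecessary. The allocation of `buffer` and the definition of `MAPPHAR_FAIL` are outside this hunk, so it is worth confirming that the macro leaves the function rather than falling through to the next loop iteration. A short comment on `endbuffer` stating whether it is inclusive or exclusive would keep later uses of the macro consistent.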