From: Greg Beaver <cellog@php.net>
Date: Fri, 25 Apr 2008 04:35:10 +0000 (+0000)
Subject: fix potentially serious security issue: buffer overrun if the tar filename > 101... 
X-Git-Tag: RELEASE_2_0_0b1~212
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7c7b387cc323bc372fe15f62fb1efdfb705e02a3;p=php

fix potentially serious security issue: buffer overrun if the tar filename > 101 characters in length.  This fixes tests/tar/bignames.phpt
---

diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index 7c804d5d62..fccc33c5a7 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -208,7 +208,12 @@ int phar_open_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, i
 			char name[256];
 
 			strcpy(name, hdr->prefix);
-			strcat(name, hdr->name);
+			/* remove potential buffer overflow */
+			if (hdr->name[99]) {
+				strncat(name, hdr->name, 100);
+			} else {
+				strcat(name, hdr->name);
+			}
 			entry.filename_len = strlen(hdr->prefix) + 100;
 			if (name[entry.filename_len - 1] == '/') {
 				/* some tar programs store directories with trailing slash */