From: Greg Beaver
Date: Wed, 30 Apr 2008 23:49:09 +0000 (+0000)
Subject: fix possible read past end of buffer by ridiculously stupid convoluted logic (I wrote...
X-Git-Tag: RELEASE_2_0_0b1~126
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=93fd16ef4d00771aa64a46aed5b3a361f9d8a03d;p=php

fix possible read past end of buffer by ridiculously stupid convoluted logic (I wrote it, I can call it that) reported by valgrind
---
diff --git a/ext/phar/zip.c b/ext/phar/zip.c
index a436b8836c..633f59c0cc 100644
--- a/ext/phar/zip.c
+++ b/ext/phar/zip.c
@@ -175,7 +175,7 @@ int phar_open_zipfile(php_stream *fp, char *fname, int fname_len, char *alias, i
 }
 return FAILURE;
 }
- while ((p=(char *) memchr(p + 1, 'P', (size_t)(buf - (p+1) + sizeof(locator) + 65536 - 4 + 1))) != NULL) {
+ while ((p=(char *) memchr(p + 1, 'P', (size_t) (size - (p + 1 - buf)))) != NULL) {
 if (!memcmp(p + 1, "K\5\6", 3)) {
 memcpy((void *)&locator, (void *) p, sizeof(locator));
 if (locator.centraldisk != 0 || locator.disknumber != 0) {
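Review bot: The new `memchr` bound stops the scan at the end of the buffer, but the two reads that follow a hit are still not bounded by `size`. A `'P'` found within the last `sizeof(locator) - 1` bytes lets `memcmp(p + 1, "K\5\6", 3)`, and then `memcpy(..., p, sizeof(locator))`, read beyond `buf + size`. Guarding the match closes this, e.g. `if ((size_t)(p - buf) + sizeof(locator) <= (size_t) size && !memcmp(p + 1, "K\5\6", 3)) {`. This assumes `size` is the number of valid bytes in `buf`; its declaration and the initial value of `p` are outside the hunk, as is the rest of `phar_open_zipfile`. A short comment on the loop stating that `size - (p + 1 - buf)` is the count of bytes left after `p` would also make the bound easier to audit.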