From: Stanislav Malyshev Date: Fri, 30 Dec 2016 23:57:24 +0000 (-0800) Subject: Fix bug #73768 - Memory corruption when loading hostile phar X-Git-Tag: php-5.6.30RC1~5^2~3 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b28b8b2fee6dfa6fcd13305c581bb835689ac3be;p=php Fix bug #73768 - Memory corruption when loading hostile phar --- diff --git a/ext/phar/phar.c b/ext/phar/phar.c index 532b4c3169..158f41739d 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -981,7 +981,6 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char /* if the alias is stored we enforce it (implicit overrides explicit) */ if (alias && alias_len && (alias_len != (int)tmp_len || strncmp(alias, buffer, tmp_len))) { - buffer[tmp_len] = '\0'; php_stream_close(fp); if (signature) { @@ -989,7 +988,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char } if (error) { - spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%s\" under different alias \"%s\"", fname, buffer, alias); + spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%.*s\" under different alias \"%s\"", fname, tmp_len, buffer, alias); } efree(savebuf); diff --git a/ext/phar/tests/bug73768.phar b/ext/phar/tests/bug73768.phar new file mode 100644 index 0000000000..3f429c2365 Binary files /dev/null and b/ext/phar/tests/bug73768.phar differ diff --git a/ext/phar/tests/bug73768.phpt b/ext/phar/tests/bug73768.phpt new file mode 100644 index 0000000000..37a4da0253 --- /dev/null +++ b/ext/phar/tests/bug73768.phpt @@ -0,0 +1,16 @@ +--TEST-- +Phar: PHP bug #73768: Memory corruption when loading hostile phar +--SKIPIF-- + +--FILE-- +getMessage(); +} +?> +--EXPECTF-- +cannot load phar "%sbug73768.phar" with implicit alias "" under different alias "alias.phar"