From 449907fb7633b4db35b9da1795688c597967ba6c Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 19 Nov 2011 04:59:56 +0000 Subject: [PATCH] fix bug #60164 (Stubs of a specific length break phar_open_from_fp scanning for __HALT_COMPILER) --- NEWS | 2 + ext/phar/phar.c | 6 ++- ext/phar/tests/bug60164.phpt | 21 +++++++++ ext/phar/tests/files/stuboflength1041.phar | Bin 0 -> 1168 bytes .../tests/files/stuboflength1041.phar.inc | 42 ++++++++++++++++++ 5 files changed, 69 insertions(+), 2 deletions(-) create mode 100644 ext/phar/tests/bug60164.phpt create mode 100644 ext/phar/tests/files/stuboflength1041.phar create mode 100644 ext/phar/tests/files/stuboflength1041.phar.inc diff --git a/NEWS b/NEWS index ce53b99b6b..2c347f3458 100644 --- a/NEWS +++ b/NEWS @@ -42,6 +42,8 @@ PHP NEWS - Phar: . Fixed bug #60261 (NULL pointer dereference in phar). (Felipe) + . Fixed bug #60164 (Stubs of a specific length break phar_open_from_fp + scanning for __HALT_COMPILER). (Ralph Schindler) - Postgres: . Fixed bug #60244 (pg_fetch_* functions do not validate that row param diff --git a/ext/phar/phar.c b/ext/phar/phar.c index 24d8c428af..e201ca50d0 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -1569,7 +1569,9 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a const char zip_magic[] = "PK\x03\x04"; const char gz_magic[] = "\x1f\x8b\x08"; const char bz_magic[] = "BZh"; - char *pos, buffer[1024 + sizeof(token)], test = '\0'; + char *pos, test = '\0'; + const int window_size = 1024; + char buffer[window_size + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */ const long readsize = sizeof(buffer) - sizeof(token); const long tokenlen = sizeof(token) - 1; long halt_offset; 
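Review bot: In the first phar.c hunk, `char buffer[window_size + sizeof(token)];` is sized by a `const int` object, which is not an integer constant expression in C, so `buffer` becomes a variable-length array instead of a fixed-size one. That requires a compiler with VLA support, and `sizeof(buffer)` in the `readsize` initializer on the following line is then evaluated at run time. Keeping the window a true constant avoids both, for example `enum { window_size = 1024 };` in place of `const int window_size = 1024;`. The body of phar_open_from_fp continues outside this hunk.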
@@ -1717,7 +1719,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a } halt_offset += got; - memmove(buffer, buffer + tokenlen, got + 1); + memmove(buffer, buffer + window_size, tokenlen); /* move the memory buffer by the size of the window */ } MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (__HALT_COMPILER(); not found)") diff --git a/ext/phar/tests/bug60164.phpt b/ext/phar/tests/bug60164.phpt new file mode 100644 index 0000000000..8fd5de5146 --- /dev/null +++ b/ext/phar/tests/bug60164.phpt @@ -0,0 +1,21 @@ +--TEST-- +Phar: verify stub of specific length does not break __HALT_COMPILER(); scanning in php +--SKIPIF-- + +--INI-- +phar.require_hash=0 +phar.readonly=0 +--FILE-- +getFileName()); +} +?> +===DONE=== +--EXPECT-- +string(5) "a.php" +string(5) "b.php" +===DONE=== \ No newline at end of file diff --git a/ext/phar/tests/files/stuboflength1041.phar b/ext/phar/tests/files/stuboflength1041.phar new file mode 100644 index 0000000000000000000000000000000000000000..d90fb8f10daaed4b1816e32de8da0956d6ba514b GIT binary patch literal 1168 zcmcDqFUTn1($~_`DlREaQpitJ$VtshFUe3aG%zt#$jnR5DNV`DOIIk#NL9#4%qdYw z&d)8#%tL4C)5wDaym7^9A47brB8Vw?}5YXp}kN0r&35j?1_YLs$aShVYv{taU z>;|HSSCa1(~gQ@{3NJ3ZesetStub('setStub('
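Review bot: The new `memmove(buffer, buffer + window_size, tokenlen);` in the second phar.c hunk takes the carried-over bytes from a fixed offset, while the line above it advances `halt_offset` by `got`. The read that sets `got` is outside this hunk, but if it can return fewer than `window_size` bytes before end of stream, the bytes at `buffer + window_size` are not the tail of the data just read; on a first short read they would presumably be uninitialized stack contents. A `__HALT_COMPILER();` token straddling that boundary would then be missed, and since this scan decides where manifest parsing of a possibly untrusted archive starts, the carry should follow the real read length: `memmove(buffer, buffer + got, tokenlen);`. The added test only covers a stub of one specific length (stuboflength1041), so a short-read case would be worth adding as well.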