From 48050ca09d9dce6bc1a7f3e5ab74e1f010a8a0ff Mon Sep 17 00:00:00 2001
From: Greg Beaver
Date: Fri, 9 Dec 2005 19:55:29 +0000
Subject: [PATCH] add constraint check for number of manifest entries, and test
---
 ext/phar/phar.c | 5 +++++
 ext/phar/tests/008.phpt | 4 +---
 ext/phar/tests/009.phpt | 17 +++++++++++++++++
 3 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 ext/phar/tests/009.phpt
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index a414742c8e..d3b763aff4 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -237,6 +237,11 @@ PHP_METHOD(PHP_Archive, mapPhar)
 }
 /* extract the number of entries */
 PHAR_GET_VAL(manifest_count)
+ /* we have 4 32-bit items and each must contain a file name at least 1 byte in length */
+ if (manifest_count > (manifest_len / (4 * 5 + 1))) {
+ /* prevent serious memory issues */
+ MAPPHAR_FAIL("too many manifest entries for size of manifest in phar \"%s\"")
+ }
 /* set up our manifest */
 ALLOC_HASHTABLE(manifest);
 zend_hash_init(manifest, sizeof(phar_manifest_entry),
diff --git a/ext/phar/tests/008.phpt b/ext/phar/tests/008.phpt
index d101ba3cd1..9038512112 100644
--- a/ext/phar/tests/008.phpt
+++ b/ext/phar/tests/008.phpt
@@ -12,8 +12,6 @@ __HALT_COMPILER(); ?>";
 $file .= pack('V', 500) . 'notenough';
 file_put_contents(dirname(__FILE__) . '/008_phar.php', $file);
 include dirname(__FILE__) . '/008_phar.php';
-exit;
-PHP_Archive::mapPhar(5, 'hio', false);
-__HALT_COMPILER(); ?>
+?>
 --EXPECTF--
 Fatal error: PHP_Archive::mapPhar(): internal corruption of phar "%s" (truncated manifest) in %s on line %d
\ No newline at end of file
diff --git a/ext/phar/tests/009.phpt b/ext/phar/tests/009.phpt
new file mode 100644
index 0000000000..d2de92dbb1
--- /dev/null
+++ b/ext/phar/tests/009.phpt
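Review bot: In the mapPhar hunk of ext/phar/phar.c the new comment says each entry has "4 32-bit items" plus a file name of at least 1 byte, which is 17 bytes, but the guard divides by `(4 * 5 + 1)`, i.e. 21. One of the two is wrong: if the minimum entry really is 17 bytes the check rejects some valid archives, and if it is 21 the comment should read `/* each entry has 5 32-bit fields plus a file name of at least 1 byte */`; a named constant for the minimum entry size would keep the two in step. The guard is also only effective if `manifest_count` and `manifest_len` are unsigned, and their declarations are outside the hunk, so that is worth confirming. This check bounds the count against the manifest size only; the per-entry reads that follow (outside the hunk) still need their own bounds checks against the end of the buffer.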
@@ -0,0 +1,17 @@
+--TEST--
+PHP_Archive::mapPhar improper parameters
+--SKIPIF--
+
+--FILE--
+";
+$file .= pack('VV', 500, 500) . str_repeat('A', 500);
+file_put_contents(dirname(__FILE__) . '/008_phar.php', $file);
+include dirname(__FILE__) . '/008_phar.php';
+?>
+--EXPECTF--
+Fatal error: PHP_Archive::mapPhar(): too many manifest entries for size of manifest in phar "%s" in %s on line %d
\ No newline at end of file
--
2.40.0
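Review bot: The new test 009 writes and includes its fixture at `'/008_phar.php'`, the same path test 008 uses, so the two tests can overwrite or delete each other's file when run concurrently or after a failed cleanup; `'/009_phar.php'` in both the `file_put_contents` and `include` lines avoids that (several lines of this file are not visible on the page, so any cleanup code would need the same rename). The `--TEST--` title "PHP_Archive::mapPhar improper parameters" does not say what is checked; `PHP_Archive::mapPhar too many manifest entries` would match the expected error. The case uses 500 entries against a 500-byte manifest, far past the limit, so adding a count just above `manifest_len / 21` and one at the limit would pin the divisor used in phar.c.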