From 6dedeb40db13971af45276f80b5375030aa7e76f Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 4 Jul 2015 23:47:48 -0700 Subject: [PATCH] Fix bug #69923 - Buffer overflow and stack smashing error in phar_fix_filepath --- ext/phar/phar.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/ext/phar/phar.c b/ext/phar/phar.c index 223bfe84c6..ba73462936 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -2142,7 +2142,7 @@ char *tsrm_strtok_r(char *s, const char *delim, char **last) /* {{{ */ */ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ */ { - char newpath[MAXPATHLEN]; + char *newpath; int newpath_len; char *ptr; char *tok; @@ -2150,8 +2150,10 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ if (PHAR_G(cwd_len) && use_cwd && path_length > 2 && path[0] == '.' && path[1] == '/') { newpath_len = PHAR_G(cwd_len); + newpath = emalloc(strlen(path) + newpath_len + 1); memcpy(newpath, PHAR_G(cwd), newpath_len); } else { + newpath = emalloc(strlen(path) + 2); newpath[0] = '/'; newpath_len = 1; } @@ -2174,6 +2176,7 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ if (*tok == '.') { efree(path); *new_len = 1; + efree(newpath); return estrndup("/", 1); } break; @@ -2181,9 +2184,11 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ if (tok[0] == '.' && tok[1] == '.') { efree(path); *new_len = 1; + efree(newpath); return estrndup("/", 1); } } + efree(newpath); return path; } @@ -2232,7 +2237,8 @@ last_time: efree(path); *new_len = newpath_len; - return estrndup(newpath, newpath_len); + newpath[newpath_len] = '\0'; + return erealloc(newpath, newpath_len + 1); } /* }}} */ -- 2.40.0