php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #69958 Segfault in Phar::convertToData on invalid file
Submitted: 2015-06-29 01:47 UTC Modified: 2015-08-09 08:51 UTC
From: stas@php.net Assigned: kaplan (profile)
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2015-06-29 (Git) OS:
Private report: No CVE-ID: 2015-5589
 [2015-06-29 01:47 UTC] stas@php.net
Description:
------------
Email by kwrnel at hotmail dot com:

char buf [512] in phar_parse_tarfile appears to be more than 512 bytes if
the file is not a valid tar. If inform a 512-byte file (dd if = / dev / zero of = exploit.tar bs = 512 count = 1) does not the segmentation fault, only error indicating that the file is not valid, but increase a byte, segmentation fault.



Test script:
---------------
<?php
/* If exploit.tar not is a valid tar file, segmentation fault occurs. */
$tarphar = new PharData('exploit.tar');
$phar = $tarphar->convertToData(Phar::TAR); 

Expected result:
----------------
No segfault

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00000001006b42a4 in _php_stream_free (stream=0x0, close_options=3) at /Users/smalyshev/phpGit/main/streams/streams.c:371
371                     context = PHP_STREAM_CONTEXT(stream);
(gdb) bt
#0  0x00000001006b42a4 in _php_stream_free (stream=0x0, close_options=3) at /Users/smalyshev/phpGit/main/streams/streams.c:371
#1  0x00000001003bd5e7 in phar_convert_to_other (source=0x10327a000, convert=2, ext=0x0, flags=0) at /Users/smalyshev/phpGit/ext/phar/phar_object.c:2301
#2  0x00000001003bdb25 in zim_Phar_convertToData (execute_data=0x103215100, return_value=0x1032150e0) at /Users/smalyshev/phpGit/ext/phar/phar_object.c:2505
#3  0x000000010085cdad in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x103215030) at /Users/smalyshev/phpGit/Zend/zend_vm_execute.h:834
#4  0x0000000100811d54 in execute_ex (ex=0x103215030) at /Users/smalyshev/phpGit/Zend/zend_vm_execute.h:406
#5  0x0000000100812791 in zend_execute (op_array=0x1032742a0, return_value=0x0) at /Users/smalyshev/phpGit/Zend/zend_vm_execute.h:447
#6  0x000000010076c1d0 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /Users/smalyshev/phpGit/Zend/zend.c:1389
#7  0x000000010068cdd3 in php_execute_script (primary_file=0x7fff5fbfed60) at /Users/smalyshev/phpGit/main/main.c:2475
#8  0x0000000100948b2b in do_cli (argc=2, argv=0x10300a8f0) at /Users/smalyshev/phpGit/sapi/cli/php_cli.c:967
#9  0x0000000100947613 in main (argc=2, argv=0x10300a8f0) at /Users/smalyshev/phpGit/sapi/cli/php_cli.c:1334


Patches

phar-69958 (last revision 2015-07-05 04:04 UTC by stas@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-05 04:04 UTC] stas@php.net
The following patch has been added/updated:

Patch Name: phar-69958
Revision:   1436069055
URL:        https://bugs.php.net/patch-display.php?bug=69958&patch=phar-69958&revision=1436069055
 [2015-07-07 16:38 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 16:38 UTC] stas@php.net
-Status: Open +Status: Closed
 [2015-07-07 17:10 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 17:10 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=452d30cf7d1ba36d7f8bb8aeff5fb3134376f873
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 17:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 17:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=452d30cf7d1ba36d7f8bb8aeff5fb3134376f873
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 17:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=00f177a5edb7f2578f75091fdf6fb1a1c8d994a2
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 17:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 17:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=452d30cf7d1ba36d7f8bb8aeff5fb3134376f873
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 23:36 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=00f177a5edb7f2578f75091fdf6fb1a1c8d994a2
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 23:36 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 23:36 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=452d30cf7d1ba36d7f8bb8aeff5fb3134376f873
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-08 14:56 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-08 14:56 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=452d30cf7d1ba36d7f8bb8aeff5fb3134376f873
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-08-09 08:51 UTC] kaplan@php.net
-Assigned To: +Assigned To: kaplan -CVE-ID: +CVE-ID: 2015-5589
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=00f177a5edb7f2578f75091fdf6fb1a1c8d994a2
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 09:01:32 2024 UTC