Sec Bug #69958 Segfault in Phar::convertToData on invalid file
Submitted: 2015-06-29 01:47 UTC
Modified: 2015-08-09 08:51 UTC
From: stas@php.net
Assigned: kaplan
Status: Closed
Package: Reproducible crash
PHP Version: master-Git-2015-06-29 (Git)
OS:
Private report: No
CVE-ID: 2015-5589

 

 [2015-06-29 01:47 UTC] stas@php.net
Description:
------------
Email by kwrnel at hotmail dot com:

char buf[512] in phar_parse_tarfile appears to be more than 512 bytes if
the file is not a valid tar. If given a 512-byte file (dd if=/dev/zero of=exploit.tar bs=512 count=1), there is no segmentation fault, only an error indicating that the file is not valid; but increase it by one byte and a segmentation fault occurs.



Test script:
---------------
<?php
/* If exploit.tar is not a valid tar file, a segmentation fault occurs. */
$tarphar = new PharData('exploit.tar');
$phar = $tarphar->convertToData(Phar::TAR); 

Expected result:
----------------
No segfault

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00000001006b42a4 in _php_stream_free (stream=0x0, close_options=3) at /Users/smalyshev/phpGit/main/streams/streams.c:371
371                     context = PHP_STREAM_CONTEXT(stream);
(gdb) bt
#0  0x00000001006b42a4 in _php_stream_free (stream=0x0, close_options=3) at /Users/smalyshev/phpGit/main/streams/streams.c:371
#1  0x00000001003bd5e7 in phar_convert_to_other (source=0x10327a000, convert=2, ext=0x0, flags=0) at /Users/smalyshev/phpGit/ext/phar/phar_object.c:2301
#2  0x00000001003bdb25 in zim_Phar_convertToData (execute_data=0x103215100, return_value=0x1032150e0) at /Users/smalyshev/phpGit/ext/phar/phar_object.c:2505
#3  0x000000010085cdad in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x103215030) at /Users/smalyshev/phpGit/Zend/zend_vm_execute.h:834
#4  0x0000000100811d54 in execute_ex (ex=0x103215030) at /Users/smalyshev/phpGit/Zend/zend_vm_execute.h:406
#5  0x0000000100812791 in zend_execute (op_array=0x1032742a0, return_value=0x0) at /Users/smalyshev/phpGit/Zend/zend_vm_execute.h:447
#6  0x000000010076c1d0 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /Users/smalyshev/phpGit/Zend/zend.c:1389
#7  0x000000010068cdd3 in php_execute_script (primary_file=0x7fff5fbfed60) at /Users/smalyshev/phpGit/main/main.c:2475
#8  0x0000000100948b2b in do_cli (argc=2, argv=0x10300a8f0) at /Users/smalyshev/phpGit/sapi/cli/php_cli.c:967
#9  0x0000000100947613 in main (argc=2, argv=0x10300a8f0) at /Users/smalyshev/phpGit/sapi/cli/php_cli.c:1334
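
A pre-parse check for the kind of input described in this report, as an added example (it is not part of the bug report and is not PHP's fix). The names `tar_precheck` and `make_sample` are hypothetical, the whole-block length rule is a strict policy assumed here, and only the first header's checksum is verified.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define TAR_BLOCK 512
#define CHK_OFF 148 /* offset of the 8-byte header checksum field */
#define CHK_LEN 8
enum tar_verdict { TAR_OK, TAR_TOO_SHORT, TAR_NOT_BLOCK_ALIGNED, TAR_BAD_CHECKSUM };

/* Parse the octal ASCII checksum field; -1 if it holds no octal digits. */
static long parse_octal(const unsigned char *p, size_t n) {
    size_t i = 0, start;
    long v = 0;
    while (i < n && p[i] == ' ') i++;
    for (start = i; i < n && p[i] >= '0' && p[i] <= '7'; i++)
        v = v * 8 + (p[i] - '0');
    return i > start ? v : -1;
}

/* Sum of all header bytes, counting the checksum field as eight spaces. */
static long header_sum(const unsigned char *h) {
    long sum = 0;
    for (size_t i = 0; i < TAR_BLOCK; i++)
        sum += (i >= CHK_OFF && i < CHK_OFF + CHK_LEN) ? ' ' : h[i];
    return sum;
}

/* Cheap structural check to run before a file reaches the archive parser. */
enum tar_verdict tar_precheck(const unsigned char *buf, size_t len) {
    if (len < TAR_BLOCK) return TAR_TOO_SHORT;
    if (len % TAR_BLOCK != 0) return TAR_NOT_BLOCK_ALIGNED; /* strict policy (assumption) */
    if (parse_octal(buf + CHK_OFF, CHK_LEN) != header_sum(buf)) return TAR_BAD_CHECKSUM;
    return TAR_OK;
}

/* Constructed sample: header for "a.txt" plus one zero block; out needs 1024 bytes. */
size_t make_sample(unsigned char *out) {
    memset(out, 0, 2 * TAR_BLOCK);
    memcpy(out, "a.txt", 5);
    memcpy(out + 257, "ustar", 5);
    snprintf((char *)out + CHK_OFF, CHK_LEN, "%06lo", (unsigned long)header_sum(out));
    return 2 * TAR_BLOCK;
}

int main(void) {
    unsigned char zeros[513] = {0}, good[2 * TAR_BLOCK];
    size_t n = make_sample(good);
    printf("%d %d %d\n", tar_precheck(zeros, 512), tar_precheck(zeros, 513), tar_precheck(good, n));
    return 0;
}
```

Both files from the report are rejected: 512 zero bytes fail the checksum test and 513 zero bytes fail the block-length test. A check like this narrows what reaches the parser on an unpatched build; it does not replace running a PHP version that includes the fix.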


Patches

phar-69958 (last revision 2015-07-05 04:04 UTC by stas@php.net)

Pull Requests

History

 [2015-07-05 04:04 UTC] stas@php.net
The following patch has been added/updated:

Patch Name: phar-69958
Revision:   1436069055
URL:        https://bugs.php.net/patch-display.php?bug=69958&patch=phar-69958&revision=1436069055
 [2015-07-07 16:38 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 16:38 UTC] stas@php.net
-Status: Open +Status: Closed
 [2015-07-07 17:10 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 17:10 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=452d30cf7d1ba36d7f8bb8aeff5fb3134376f873
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 17:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 17:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=452d30cf7d1ba36d7f8bb8aeff5fb3134376f873
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 17:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=00f177a5edb7f2578f75091fdf6fb1a1c8d994a2
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 17:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 17:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=452d30cf7d1ba36d7f8bb8aeff5fb3134376f873
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 23:36 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=00f177a5edb7f2578f75091fdf6fb1a1c8d994a2
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 23:36 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-07 23:36 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=452d30cf7d1ba36d7f8bb8aeff5fb3134376f873
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-08 14:56 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-07-08 14:56 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=452d30cf7d1ba36d7f8bb8aeff5fb3134376f873
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 [2015-08-09 08:51 UTC] kaplan@php.net
-Assigned To: +Assigned To: kaplan -CVE-ID: +CVE-ID: 2015-5589
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=00f177a5edb7f2578f75091fdf6fb1a1c8d994a2
Log: Fix bug #69958 - Segfault in Phar::convertToData on invalid file
 