[2020-03-04 23:14 UTC] cmb@php.net
-Status: Open
+Status: Duplicate
-Assigned To:
+Assigned To: cmb
[2020-03-04 23:14 UTC] cmb@php.net
Description:
------------
phar_parse_pharfile() uses incorrect manifest header size of 10 bytes instead of 14 bytes. This leads to several incorrect checks:

1) The constant should be 14 bytes, instead of 10:

    if (manifest_len < 10 || manifest_len != php_stream_read(fp, buffer, manifest_len)) {

This means that later the alias length (tmp_len) is read without being checked to be present in the buffer.

2) The alias length checks should be updated:

    if (buffer + tmp_len > endbuffer) {
        MAPPHAR_FAIL("internal corruption of phar \"%s\" (buffer overrun)");
    }
    if (manifest_len < 10 + tmp_len) {
        MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)")
    }

1st check is vulnerable to integer-overflow, and the 2nd uses incorrect size and is redundant.

Fix should be:

    if (tmp_len > endbuffer - buffer) {
        MAPPHAR_FAIL("internal corruption of phar \"%s\" (buffer overrun)");
    }
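
Added example, not part of the original report or of the PHP source: a C sketch comparing the two forms of the bounds check and applying the 14-byte minimum before the alias length is read. Assumptions: addresses are modelled as 32-bit integers so the wraparound is well defined, the header layout (4 file count, 2 API version, 4 flags, 4 alias length) follows the documented phar manifest format, and `alias_len_checked` is a hypothetical helper.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: 4 file count + 2 API version + 4 flags + 4 alias length. */
#define MANIFEST_HDR 14u

/* Little-endian 32-bit read; the caller guarantees 4 readable bytes. */
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Models `buffer + tmp_len > endbuffer` on 32-bit addresses. Integers are
 * used because overflowing a real pointer is undefined behaviour.
 * Returns 1 when the check rejects the input. */
int old_check_rejects(uint32_t buffer, uint32_t endbuffer, uint32_t tmp_len) {
    return (uint32_t)(buffer + tmp_len) > endbuffer;  /* the sum can wrap */
}

/* The form proposed in the report: compare against the bytes remaining. */
int new_check_rejects(uint32_t buffer, uint32_t endbuffer, uint32_t tmp_len) {
    return tmp_len > endbuffer - buffer;              /* nothing to wrap */
}

/* Hypothetical helper: return the alias length, or -1 if the manifest is
 * too short to hold the header or the alias it announces. */
long alias_len_checked(const unsigned char *manifest, size_t manifest_len) {
    if (manifest_len < MANIFEST_HDR)
        return -1;                      /* alias length field not present */
    uint32_t tmp_len = rd32(manifest + 10);
    const unsigned char *buffer = manifest + MANIFEST_HDR;
    const unsigned char *endbuffer = manifest + manifest_len;
    if (tmp_len > (size_t)(endbuffer - buffer))
        return -1;                      /* alias would run past the buffer */
    return (long)tmp_len;
}

int main(void) {
    /* Constructed values: a buffer near the top of a 32-bit address space. */
    uint32_t buf = 0xFFFFFF00u, end = 0xFFFFFF80u, len = 0x200u;
    printf("old rejects: %d, new rejects: %d\n",
           old_check_rejects(buf, end, len), new_check_rejects(buf, end, len));
    /* Constructed manifest: header announcing a 3-byte alias "abc". */
    unsigned char m[17] = {1,0,0,0, 0x11,0, 0,0,0,0, 3,0,0,0, 'a','b','c'};
    printf("alias length: %ld\n", alias_len_checked(m, sizeof m));
    return 0;
}
```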