|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
Patchespatch_phar_tar_c.txt (last revision 2017-12-15 08:19 UTC by YangX92 at hotmail dot com)Pull RequestsHistoryAllCommentsChangesGit/SVN commits
[2017-12-15 08:26 UTC] requinix@php.net
-Status: Open
+Status: Feedback
[2017-12-15 08:26 UTC] requinix@php.net
[2017-12-15 09:14 UTC] Yangx92 at hotmail dot com
[2017-12-15 18:40 UTC] ab@php.net
-Status: Feedback
+Status: Not a bug
[2017-12-15 18:40 UTC] ab@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Tue Jul 01 19:01:37 2025 UTC |
Description: ------------ There is a off-by-one overflow in phar_is_tar function in ext/phar/tar.c. >>> char save[sizeof(header->checksum)], *bname; /* assume that the first filename in a tar won't begin with <?php */ if (!strncmp(buf, "<?php", sizeof("<?php")-1)) { return 0; } memcpy(save, header->checksum, sizeof(header->checksum)); memset(header->checksum, ' ', sizeof(header->checksum)); >>> As code show above, the length of save should be sizeof(header->checksum)+1. Because, the char array should be terminated by the NULL character. Test script: --------------- No Expected result: ---------------- No Actual result: -------------- No