php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60164 Stubs of a specific length break phar_open_from_fp scanning for __HALT_COMPILER
Submitted: 2011-10-28 19:46 UTC Modified: 2011-11-19 04:59 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: ralph at ralphschindler dot com Assigned: stas
Status: Closed Package: PHAR related
PHP Version: 5.3SVN-2011-10-28 (snap) OS: All
Private report: No CVE-ID:
 [2011-10-28 19:46 UTC] ralph at ralphschindler dot com
Description:
------------
Stubs who's content before the __HALT_COMPILER(); registers between 1007 - 1023 
bytes (or an interval thereof) will force the function phar_open_from_fp() to 
incorrectly throw an MAPPHAR_ALLOC_FAIL() or:

Fatal error: Uncaught exception 'UnexpectedValueException' with message 'internal 
corruption of phar "xxx/test.phar" (__HALT_COMPILER(); not found)' in 
xxx/test.php:5

This is due to an incorrect index in the memmove() call inside the function that 
shifts the buffer to inspect the contents for the __HALT_COMPILER() token.

THis bug is exposed when opening a phar and iterating the contents.

Attached is a sample phar, test script, and patch

Test script:
---------------
<?php

$phar = __DIR__ . '/test.phar';

foreach (new RecursiveIteratorIterator(new Phar($phar, null, 'test.phar')) as $item) {
    echo $item . PHP_EOL;
}

?>


Expected result:
----------------
Iterate the results.

Actual result:
--------------
Fatal error: Uncaught exception 'UnexpectedValueException' with message 'internal 
corruption of phar "xxx/test.phar" (__HALT_COMPILER(); not found)' in 
xxx/test.php:5

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-10-28 19:50 UTC] ralph at ralphschindler dot com
This is the fix for the issue:

https://github.com/ralphschindler/php-
src/commit/5bf57e28b7090aaf0428a984b90a11d25c12b22e

I will prepare a patch for trunk/5_3/5_4 along with tests.
 [2011-11-08 04:45 UTC] stas@php.net
I don't see a patch attached to the bug. Could you attach it?
 [2011-11-08 04:45 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2011-11-19 04:59 UTC] stas@php.net
Automatic comment from SVN on behalf of stas
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=319538
Log: fix bug #60164 (Stubs of a specific length break phar_open_from_fp scanning for __HALT_COMPILER)
 [2011-11-19 04:59 UTC] stas@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: stas
 [2011-11-19 04:59 UTC] stas@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:47 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9fe3a605c6ab4867631ba1dc4cb55fdbed14c423
Log: fix bug #60164 (Stubs of a specific length break phar_open_from_fp scanning for __HALT_COMPILER)
 [2012-07-24 23:38 UTC] rasmus@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9fe3a605c6ab4867631ba1dc4cb55fdbed14c423
Log: fix bug #60164 (Stubs of a specific length break phar_open_from_fp scanning for __HALT_COMPILER)
 [2013-11-17 09:35 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9fe3a605c6ab4867631ba1dc4cb55fdbed14c423
Log: fix bug #60164 (Stubs of a specific length break phar_open_from_fp scanning for __HALT_COMPILER)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 15:02:26 2014 UTC