Bug #66960 phar long filename crash
Submitted: 2014-03-26 14:20 UTC Modified: 2018-01-09 03:40 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: twratajczak at gmail dot com Assigned: bishop (profile)
Status: Closed Package: PHAR related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2014-03-26 14:20 UTC] twratajczak at gmail dot com
Description:
------------
Performing file operations through phar:// with filenames over MAXPATHLEN causes a crash:

*** stack smashing detected ***: php terminated

Test script:
---------------
<?php
$p = new Phar('/tmp/a.phar');
file_exists('phar:///tmp/a.phar/'. str_repeat("a", 4100));

// only for this test case phar.readonly=Off is required

Expected result:
----------------
file_exists returning false

Actual result:
--------------
Program terminated with signal 6, Aborted.
#0  0x00007f5960d9cf77 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007f5960d9cf77 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f5960da05e8 in __GI_abort () at abort.c:90
#2  0x00007f5960dda4fb in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7f5960eebf10 "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:199
#3  0x00007f5960e7808c in __GI___fortify_fail (msg=<optimized out>, msg@entry=0x7f5960eebef8 "stack smashing detected") at fortify_fail.c:37
#4  0x00007f5960e78030 in __stack_chk_fail () at stack_chk_fail.c:28
#5  0x00000000004c048f in phar_set_inode (entry=0x7fff95d1c6d0) at /home/tratajczak/Downloads/php-master-201403261230/ext/phar/phar_internal.h:542
#6  0x6161616161616161 in ?? ()
...
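
The backtrace above shows the stack canary check failing in phar_set_inode, with the saved return address overwritten by `a` bytes from the test filename. The C sketch below is an added example, not part of the original report and not PHP's source. It assumes a helper that joins an archive path and an entry name in a MAXPATHLEN-sized stack buffer before hashing, and shows a length check that rejects over-long names; `entry_id_checked`, `fnv1a` and the 4096 fallback value are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 4096 /* assumed for this sketch; platform-defined in practice */
#endif

/* FNV-1a as a stand-in hash (an assumption, not the hash PHP uses). */
static uint32_t fnv1a(const char *s, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= (unsigned char)s[i];
        h *= 16777619u;
    }
    return h;
}

/*
 * Hypothetical helper: hash "archive path + entry name" via a stack buffer.
 * Two unchecked memcpy() calls into tmp would write past the buffer once
 * alen + elen exceeds MAXPATHLEN, so the lengths are validated first.
 * Returns 0 and stores the id, or -1 if the combined name does not fit.
 */
static int entry_id_checked(const char *archive, size_t alen,
                            const char *entry, size_t elen,
                            unsigned short *id)
{
    char tmp[MAXPATHLEN];

    /* Compare against remaining room so alen + elen cannot wrap around. */
    if (alen > sizeof(tmp) || elen > sizeof(tmp) - alen)
        return -1;
    memcpy(tmp, archive, alen);
    memcpy(tmp + alen, entry, elen);
    *id = (unsigned short)fnv1a(tmp, alen + elen);
    return 0;
}

int main(void)
{
    char name[4100]; /* constructed input: same length as the test script */
    unsigned short id = 0;
    memset(name, 'a', sizeof(name));
    printf("long entry:  %d\n", entry_id_checked("/tmp/a.phar", 11, name, sizeof(name), &id));
    printf("short entry: %d\n", entry_id_checked("/tmp/a.phar", 11, "/index.php", 10, &id));
    return 0;
}
```

A caller that treats -1 as "no such entry" gets the behaviour the report expects: the lookup fails cleanly instead of aborting.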

 [2018-01-08 01:42 UTC] bishop@php.net
-Status: Open
+Status: Feedback
-Assigned To:
+Assigned To: bishop
 [2018-01-08 01:42 UTC] bishop@php.net
I am not seeing this behavior in the 7.1 series on CentOS 7. Can you reproduce it in any current PHP version (as of today, 7.1+)? If so, on what OS and architecture?
 [2018-01-08 20:28 UTC] twratajczak at gmail dot com
I can verify that with PHP 7.1.11-0ubuntu0.17.10.1 this code works as expected. Thanks
 [2018-01-09 03:40 UTC] bishop@php.net
-Status: Feedback
+Status: Closed
 [2018-01-09 03:40 UTC] bishop@php.net
Glad it no longer recurs! I've added a test just to be sure it doesn't appear in future versions.
Last updated: Fri Mar 29 01:01:28 2024 UTC