Bug #73719 Suspect memory issue with certain tar.gz file / PharData
Submitted: 2016-12-11 22:29 UTC
Modified: 2016-12-27 07:01 UTC
Avg. Score: 4.0 ± 0.8
Reproduced: 3 of 3 (100.0%)
Same Version: 1 (33.3%)
Same OS: 1 (33.3%)
From: tklingenberg at lastflood dot net
Assigned:
Status: Open
Package: PHAR related
PHP Version: 7.0.14
OS: Tested on Ubuntu 16.04
Private report: No
CVE-ID: None

 [2016-12-11 22:29 UTC] tklingenberg at lastflood dot net
One user reported an issue that a tar-gz data-file for the Magento application didn't run with Magerun that uses Composer which then uses the PharData class under the hood.

File in question is:


SHASUM: `5ad29dc3df38d21b2407c49f66d5308b01961d60`

Creating the instance based on that file:

    php -r '$p = new PharData($argv[1]);' -- magento-sample-data- 

Creates the always reproducible error:

    PHP Fatal error:  Allowed memory size of -1 bytes exhausted (tried to allocate 18446744073709543424 bytes) in Command line code on line 1

This large number looked suspicious to me so I reported this under security. I have not further looked into it.

The tar-file itself is somewhat broken, if I verify it on my system I get some errors:

    $ tar -tzf magento-sample-data- >/dev/null

    gzip: stdin: decompression OK, trailing garbage ignored
    tar: Child returned status 2
    tar: Error is not recoverable: exiting now

I hope the information provided is useful.



 [2016-12-27 07:01 UTC]
-Type: Security
+Type: Bug
 [2016-12-27 07:01 UTC]
Don't see security problem here.
Last updated: Wed Sep 30 22:01:24 2020 UTC