Bug #73763 phar header miscalculation
Submitted: 2016-12-16 21:04 UTC
Modified: 2020-03-04 23:14 UTC
From: eyal dot itkin at gmail dot com
Assigned: cmb
Status: Duplicate
Package: PHAR related
PHP Version: 7.1.0
OS:
Private report: No
CVE-ID: None
 [2016-12-16 21:04 UTC] eyal dot itkin at gmail dot com
Description:
------------
phar_parse_pharfile() uses an incorrect manifest header size of 10 bytes instead of 14 bytes. This leads to several incorrect checks:

1) The constant should be 14 bytes, instead of 10:

if (manifest_len < 10 || manifest_len != php_stream_read(fp, buffer, manifest_len)) {

This means that later the alias length (tmp_len) is read without being checked to be present in the buffer.

2) The alias length checks should be updated:

if (buffer + tmp_len > endbuffer) {
	MAPPHAR_FAIL("internal corruption of phar \"%s\" (buffer overrun)");
}
if (manifest_len < 10 + tmp_len) {
	MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)")
}

The 1st check is vulnerable to integer overflow, and the 2nd uses an incorrect size and is redundant. The fix should be:
if (tmp_len > endbuffer - buffer) {
	MAPPHAR_FAIL("internal corruption of phar \"%s\" (buffer overrun)");
}
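
Added example, not part of the report and not php-src code: a standalone parser for the fixed manifest header that applies the 14-byte minimum and the length-based alias check, plus a 32-bit address model showing how the pointer-sum check wraps. The struct, function names and the field layout (file count, API version, flags, alias length) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed fixed manifest header: file count (4) + API version (2) + flags (4) + alias length (4). */
#define MANIFEST_FIXED_LEN 14

struct manifest_hdr {            /* hypothetical type for this example */
    uint32_t file_count, flags, alias_len;
    uint16_t api_version;
    const uint8_t *alias;        /* points into the caller's buffer */
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 0 = ok, -1 = fixed header truncated, -2 = alias runs past the buffer. */
int parse_manifest_header(const uint8_t *buf, size_t len, struct manifest_hdr *out) {
    const uint8_t *p = buf, *end = buf + len;
    if (len < MANIFEST_FIXED_LEN)      /* covers the alias length field too */
        return -1;
    out->file_count  = rd32le(p);                      p += 4;
    out->api_version = (uint16_t)(p[0] << 8 | p[1]);   p += 2;  /* byte order assumed */
    out->flags       = rd32le(p);                      p += 4;
    out->alias_len   = rd32le(p);                      p += 4;
    /* Compare lengths: end - p cannot wrap, whereas p + alias_len can. */
    if (out->alias_len > (size_t)(end - p))
        return -2;
    out->alias = p;
    return 0;
}

/* 32-bit address model of the original check "buffer + tmp_len > endbuffer": 1 = rejected. */
int ptr_check_rejects32(uint32_t buf, uint32_t end, uint32_t tmp_len) {
    return (uint32_t)(buf + tmp_len) > end;   /* sum wraps modulo 2^32 */
}

/* Same model for the reported fix "tmp_len > endbuffer - buffer". */
int len_check_rejects32(uint32_t buf, uint32_t end, uint32_t tmp_len) {
    return tmp_len > end - buf;
}

int main(void) {
    /* Constructed input: 14-byte header claiming a 0xffffffff-byte alias, no alias bytes. */
    uint8_t big[14] = {0,0,0,0, 0,0, 0,0,0,0, 0xff,0xff,0xff,0xff};
    struct manifest_hdr h;
    int wrapped = ptr_check_rejects32(0xbfff0000u, 0xbfff0100u, 0xffffff00u);  /* 0: accepted */
    return !(parse_manifest_header(big, sizeof big, &h) == -2 && wrapped == 0);
}
```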


 [2020-03-04 23:14 UTC] cmb@php.net
-Status: Open
+Status: Duplicate
-Assigned To:
+Assigned To: cmb
 [2020-03-04 23:14 UTC] cmb@php.net
This issue seems to have been fixed in the meantime[1], so I'm
closing as duplicate of bug #77143.

[1] <http://git.php.net/?p=php-src.git;a=commit;h=54212674b924aab506471060ff64986cda375f71>