Bug #75691 off by one overflow
Submitted: 2017-12-15 08:18 UTC Modified: 2017-12-15 18:40 UTC
From: YangX92 at hotmail dot com Assigned:
Status: Not a bug Package: PHAR related
PHP Version: 7.2Git-2017-12-15 (Git) OS: Linux
Private report: No CVE-ID: None
 [2017-12-15 08:18 UTC] YangX92 at hotmail dot com
Description:
------------
There is an off-by-one overflow in the phar_is_tar function in ext/phar/tar.c.

>>>
	char save[sizeof(header->checksum)], *bname;

	/* assume that the first filename in a tar won't begin with <?php */
	if (!strncmp(buf, "<?php", sizeof("<?php")-1)) {
		return 0;
	}

	memcpy(save, header->checksum, sizeof(header->checksum));
	memset(header->checksum, ' ', sizeof(header->checksum));
>>>
As the code above shows, the length of save should be sizeof(header->checksum)+1, because the char array should be terminated by the NULL character.

Test script:
---------------
No

Expected result:
----------------
No

Actual result:
--------------
No

Patches

patch_phar_tar_c.txt (last revision 2017-12-15 08:19 UTC by YangX92 at hotmail dot com)


History

 [2017-12-15 08:26 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2017-12-15 08:26 UTC] requinix@php.net
> the char array should be terminated by the NULL character
Why? It's a temporary array, not a string.
 [2017-12-15 09:14 UTC] Yangx92 at hotmail dot com
I think the size should be len+1. If you think save is just the char array, there is no bug.
 [2017-12-15 18:40 UTC] ab@php.net
-Status: Feedback +Status: Not a bug
 [2017-12-15 18:40 UTC] ab@php.net
@YangX92 at hotmail dot com so is it, it's char[8] and is always used with sizeof.

Thanks.
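The point of the triage above, worked through as an added example that is not PHP's own code: a tar header checksum check built on the same save / space-fill / sum / restore steps as the reported snippet, where the 8-byte stash is only ever handled through memcpy with sizeof and so never needs a terminator. The tar_header struct, tar_checksum, tar_header_checksum_ok and make_sample_header are names assumed here, and the sample header is constructed, not real archive data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Minimal 512-byte ustar header: only name and checksum are named, the rest is padding. */
typedef struct {
    char name[100];
    char pad1[48];       /* mode, uid, gid, size, mtime */
    char checksum[8];    /* octal ASCII, conventionally "dddddd\0 " */
    char rest[356];
} tar_header;
/* Sum of every header byte; the caller has already spaced out the checksum field. */
static uint32_t tar_checksum(const unsigned char *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += buf[i];
    return sum;
}

/* Same save / space-fill / sum / restore pattern as the report's snippet. `save` is only
 * ever touched via memcpy with sizeof(header->checksum) == 8, never read as a C string. */
int tar_header_checksum_ok(tar_header *header)
{
    char save[sizeof(header->checksum)];
    memcpy(save, header->checksum, sizeof(header->checksum));
    memset(header->checksum, ' ', sizeof(header->checksum));
    uint32_t computed = tar_checksum((const unsigned char *)header, sizeof(*header));
    memcpy(header->checksum, save, sizeof(header->checksum));
    /* Parse the stored octal digits with an explicit bound; strtoul would scan
     * past the 8-byte field if no terminator were present. */
    uint32_t stored = 0;
    for (size_t i = 0; i < sizeof(header->checksum); i++) {
        char c = header->checksum[i];
        if (c == ' ' || c == '\0') break;
        if (c < '0' || c > '7') return 0;   /* not octal: reject */
        stored = stored * 8 + (uint32_t)(c - '0');
    }
    return stored == computed;
}

/* Constructed sample header (not real archive data) carrying a valid checksum. */
void make_sample_header(tar_header *header)
{
    memset(header, 0, sizeof(*header));
    memcpy(header->name, "hello.txt", 10);
    memset(header->checksum, ' ', sizeof(header->checksum));
    uint32_t sum = tar_checksum((const unsigned char *)header, sizeof(*header));
    for (int i = 5; i >= 0; i--) { header->checksum[i] = (char)('0' + (sum & 7)); sum >>= 3; }
    header->checksum[6] = '\0'; header->checksum[7] = ' ';
}
```

Every read of `save` is bounded by sizeof(header->checksum), which is what makes the missing terminator harmless; the parse loop shows the one place a terminator assumption would matter and avoids it.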
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Sep 24 09:03:36 2021 UTC