PHP :: Bug #75691 :: off by one overflow

Bug #75691	off by one overflow
Submitted:	2017-12-15 08:18 UTC	Modified:	2017-12-15 18:40 UTC
From:	YangX92 at hotmail dot com	Assigned:
Status:	Not a bug	Package:	PHAR related
PHP Version:	7.2Git-2017-12-15 (Git)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2017-12-15 08:18 UTC] YangX92 at hotmail dot com

Description:
------------
There is a off-by-one overflow in phar_is_tar function in ext/phar/tar.c.

>>>
	char save[sizeof(header->checksum)], *bname;

	/* assume that the first filename in a tar won't begin with <?php */
	if (!strncmp(buf, "<?php", sizeof("<?php")-1)) {
		return 0;
	}

	memcpy(save, header->checksum, sizeof(header->checksum));
	memset(header->checksum, ' ', sizeof(header->checksum));
>>>
As code show above, the length of save should be sizeof(header->checksum)+1. Because, the char array should be terminated by the NULL character.

Test script:
---------------
No

Expected result:
----------------
No

Actual result:
--------------
No

Patches

patch_phar_tar_c.txt (last revision 2017-12-15 08:19 UTC by YangX92 at hotmail dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-12-15 08:26 UTC] requinix@php.net

-Status: Open +Status: Feedback

[2017-12-15 08:26 UTC] requinix@php.net

> the char array should be terminated by the NULL character
Why? It's a temporary array, not a string.

[2017-12-15 09:14 UTC] Yangx92 at hotmail dot com

I think the size should be len+1. If you think save is just the char array, there is no bug.

[2017-12-15 18:40 UTC] ab@php.net

-Status: Feedback +Status: Not a bug

[2017-12-15 18:40 UTC] ab@php.net

@YangX92 at hotmail dot com so is it, it's char[8] and is always used with sizeof.

Thanks.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Nov 17 01:00:01 2025 UTC