Patch phar-69923 for PHAR related Bug #69923
Patch version 2015-07-05 06:49 UTC
Return to Bug #69923 |
Download this patch
Patch Revisions:
Developer: stas@php.net
commit 3e88d610e54dac75a374af9e8501f02da67e4466
Author: Stanislav Malyshev <stas@php.net>
Date: Sat Jul 4 23:47:48 2015 -0700
Fix bug #69923 - Buffer overflow and stack smashing error in phar_fix_filepath
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 223bfe8..ba73462 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -2142,7 +2142,7 @@ char *tsrm_strtok_r(char *s, const char *delim, char **last) /* {{{ */
*/
char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ */
{
- char newpath[MAXPATHLEN];
+ char *newpath;
int newpath_len;
char *ptr;
char *tok;
@@ -2150,8 +2150,10 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{
if (PHAR_G(cwd_len) && use_cwd && path_length > 2 && path[0] == '.' && path[1] == '/') {
newpath_len = PHAR_G(cwd_len);
+ newpath = emalloc(strlen(path) + newpath_len + 1);
memcpy(newpath, PHAR_G(cwd), newpath_len);
} else {
+ newpath = emalloc(strlen(path) + 2);
newpath[0] = '/';
newpath_len = 1;
}
@@ -2174,6 +2176,7 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{
if (*tok == '.') {
efree(path);
*new_len = 1;
+ efree(newpath);
return estrndup("/", 1);
}
break;
@@ -2181,9 +2184,11 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{
if (tok[0] == '.' && tok[1] == '.') {
efree(path);
*new_len = 1;
+ efree(newpath);
return estrndup("/", 1);
}
}
+ efree(newpath);
return path;
}
@@ -2232,7 +2237,8 @@ last_time:
efree(path);
*new_len = newpath_len;
- return estrndup(newpath, newpath_len);
+ newpath[newpath_len] = '\0';
+ return erealloc(newpath, newpath_len + 1);
}
/* }}} */
|