Patch phar69324.diff for PHAR related Bug #69324Patch version 2015-04-05 22:11 UTC Return to Bug #69324 | Download this patchThis patch renders other patches obsolete Obsolete patches: Patch Revisions: 2015-04-05 22:11 UTC | 2015-04-05 20:55 UTCDeveloper: stas@php.netcommit 48661e053aabef27b12759dd1cd8cdbe29b7fc9d Author: Stanislav Malyshev <stas@php.net> Date: Sun Apr 5 15:07:36 2015 -0700 Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar) diff --git a/NEWS b/NEWS index da926d5..fff4d61 100644 --- a/NEWS +++ b/NEWS @@ -12,7 +12,11 @@ PHP NEWS - Fileinfo: . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or - segfault). (Anatol Belski)) + segfault). (Anatol Belski) + +- Phar: + . Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). + (Stas) - SOAP: . Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() diff --git a/ext/phar/phar.c b/ext/phar/phar.c index ec82351..907da4f 100644 index ec82351..ec4579a 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -603,25 +603,18 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len * } } + if(len > endbuffer - buffer) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)"); + } + } + if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) { + MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); + } + buffer += len; Line 98 (now 121), was 14 lines, now 12 lines + if (entry.filename_len + 20 > endbuffer - buffer) { MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); } @@ -1110,20 +1104,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char entry.filename_len--; 
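Review bot: Both new bounds checks in ext/phar/phar.c compare an unsigned length against the signed difference `endbuffer - buffer`, and the manifest-entry check can wrap before the comparison happens. In `if (entry.filename_len + 20 > endbuffer - buffer)`, `filename_len` comes from the file and, if it is a 32-bit unsigned field (its declaration is not on this page), a value near the type's maximum makes the sum small enough to pass. Keeping the attacker-controlled value alone on one side avoids this: `if (endbuffer - buffer < 20 || entry.filename_len > (size_t)(endbuffer - buffer) - 20)`. The `if(len > endbuffer - buffer)` check likewise only holds if `buffer <= endbuffer` at that point, which the visible lines do not establish, so a one-line comment stating that invariant would help. The hunk text is incomplete on this page and both enclosing functions extend beyond it.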
@@ -1111,19 +1105,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char entry.flags |= PHAR_ENT_PERM_DEF_DIR; } - + + PHAR_GET_32(buffer, len); if (entry.is_persistent) { - PHAR_GET_32(buffer, entry.metadata_len); - if (!entry.metadata_len) buffer -= 4; +int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC); void destroy_phar_manifest_entry(void *pDest); int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC); php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC); diff --git a/ext/phar/tests/bug69324.phar b/ext/phar/tests/bug69324.phar new file mode 100644 index 0000000..0882d88 Binary files /dev/null and b/ext/phar/tests/bug69324.phar differ diff --git a/ext/phar/tests/bug69324.phpt b/ext/phar/tests/bug69324.phpt new file mode 100644 index 0000000..70e3f97 --- /dev/null +++ b/ext/phar/tests/bug69324.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #69324: Buffer Over-read in unserialize when parsing Phar +--SKIPIF-- +<?php +if (!extension_loaded("phar")) die("skip"); +?> +--FILE-- +<?php +try { +$p = new Phar(dirname(__FILE__).'/bug69324.phar', 0); +$meta=$p->getMetadata(); +var_dump($meta); +} catch(Exception $e) { + echo $e->getMessage(); +} +--EXPECTF-- +internal corruption of phar "%s" (truncated manifest entry) \ No newline at end of file |
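Review bot: The new ext/phar/tests/bug69324.phpt expects only the `(truncated manifest entry)` message, so the other rejection path this commit adds in phar.c, `(trying to read past buffer end)`, has no visible regression test. A second test case with its own `--EXPECTF--` line for that message would pin the metadata-length check as well. On the non-throwing path the test falls through to `var_dump($meta)`, so a regression would surface as a dump of whatever was parsed; an explicit marker such as `echo "phar was not rejected";` would make the failure easier to read.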