php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Return to Bug #69324
Patch phar69324.diff revision 2015-04-05 22:11 UTC by stas@php.net
revision 2015-04-05 20:55 UTC by stas@php.net

Patch phar69324.diff for PHAR related Bug #69324

Patch version 2015-04-05 22:11 UTC

Return to Bug #69324 | Download this patch
This patch renders other patches obsolete

Obsolete patches:

Patch Revisions: 2015-04-05 22:11 UTC | 2015-04-05 20:55 UTC

Developer: stas@php.net


 commit 48661e053aabef27b12759dd1cd8cdbe29b7fc9d
 Author: Stanislav Malyshev <stas@php.net>
 Date:   Sun Apr 5 15:07:36 2015 -0700
 
     Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar)
 
 diff --git a/NEWS b/NEWS
 index da926d5..fff4d61 100644
 --- a/NEWS
 +++ b/NEWS
 @@ -12,7 +12,11 @@ PHP                                                                        NEWS
  
  - Fileinfo:
    . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or 
 -    segfault). (Anatol Belski))
 +    segfault). (Anatol Belski)
 +
 +- Phar:
 +  . Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar).
 +    (Stas)
  
  - SOAP:
    . Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize()
  diff --git a/ext/phar/phar.c b/ext/phar/phar.c
 index ec82351..907da4f 100644
 index ec82351..ec4579a 100644
  --- a/ext/phar/phar.c
  +++ b/ext/phar/phar.c
  @@ -603,25 +603,18 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len
    * 


   		}
   	}
  +	if(len > endbuffer - buffer) {
  +		MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)");
 +	}	
 +	}
  +	if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) {
  +		MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
  +	}
  +	buffer += len;
Line 98 (now 121), was 14 lines, now 12 lines

  +		if (entry.filename_len + 20 > endbuffer - buffer) {
   			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
   		}
   
 @@ -1110,20 +1104,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
  			entry.filename_len--;
 @@ -1111,19 +1105,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
   			entry.flags |= PHAR_ENT_PERM_DEF_DIR;
   		}
 -
 +		
  
  +		PHAR_GET_32(buffer, len);
   		if (entry.is_persistent) {
  -			PHAR_GET_32(buffer, entry.metadata_len);
  -			if (!entry.metadata_len) buffer -= 4;


  +int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC);
   void destroy_phar_manifest_entry(void *pDest);
   int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC);
   php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC);
 diff --git a/ext/phar/tests/bug69324.phar b/ext/phar/tests/bug69324.phar
 new file mode 100644
 index 0000000..0882d88
 Binary files /dev/null and b/ext/phar/tests/bug69324.phar differ
 diff --git a/ext/phar/tests/bug69324.phpt b/ext/phar/tests/bug69324.phpt
 new file mode 100644
 index 0000000..70e3f97
 --- /dev/null
 +++ b/ext/phar/tests/bug69324.phpt
 @@ -0,0 +1,17 @@
 +--TEST--
 +Bug #69324: Buffer Over-read in unserialize when parsing Phar
 +--SKIPIF--
 +<?php
 +if (!extension_loaded("phar")) die("skip");
 +?>
 +--FILE--
 +<?php
 +try {
 +$p = new Phar(dirname(__FILE__).'/bug69324.phar', 0);
 +$meta=$p->getMetadata();
 +var_dump($meta);
 +} catch(Exception $e) {
 +	echo $e->getMessage();
 +}
 +--EXPECTF--
 +internal corruption of phar "%s" (truncated manifest entry)
 \ No newline at end of file
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 06:01:30 2024 UTC