Fix bug #73773 - Seg fault when loading hostile phar

smalyshev · smalyshev · commit e5246580a85f · 2016-12-31T18:47:50.000-08:00
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
@@ -1054,7 +1054,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 	entry.is_persistent = mydata->is_persistent;
 
 	for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
-		if (buffer + 24 > endbuffer) {
+		if (buffer + 28 > endbuffer) {
 			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
 		}
 
@@ -1068,7 +1068,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 			entry.manifest_pos = manifest_index;
 		}
 
-		if (entry.filename_len > endbuffer - buffer - 20) {
+		if (entry.filename_len > endbuffer - buffer - 24) {
 			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -1054,7 +1054,7 @@ static int phar_parse_pharfile(php_stream fp, char fname, int fname_len, char`
`1054`	`1054`	`entry.is_persistent = mydata->is_persistent;`
`1055`	`1055`
`1056`	`1056`	`for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {`
`1057`		`- if (buffer + 24 > endbuffer) {`
	`1057`	`+ if (buffer + 28 > endbuffer) {`
`1058`	`1058`	`MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")`
`1059`	`1059`	`}`
`1060`	`1060`
`@@ -1068,7 +1068,7 @@ static int phar_parse_pharfile(php_stream fp, char fname, int fname_len, char`
`1068`	`1068`	`entry.manifest_pos = manifest_index;`
`1069`	`1069`	`}`
`1070`	`1070`
`1071`		`- if (entry.filename_len > endbuffer - buffer - 20) {`
	`1071`	`+ if (entry.filename_len > endbuffer - buffer - 24) {`
`1072`	`1072`	`MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");`
`1073`	`1073`	`}`
`1074`	`1074`