summaryrefslogtreecommitdiffstats
path: root/bug71331.patch
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2016-05-29 09:34:18 +0200
committerRemi Collet <fedora@famillecollet.com>2016-05-29 09:34:18 +0200
commitd9b67ab38a64fbfc9f4e78c2ac10778a973e6e47 (patch)
treea80b3783589b6f43074252cdeefe722987d48fda /bug71331.patch
parent513a4869326566f785a234bf584848af46e663c8 (diff)
PHP 5.4.45 + security fix from 5.5.36
Diffstat (limited to 'bug71331.patch')
-rw-r--r--bug71331.patch54
1 files changed, 54 insertions, 0 deletions
diff --git a/bug71331.patch b/bug71331.patch
new file mode 100644
index 0000000..0151693
--- /dev/null
+++ b/bug71331.patch
@@ -0,0 +1,54 @@
+Backported from 5.5 for 5.4 by Remi Collet
+binary patch dropped
+
+
+From 9649ca1630433473a307d015ba1a79a4a7a779f5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Thu, 14 Jan 2016 22:58:40 -0800
+Subject: [PATCH] Fixed bug #71331 - Uninitialized pointer in
+ phar_make_dirstream()
+
+---
+ ext/phar/dirstream.c | 3 ++-
+ ext/phar/tar.c | 2 +-
+ ext/phar/tests/bug71331.phpt | 15 +++++++++++++++
+ ext/phar/tests/bug71331.tar | Bin 0 -> 2560 bytes
+ 4 files changed, 18 insertions(+), 2 deletions(-)
+ create mode 100644 ext/phar/tests/bug71331.phpt
+ create mode 100644 ext/phar/tests/bug71331.tar
+
+diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c
+index 75cf049..94958a2 100644
+--- a/ext/phar/dirstream.c
++++ b/ext/phar/dirstream.c
+@@ -207,6 +207,7 @@ static php_stream *phar_make_dirstream(c
+ zend_hash_internal_pointer_reset(manifest);
+
+ while (FAILURE != zend_hash_has_more_elements(manifest)) {
++ keylen = 0;
+ if (HASH_KEY_NON_EXISTANT == zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) {
+ break;
+ }
+@@ -214,7 +215,7 @@ static php_stream *phar_make_dirstream(c
+ PHAR_STR(key, str_key);
+
+ if (keylen <= (uint)dirlen) {
+- if (keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
++ if (keylen == 0 || keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
+ PHAR_STR_FREE(str_key);
+ if (SUCCESS != zend_hash_move_forward(manifest)) {
+ break;
+diff --git a/ext/phar/tar.c b/ext/phar/tar.c
+index 3a4bd49..bf19e08 100644
+--- a/ext/phar/tar.c
++++ b/ext/phar/tar.c
+@@ -347,7 +347,7 @@ bail:
+ entry.filename_len = entry.uncompressed_filesize;
+
+ /* Check for overflow - bug 61065 */
+- if (entry.filename_len == UINT_MAX) {
++ if (entry.filename_len == UINT_MAX || entry.filename_len == 0) {
+ if (error) {
+ spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname);
+ }
+