diff options
author | Remi Collet <fedora@famillecollet.com> | 2016-05-29 09:34:18 +0200 |
---|---|---|
committer | Remi Collet <fedora@famillecollet.com> | 2016-05-29 09:34:18 +0200 |
commit | d9b67ab38a64fbfc9f4e78c2ac10778a973e6e47 (patch) | |
tree | a80b3783589b6f43074252cdeefe722987d48fda /bug71331.patch | |
parent | 513a4869326566f785a234bf584848af46e663c8 (diff) |
PHP 5.4.45 + security fix from 5.5.36
Diffstat (limited to 'bug71331.patch')
-rw-r--r-- | bug71331.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/bug71331.patch b/bug71331.patch new file mode 100644 index 0000000..0151693 --- /dev/null +++ b/bug71331.patch @@ -0,0 +1,54 @@ +Backported from 5.5 for 5.4 by Remi Collet +binary patch dropped + + +From 9649ca1630433473a307d015ba1a79a4a7a779f5 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Thu, 14 Jan 2016 22:58:40 -0800 +Subject: [PATCH] Fixed bug #71331 - Uninitialized pointer in + phar_make_dirstream() + +--- + ext/phar/dirstream.c | 3 ++- + ext/phar/tar.c | 2 +- + ext/phar/tests/bug71331.phpt | 15 +++++++++++++++ + ext/phar/tests/bug71331.tar | Bin 0 -> 2560 bytes + 4 files changed, 18 insertions(+), 2 deletions(-) + create mode 100644 ext/phar/tests/bug71331.phpt + create mode 100644 ext/phar/tests/bug71331.tar + +diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c +index 75cf049..94958a2 100644 +--- a/ext/phar/dirstream.c ++++ b/ext/phar/dirstream.c +@@ -207,6 +207,7 @@ static php_stream *phar_make_dirstream(c + zend_hash_internal_pointer_reset(manifest); + + while (FAILURE != zend_hash_has_more_elements(manifest)) { ++ keylen = 0; + if (HASH_KEY_NON_EXISTANT == zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) { + break; + } +@@ -214,7 +215,7 @@ static php_stream *phar_make_dirstream(c + PHAR_STR(key, str_key); + + if (keylen <= (uint)dirlen) { +- if (keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) { ++ if (keylen == 0 || keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) { + PHAR_STR_FREE(str_key); + if (SUCCESS != zend_hash_move_forward(manifest)) { + break; +diff --git a/ext/phar/tar.c b/ext/phar/tar.c +index 3a4bd49..bf19e08 100644 +--- a/ext/phar/tar.c ++++ b/ext/phar/tar.c +@@ -347,7 +347,7 @@ bail: + entry.filename_len = entry.uncompressed_filesize; + + /* Check for overflow - bug 61065 */ +- if (entry.filename_len == UINT_MAX) { ++ if (entry.filename_len == UINT_MAX || entry.filename_len == 0) { + if (error) { + spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname); + } + |