diff options
author | Remi Collet <remi@remirepo.net> | 2019-03-12 11:05:11 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2019-03-12 11:05:11 +0100 |
commit | 54c47c5cbf037ce982bf1868f79051c8af88bad3 (patch) | |
tree | 298507977d94b6b6fe84abc80c662e3dc2f73b7c /php-bug77396.patch | |
parent | c2b0e5687f6de20065ad435a37e060f87d03604a (diff) |
Fix #77396 Null Pointer Dereference in phar_create_or_parse_filename
Fix #77586 - phar_tar_writeheaders_int() buffer overflow
- spl:
Fix #77431 openFile() silently truncates after a null byte
- security fix synced with https://github.com/Microsoft/php-src/
Diffstat (limited to 'php-bug77396.patch')
-rw-r--r-- | php-bug77396.patch | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/php-bug77396.patch b/php-bug77396.patch new file mode 100644 index 0000000..4a37472 --- /dev/null +++ b/php-bug77396.patch @@ -0,0 +1,76 @@ +From 0bfb626af1429dbd51b9f860bc54027d4e94b754 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 3 Mar 2019 18:22:32 -0800 +Subject: [PATCH] Fix bug #77396 - Null Pointer Dereference in + phar_create_or_parse_filename + +(cherry picked from commit 7f0ab7c20c83a52862ad7c8acf31c3fa739f1274) +--- + ext/phar/phar.c | 3 +++ + ext/phar/tests/bug77396.phpt | 15 +++++++++++++++ + 2 files changed, 18 insertions(+) + create mode 100644 ext/phar/tests/bug77396.phpt + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index 6e5cec2462..850a6e6c46 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -1385,6 +1385,9 @@ int phar_create_or_parse_filename(char *fname, int fname_len, char *alias, int a + /* set up our manifest */ + mydata = ecalloc(1, sizeof(phar_archive_data)); + mydata->fname = expand_filepath(fname, NULL TSRMLS_CC); ++ if (mydata->fname == NULL) { ++ return FAILURE; ++ } + fname_len = strlen(mydata->fname); + #ifdef PHP_WIN32 + phar_unixify_path_separators(mydata->fname, fname_len); +diff --git a/ext/phar/tests/bug77396.phpt b/ext/phar/tests/bug77396.phpt +new file mode 100644 +index 0000000000..f7a2a2f026 +--- /dev/null ++++ b/ext/phar/tests/bug77396.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #77396 Relative filename exceeding maximum path length causes null pointer dereference. ++--SKIPIF-- ++<?php if (!extension_loaded("phar")) die("skip"); ?> ++--FILE-- ++<?php ++$path = '../' . str_repeat("x", PHP_MAXPATHLEN) . '.tar'; ++$phar = new PharData($path); ++?> ++--EXPECTF-- ++Fatal error: Uncaught UnexpectedValueException: Phar creation or opening failed in %s/bug77396.php:%d ++Stack trace: ++#0 %s/bug77396.php(%d): PharData->__construct(%s) ++#1 {main} ++ thrown in %s/bug77396.php on line %d + +From e03269512a8c092f1b1d2320b9f993795cf0fb76 Mon Sep 17 00:00:00 2001 +From: Anatol Belski <ab@php.net> +Date: Mon, 4 Mar 2019 14:28:47 +0100 +Subject: [PATCH] Fix test portability + +(cherry picked from commit 040196972c7a757200c2e1aa88f360322c38ffde) +--- + ext/exif/tests/bug77563.phpt | 8 ++++---- + ext/phar/tests/bug77396.phpt | 6 +++--- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/ext/phar/tests/bug77396.phpt b/ext/phar/tests/bug77396.phpt +index f7a2a2f026..ede25ff81f 100644 +--- a/ext/phar/tests/bug77396.phpt ++++ b/ext/phar/tests/bug77396.phpt +@@ -8,8 +8,8 @@ $path = '../' . str_repeat("x", PHP_MAXPATHLEN) . '.tar'; + $phar = new PharData($path); + ?> + --EXPECTF-- +-Fatal error: Uncaught UnexpectedValueException: Phar creation or opening failed in %s/bug77396.php:%d ++Fatal error: Uncaught UnexpectedValueException: Phar creation or opening failed in %s%ebug77396.php:%d + Stack trace: +-#0 %s/bug77396.php(%d): PharData->__construct(%s) ++#0 %s%ebug77396.php(%d): PharData->__construct(%s) + #1 {main} +- thrown in %s/bug77396.php on line %d ++ thrown in %s%ebug77396.php on line %d |