components/php-5_3/php-sapi/patches/262_php_20936509.patch
branchs11-update
changeset 4499 4e8085696007
4497:7665830787a5 4499:4e8085696007
       
     1 CVE-2015-3329
       
     2 Community BUG:
       
     3 https://bugs.php.net/bug.php?id=69441
       
     4 Community CODE:
       
     5 http://git.php.net/?p=php-src.git;a=commit;h=f59b67ae50064560d7bfcdb0d6a8ab284179053c
       
     6 Below is the community patch.
       
     7 
       
     8 Not including the test files at the moment:
       
     9 ext/phar/tests/bug69441.phar
       
    10 ext/phar/tests/bug69441.phpt
       
    11 because our version of gpatch doesn't understand the git binary data file.
       
    12 
       
    13 
       
    14 From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001
       
    15 From: Stanislav Malyshev <[email protected]>
       
    16 Date: Tue, 14 Apr 2015 00:03:50 -0700
       
    17 Subject: [PATCH] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in
       
    18  phar_set_inode)
       
    19 
       
    20 ---
       
    21  ext/phar/phar_internal.h     |   9 ++++++---
       
    22  ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes
       
    23  ext/phar/tests/bug69441.phpt |  21 +++++++++++++++++++++
       
    24  3 files changed, 27 insertions(+), 3 deletions(-)
       
    25  create mode 100644 ext/phar/tests/bug69441.phar
       
    26  create mode 100644 ext/phar/tests/bug69441.phpt
       
    27 
       
    28 diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
       
    29 index fcfc864..84282d2 100644
       
    30 --- a/ext/phar/phar_internal.h
       
    31 +++ b/ext/phar/phar_internal.h
       
    32 @@ -618,10 +618,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */
       
    33  {
       
    34  	char tmp[MAXPATHLEN];
       
    35  	int tmp_len;
       
    36 +	size_t len;
       
    37  
       
    38 -	tmp_len = entry->filename_len + entry->phar->fname_len;
       
    39 -	memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
       
    40 -	memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
       
    41 +	tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
       
    42 +	len = MIN(entry->phar->fname_len, tmp_len);
       
    43 +	memcpy(tmp, entry->phar->fname, len);
       
    44 +	len = MIN(tmp_len - len, entry->filename_len);
       
    45 +	memcpy(tmp + entry->phar->fname_len, entry->filename, len);
       
    46  	entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
       
    47  }
       
    48  /* }}} */
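Review bot: The second `memcpy` in phar_set_inode still uses `tmp + entry->phar->fname_len` as its destination, so the offset is the unclamped archive-name length and only the copy length is clamped. When `fname_len` exceeds `MAXPATHLEN` the computed length is 0 and nothing is written, but the pointer is formed past the end of `tmp`, which is undefined behaviour and leaves the bound resting on the length arithmetic rather than on the offset. Keeping the first clamped length and reusing it as the offset makes the bound explicit: `len1 = MIN(entry->phar->fname_len, tmp_len);` followed by `memcpy(tmp + len1, entry->filename, len2);`. `tmp_len` is an `int` while `len` is a `size_t` inside `MIN`, and the field types are not visible here, so it is worth confirming that `entry->filename_len + entry->phar->fname_len` cannot wrap or go negative before the clamp. The patch header says bug69441.phpt and its .phar fixture are left out, so this fix lands without its regression test in this tree.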