File: CVE-2012-2386.patch

package info (click to toggle)

php5 5.3.3.1-7%2Bsqueeze29

links: PTS, VCS
area: main
in suites: squeeze-lts
size: 123,520 kB
ctags: 55,742
sloc: ansic: 633,963; php: 19,620; sh: 11,344; xml: 5,816; cpp: 2,400; yacc: 1,745; exp: 1,514; makefile: 1,019; pascal: 623; awk: 537; sql: 22

file content (33 lines) | stat: -rw-r--r-- 1,038 bytes

parent folder | download | duplicates (3)

From a10e778bfb7ce9caa1f91666ddf2705db7982d68 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 15 May 2012 22:34:34 -0700
Subject: [PATCH] fix bug #61065

---
 ext/phar/tar.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index 9d1e5bc..b914db1 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -337,6 +337,16 @@ bail:
 			last_was_longlink = 1;
 			/* support the ././@LongLink system for storing long filenames */
 			entry.filename_len = entry.uncompressed_filesize;
+
+			/* Check for overflow - bug 61065 */
+			if (entry.filename_len == UINT_MAX) {
+				if (error) {
+					spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname);
+				}
+				php_stream_close(fp);
+				phar_destroy_phar_data(myphar TSRMLS_CC);
+				return FAILURE;
+			}
 			entry.filename = pemalloc(entry.filename_len+1, myphar->is_persistent);
 
 			read = php_stream_read(fp, entry.filename, entry.filename_len);
-- 
1.7.8