1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
|
From 17cbd0b5b78a7500f185b3781a2149881bfff8ae Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 5 Apr 2015 15:07:36 -0700
Subject: [PATCH] Fixed bug #69324 (Buffer Over-read in unserialize when
parsing Phar)
---
ext/phar/phar.c | 65 ++++++++++++++++++++-----------------------
ext/phar/phar_internal.h | 2 +-
ext/phar/tests/bug69324.phar | Bin 0 -> 269 bytes
ext/phar/tests/bug69324.phpt | 17 +++++++++++
4 files changed, 48 insertions(+), 36 deletions(-)
create mode 100644 ext/phar/tests/bug69324.phar
create mode 100644 ext/phar/tests/bug69324.phpt
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index d3b52a3..8bc7b61 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -601,25 +601,18 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len
*
* data is the serialized zval
*/
-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */
+int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */
{
const unsigned char *p;
- php_uint32 buf_len;
php_unserialize_data_t var_hash;
- if (!zip_metadata_len) {
- PHAR_GET_32(*buffer, buf_len);
- } else {
- buf_len = zip_metadata_len;
- }
-
- if (buf_len) {
+ if (zip_metadata_len) {
ALLOC_ZVAL(*metadata);
INIT_ZVAL(**metadata);
p = (const unsigned char*) *buffer;
PHP_VAR_UNSERIALIZE_INIT(var_hash);
- if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) {
+ if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) {
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
zval_ptr_dtor(metadata);
*metadata = NULL;
@@ -631,19 +624,14 @@ int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSR
if (PHAR_G(persist)) {
/* lazy init metadata */
zval_ptr_dtor(metadata);
- *metadata = (zval *) pemalloc(buf_len, 1);
- memcpy(*metadata, *buffer, buf_len);
- *buffer += buf_len;
+ *metadata = (zval *) pemalloc(zip_metadata_len, 1);
+ memcpy(*metadata, *buffer, zip_metadata_len);
return SUCCESS;
}
} else {
*metadata = NULL;
}
- if (!zip_metadata_len) {
- *buffer += buf_len;
- }
-
return SUCCESS;
}
/* }}}*/
@@ -664,6 +652,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
phar_entry_info entry;
php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags;
php_uint16 manifest_ver;
+ php_uint32 len;
long offset;
int sig_len, register_alias = 0, temp_alias = 0;
char *signature = NULL;
@@ -1029,16 +1018,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
mydata->is_persistent = PHAR_G(persist);
/* check whether we have meta data, zero check works regardless of byte order */
+ PHAR_GET_32(buffer, len);
if (mydata->is_persistent) {
- PHAR_GET_32(buffer, mydata->metadata_len);
- if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) {
- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
- }
- } else {
- if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) {
- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
+ mydata->metadata_len = len;
+ if(!len) {
+ /* FIXME: not sure why this is needed but removing it breaks tests */
+ PHAR_GET_32(buffer, len);
}
}
+ if(len > endbuffer - buffer) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)");
+ }
+ if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) {
+ MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
+ }
+ buffer += len;
/* set up our manifest */
zend_hash_init(&mydata->manifest, manifest_count,
@@ -1073,7 +1067,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
entry.manifest_pos = manifest_index;
}
- if (buffer + entry.filename_len + 20 > endbuffer) {
+ if (entry.filename_len + 20 > endbuffer - buffer) {
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
}
@@ -1109,19 +1103,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
entry.flags |= PHAR_ENT_PERM_DEF_DIR;
}
+ PHAR_GET_32(buffer, len);
if (entry.is_persistent) {
- PHAR_GET_32(buffer, entry.metadata_len);
- if (!entry.metadata_len) buffer -= 4;
- if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) {
- pefree(entry.filename, entry.is_persistent);
- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
- }
+ entry.metadata_len = len;
} else {
- if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) {
- pefree(entry.filename, entry.is_persistent);
- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
- }
+ entry.metadata_len = 0;
+ }
+ if (len > endbuffer - buffer) {
+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+ }
+ if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) {
+ pefree(entry.filename, entry.is_persistent);
+ MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
}
+ buffer += len;
entry.offset = entry.offset_abs = offset;
offset += entry.compressed_filesize;
diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
index c862c49..9b18e9e 100644
--- a/ext/phar/phar_internal.h
+++ b/ext/phar/phar_internal.h
@@ -597,7 +597,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len,
char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC);
char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC);
phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error TSRMLS_DC);
-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC);
+int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC);
void destroy_phar_manifest_entry(void *pDest);
int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC);
php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC);
diff --git a/ext/phar/tests/bug69324.phar b/ext/phar/tests/bug69324.phar
new file mode 100644
index 0000000000000000000000000000000000000000..0882d88c224216896e5923705374e985efb6e603
GIT binary patch
literal 269
zcmcDqFUTlRh>!Ph^a+V~_V*3&^l=T+(6m;tw|m9Fz`zK^0$`dMNM>Z_14*!85=iDi
z5337^{`r1i;Wi-SKagE)Wo~Gtl#!`Wl95`Js$>n4PexXpe}5+%NU<_dBGJmosyfrk
zz`7X70BTaQ&a^TFa!jq1pxSFeT2qkqpYggo1EgOcrXQ{sSzoc0v6WI<e!ddWG$1P}
pu}I0fHZdtVC0ge2z08XT8~3f*W4QC7t7V7vtNBboquiZ*od9q8MauvH
literal 0
HcmV?d00001
diff --git a/ext/phar/tests/bug69324.phpt b/ext/phar/tests/bug69324.phpt
new file mode 100644
index 0000000..70e3f97
--- /dev/null
+++ b/ext/phar/tests/bug69324.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #69324: Buffer Over-read in unserialize when parsing Phar
+--SKIPIF--
+<?php
+if (!extension_loaded("phar")) die("skip");
+?>
+--FILE--
+<?php
+try {
+$p = new Phar(dirname(__FILE__).'/bug69324.phar', 0);
+$meta=$p->getMetadata();
+var_dump($meta);
+} catch(Exception $e) {
+ echo $e->getMessage();
+}
+--EXPECTF--
+internal corruption of phar "%s" (truncated manifest entry)
\ No newline at end of file
--
2.1.4
|
