File: CVE-2015-3329.patch.bin-included

package info (click to toggle)

php5 5.3.3.1-7%2Bsqueeze29

links: PTS, VCS
area: main
in suites: squeeze-lts
size: 123,520 kB
ctags: 55,742
sloc: ansic: 633,963; php: 19,620; sh: 11,344; xml: 5,816; cpp: 2,400; yacc: 1,745; exp: 1,514; makefile: 1,019; pascal: 623; awk: 537; sql: 22

file content (82 lines) | stat: -rw-r--r-- 2,909 bytes

From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 14 Apr 2015 00:03:50 -0700
Subject: [PATCH] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in
 phar_set_inode)

---
 ext/phar/phar_internal.h     |   9 ++++++---
 ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes
 ext/phar/tests/bug69441.phpt |  21 +++++++++++++++++++++
 3 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100644 ext/phar/tests/bug69441.phar
 create mode 100644 ext/phar/tests/bug69441.phpt

diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
index fcfc864..84282d2 100644
--- a/ext/phar/phar_internal.h
+++ b/ext/phar/phar_internal.h
@@ -618,10 +618,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */
 {
 	char tmp[MAXPATHLEN];
 	int tmp_len;
+	size_t len;
 
-	tmp_len = entry->filename_len + entry->phar->fname_len;
-	memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
-	memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
+	tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
+	len = MIN(entry->phar->fname_len, tmp_len);
+	memcpy(tmp, entry->phar->fname, len);
+	len = MIN(tmp_len - len, entry->filename_len);
+	memcpy(tmp + entry->phar->fname_len, entry->filename, len);
 	entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
 }
 /* }}} */
diff --git a/ext/phar/tests/bug69441.phar b/ext/phar/tests/bug69441.phar
new file mode 100644
index 0000000000000000000000000000000000000000..80956dce7cb4fd78117f415166c3c46f62f9f79d
GIT binary patch
literal 5780
zcmWIWW@cdk1DpItw?}h!tuzMmK$wp~h(WI)Be6)oxTG`z$STMy<zoofc5K<k2+_g7
zU}FyyR!B|G$X8Gg4s~{R4GxYE4heNqRJT@$kN0r&35j?1_YLs$aShVYv{taU<K+rK
zv9S2a%lX_u(?FO5XkkfeaS3*-3V^Z*@P&clIn;5P>3NAIrA4WFNtt;J3<2J(Y#?PU
zK)4&|&S02ZLtKMH;*H{65=#;hPGCq-d?RLEVJHLC0m8xvKO-9p^7wzDn~orZA%F=;
zi2!l6FW(yrv59k63Lg-g5jOGi$0`3-1$Z-pq`?3^P#FYZG9VhnaU2DsAut*OLp=nX
zkN_xaGcqx=u(Gjpyx+I>9*FNe3WyE?P<V}k(GVC7fzc2c4S~@R7!85Z5Eu=C(GVC7
Sfzc2c4S~@R7!85p9RdJiP@V$-

literal 0
HcmV?d00001

diff --git a/ext/phar/tests/bug69441.phpt b/ext/phar/tests/bug69441.phpt
new file mode 100644
index 0000000..ed461cf
--- /dev/null
+++ b/ext/phar/tests/bug69441.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Phar: bug #69441: Buffer Overflow when parsing tar/zip/phar in phar_set_inode
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+$fname = dirname(__FILE__) . '/bug69441.phar';
+try {
+$r = new Phar($fname, 0);
+} catch(UnexpectedValueException $e) {
+	echo $e;
+}
+?>
+
+==DONE==
+--EXPECTF--
+exception 'UnexpectedValueException' with message 'phar error: corrupted central directory entry, no magic signature in zip-based phar "%s/bug69441.phar"' in %s/bug69441.php:%d
+Stack trace:
+#0 %s/bug69441.php(%d): Phar->__construct('%s', 0)
+#1 {main}
+==DONE==
\ No newline at end of file
-- 
2.1.4