1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
From 6dedeb40db13971af45276f80b5375030aa7e76f Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 4 Jul 2015 23:47:48 -0700
Subject: [PATCH] Fix bug #69923 - Buffer overflow and stack smashing error in
phar_fix_filepath
---
ext/phar/phar.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
Index: php5-5.3.3.1/ext/phar/phar.c
===================================================================
--- php5-5.3.3.1.orig/ext/phar/phar.c 2015-07-20 16:07:15.000000000 +0200
+++ php5-5.3.3.1/ext/phar/phar.c 2015-07-20 16:07:15.000000000 +0200
@@ -2140,7 +2140,7 @@
*/
char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ */
{
- char newpath[MAXPATHLEN];
+ char *newpath;
int newpath_len;
char *ptr;
char *tok;
@@ -2148,8 +2148,10 @@
if (PHAR_G(cwd_len) && use_cwd && path_length > 2 && path[0] == '.' && path[1] == '/') {
newpath_len = PHAR_G(cwd_len);
+ newpath = emalloc(strlen(path) + newpath_len + 1);
memcpy(newpath, PHAR_G(cwd), newpath_len);
} else {
+ newpath = emalloc(strlen(path) + 2);
newpath[0] = '/';
newpath_len = 1;
}
@@ -2172,6 +2174,7 @@
if (*tok == '.') {
efree(path);
*new_len = 1;
+ efree(newpath);
return estrndup("/", 1);
}
break;
@@ -2179,9 +2182,11 @@
if (tok[0] == '.' && tok[1] == '.') {
efree(path);
*new_len = 1;
+ efree(newpath);
return estrndup("/", 1);
}
}
+ efree(newpath);
return path;
}
@@ -2230,7 +2235,8 @@
efree(path);
*new_len = newpath_len;
- return estrndup(newpath, newpath_len);
+ newpath[newpath_len] = '\0';
+ return erealloc(newpath, newpath_len + 1);
}
/* }}} */
|
