Commit: 4eb802bb14b05b82573457bc0f528e61ca7ddc45 Author: Stanislav Malyshev <s...@php.net> Tue, 15 May 2012 22:34:34 -0700 Committer: Johannes Schlüter <johan...@php.net> Wed, 16 May 2012 16:30:29 +0200 Parents: 93c91c733cf2259263e4d8c0f3ccc254246d404d Branches: PHP-5.3 PHP-5.4 master
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=4eb802bb14b05b82573457bc0f528e61ca7ddc45 Log: fix bug #61065 (cherry picked from commit a10e778bfb7ce9caa1f91666ddf2705db7982d68) Bugs: https://bugs.php.net/61065 Changed paths: M ext/phar/tar.c Diff: diff --git a/ext/phar/tar.c b/ext/phar/tar.c index 9d1e5bc..b914db1 100644 --- a/ext/phar/tar.c +++ b/ext/phar/tar.c @@ -337,6 +337,16 @@ bail: last_was_longlink = 1; /* support the ././@LongLink system for storing long filenames */ entry.filename_len = entry.uncompressed_filesize; + + /* Check for overflow - bug 61065 */ + if (entry.filename_len == UINT_MAX) { + if (error) { + spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname); + } + php_stream_close(fp); + phar_destroy_phar_data(myphar TSRMLS_CC); + return FAILURE; + } entry.filename = pemalloc(entry.filename_len+1, myphar->is_persistent); read = php_stream_read(fp, entry.filename, entry.filename_len); -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php