Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)

smalyshev · smalyshev · commit 428d8164ffcf · 2019-01-06T11:33:32.000-08:00
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
@@ -2017,7 +2017,7 @@ int phar_detect_phar_fname_ext(const char *filename, int filename_len, const cha
 	}
 
 	while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) {
-		pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1);
+		pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1);
 		if (!pos) {
 			return FAILURE;
 		}
diff --git a/ext/phar/tests/bug77247.phpt b/ext/phar/tests/bug77247.phpt
@@ -0,0 +1,14 @@
+--TEST--
+PHP bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+try {
+var_dump(new Phar('a/.b', 0,'test.phar'));
+} catch(UnexpectedValueException $e) {
+	echo "OK";
+}
+?>
+--EXPECT--
+OK

Original file line number	Diff line number	Diff line change
`@@ -2017,7 +2017,7 @@ int phar_detect_phar_fname_ext(const char *filename, int filename_len, const cha`
`2017`	`2017`	`}`
`2018`	`2018`
`2019`	`2019`	`while (pos != filename && ((pos - 1) == '/' \|\| (pos - 1) == '\0')) {`
`2020`		`- pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1);`
	`2020`	`+ pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1);`
`2021`	`2021`	`if (!pos) {`
`2022`	`2022`	`return FAILURE;`
`2023`	`2023`	`}`