diff --git a/NEWS b/NEWS index 6943db07f6a..56eed2700a7 100644 --- a/NEWS +++ b/NEWS @@ -24,6 +24,9 @@ PHP NEWS . Fixed bug #80368 (OpenSSL extension fails to build against LibreSSL due to lack of OCB support). (Nikita) +- Phar: + . Fixed bug #73809 (Phar Zip parse crash - mmap fail). (cmb) + - Phpdbg: . Fixed bug #76813 (Access violation near NULL on source operand). (cmb) diff --git a/ext/phar/tests/bug73809.phpt b/ext/phar/tests/bug73809.phpt new file mode 100644 index 00000000000..5356db8aaa0 --- /dev/null +++ b/ext/phar/tests/bug73809.phpt @@ -0,0 +1,30 @@ +--TEST-- +Bug #73809 (Phar Zip parse crash - mmap fail) +--SKIPIF-- + +--FILE-- +open(__DIR__ . '/73809.zip', ZipArchive::CREATE); +$zip->addFromString('73809.txt', 'yada yada'); +$zip->addFromString('.phar/signature.bin', str_repeat('*', 64 * 1024 + 1)); +$zip->setCompressionName('.phar/signature.bin', ZipArchive::CM_STORE); +var_dump($zip->close()); + +try { + $phar = new PharData(__DIR__ . '/73809.zip'); +} catch (Exception $ex) { + echo $ex->getMessage(), PHP_EOL; +} +?> +--CLEAN-- + +--EXPECTF-- +bool(true) +phar error: signatures larger than 64 KiB are not supported in zip-based phar "%s" diff --git a/ext/phar/zip.c b/ext/phar/zip.c index b241c0589b4..0bf873aff16 100644 --- a/ext/phar/zip.c +++ b/ext/phar/zip.c @@ -405,8 +405,13 @@ foundit: char *sig; size_t sig_len; - php_stream_tell(fp); pefree(entry.filename, entry.is_persistent); + + if (entry.uncompressed_filesize > 0x10000) { + PHAR_ZIP_FAIL("signatures larger than 64 KiB are not supported"); + } + + php_stream_tell(fp); sigfile = php_stream_fopen_tmpfile(); if (!sigfile) { PHAR_ZIP_FAIL("couldn't open temporary file");