Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix bug #72928 - Out of bound when verify signature of zip phar in ph…
…ar_parse_zipfile

(cherry picked from commit 19484ab)
  • Loading branch information
smalyshev authored and weltling committed Sep 12, 2016
1 parent 1b2007d commit 0bfb970
Show file tree
Hide file tree
Showing 4 changed files with 47 additions and 1 deletion.
18 changes: 18 additions & 0 deletions ext/phar/tests/bug72928.phpt
@@ -0,0 +1,18 @@
--TEST--
Phar: #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile)
--SKIPIF--
<?php if (!extension_loaded("phar")) die("skip"); ?>
--FILE--
<?php
chdir(__DIR__);
try {
$phar = new PharData('bug72928.zip');
var_dump($phar);
} catch(UnexpectedValueException $e) {
print $e->getMessage()."\n";
}
?>
DONE
--EXPECTF--
phar error: signature cannot be read in zip-based phar "%sbug72928.zip"
DONE
Binary file added ext/phar/tests/bug72928.zip
Binary file not shown.
28 changes: 28 additions & 0 deletions ext/phar/util.c
Expand Up @@ -1609,6 +1609,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
unsigned char digest[64];
PHP_SHA512_CTX context;

if (sig_len < sizeof(digest)) {
if (error) {
spprintf(error, 0, "broken signature");
}
return FAILURE;
}

PHP_SHA512Init(&context);
read_len = end_of_phar;

Expand Down Expand Up @@ -1642,6 +1649,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
unsigned char digest[32];
PHP_SHA256_CTX context;

if (sig_len < sizeof(digest)) {
if (error) {
spprintf(error, 0, "broken signature");
}
return FAILURE;
}

PHP_SHA256Init(&context);
read_len = end_of_phar;

Expand Down Expand Up @@ -1683,6 +1697,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
unsigned char digest[20];
PHP_SHA1_CTX context;

if (sig_len < sizeof(digest)) {
if (error) {
spprintf(error, 0, "broken signature");
}
return FAILURE;
}

PHP_SHA1Init(&context);
read_len = end_of_phar;

Expand Down Expand Up @@ -1716,6 +1737,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
unsigned char digest[16];
PHP_MD5_CTX context;

if (sig_len < sizeof(digest)) {
if (error) {
spprintf(error, 0, "broken signature");
}
return FAILURE;
}

PHP_MD5Init(&context);
read_len = end_of_phar;

Expand Down
2 changes: 1 addition & 1 deletion ext/phar/zip.c
Expand Up @@ -418,7 +418,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
php_stream_seek(fp, sizeof(phar_zip_file_header) + entry.header_offset + entry.filename_len + PHAR_GET_16(zipentry.extra_len), SEEK_SET);
sig = (char *) emalloc(entry.uncompressed_filesize);
read = php_stream_read(fp, sig, entry.uncompressed_filesize);
if (read != entry.uncompressed_filesize) {
if (read != entry.uncompressed_filesize || read <= 8) {
php_stream_close(sigfile);
efree(sig);
PHAR_ZIP_FAIL("signature cannot be read");
Expand Down

0 comments on commit 0bfb970

Please sign in to comment.