Fix # 79171: heap-buffer-overflow in phar_extract_file

cmb69 · cmb69 · commit 254a7c245773 · 2020-02-18T09:13:40.000+01:00
We must not access memory outside of the allocated buffer. (cherry picked from commit 7df594b)
diff --git a/NEWS b/NEWS
@@ -34,6 +34,8 @@ PHP                                                                        NEWS
 - Phar:
   . Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have
     all-access permissions). (CVE-2020-7063) (stas)
+  . Fixed bug #79171 (heap-buffer-overflow in phar_extract_file).
+    (CVE-	2020-7061) (cmb)
   . Fixed bug #76584 (PharFileInfo::decompress not working). (cmb)
 
 - Reflection:
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
@@ -4153,7 +4153,7 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *
 			if ('\\' == filename[cnt]) {
 				filename[cnt] = '/';
 			}
-		} while (cnt++ <= filename_len);
+		} while (cnt++ < filename_len);
 	}
 #endif
 

Original file line number	Diff line number	Diff line change
`@@ -4153,7 +4153,7 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info entry, char `
`4153`	`4153`	`if ('\\' == filename[cnt]) {`
`4154`	`4154`	`filename[cnt] = '/';`
`4155`	`4155`	`}`
`4156`		`- } while (cnt++ <= filename_len);`
	`4156`	`+ } while (cnt++ < filename_len);`
`4157`	`4157`	`}`
`4158`	`4158`	`#endif`
`4159`	`4159`