Add missing error checks on EVP_MD_CTX_create() and EVP_VerifyInit()
The first one returns NULL on error, and the second one returns 0 on
error. These weren't checked.

Closes GH-10762.
nielsdos committed Mar 5, 2023
1 parent 28ef654 commit 30ebecb
Showing 2 changed files with 11 additions and 1 deletion.
2 changes: 2 additions & 0 deletions NEWS
Expand Up @@ -15,6 +15,8 @@ PHP NEWS
- Phar:
. Fixed bug GH-10766 (PharData archive created with Phar::Zip format does
not keep files metadata (datetime)). (nielsdos)
. Add missing error checks on EVP_MD_CTX_create() and EVP_VerifyInit().
(nielsdos)

16 Mar 2023, PHP 8.1.17

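Review bot: The new Phar entry, "Add missing error checks on EVP_MD_CTX_create() and EVP_VerifyInit().", does not cite GH-10762, although the commit message closes that issue and the entry directly above it is written as "Fixed bug GH-10766". Consider wording this one as a fix that references GH-10762 so the NEWS line can be traced back to the report.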
10 changes: 9 additions & 1 deletion ext/phar/util.c
Expand Up @@ -1579,7 +1579,15 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
}

md_ctx = EVP_MD_CTX_create();
EVP_VerifyInit(md_ctx, mdtype);
if (!md_ctx || !EVP_VerifyInit(md_ctx, mdtype)) {
if (md_ctx) {
EVP_MD_CTX_destroy(md_ctx);
}
if (error) {
spprintf(error, 0, "openssl signature could not be verified");
}
return FAILURE;
}
read_len = end_of_phar;

if ((size_t)read_len > sizeof(buf)) {
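Review bot: In the new failure branch, the message "openssl signature could not be verified" is set both when EVP_MD_CTX_create() returns NULL and when EVP_VerifyInit() returns 0, so a caller reading `error` cannot tell a setup failure from a signature that was checked and rejected. Consider a message that names the failing step, for example one for context allocation and one for digest initialisation. The early `return FAILURE;` releases only md_ctx; it is worth confirming that nothing acquired earlier in phar_verify_signature() needs to be released on this path, since that code is outside the visible hunk.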