Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)

php · Jan 6, 2019 · 428d816 · 428d816
1 parent 4fc0bce
commit 428d816
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
@@ -2017,7 +2017,7 @@ int phar_detect_phar_fname_ext(const char *filename, int filename_len, const cha
 	}
 
 	while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) {
-		pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1);
+		pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1);
 		if (!pos) {
 			return FAILURE;
 		}

diff --git a/ext/phar/tests/bug77247.phpt b/ext/phar/tests/bug77247.phpt
@@ -0,0 +1,14 @@
+--TEST--
+PHP bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+try {
+var_dump(new Phar('a/.b', 0,'test.phar'));
+} catch(UnexpectedValueException $e) {
+	echo "OK";
+}
+?>
+--EXPECT--
+OK