Fix # 79171: heap-buffer-overflow in phar_extract_file

cmb69 · derickr · commit b97a9718c833 · 2020-02-18T09:48:25.000Z
We must not access memory outside of the allocated buffer.
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
@@ -4184,7 +4184,7 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *
 			if ('\\' == filename[cnt]) {
 				filename[cnt] = '/';
 			}
-		} while (cnt++ <= filename_len);
+		} while (cnt++ < filename_len);
 	}
 #endif
 

Original file line number	Diff line number	Diff line change
`@@ -4184,7 +4184,7 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info entry, char `
`4184`	`4184`	`if ('\\' == filename[cnt]) {`
`4185`	`4185`	`filename[cnt] = '/';`
`4186`	`4186`	`}`
`4187`		`- } while (cnt++ <= filename_len);`
	`4187`	`+ } while (cnt++ < filename_len);`
`4188`	`4188`	`}`
`4189`	`4189`	`#endif`
`4190`	`4190`