diff --git a/NEWS b/NEWS
index aa6f7f81a89d..4eb8b310895a 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.6.0alpha2
 
+- Phar:
+ . Fixed bug GH-22556 (OOM DoS via oversized ././@LongLink entry in TAR phar).
+ (crystarm)
+
 - DBA:
 . Fixed OOB read on malformed length field in dba flatfile handler. (alhudz)
 
diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index f85241ccc4e5..d898eb0b30a2 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -18,6 +18,9 @@
 #include "phar_internal.h"
 #include "ext/standard/php_string.h" /* For php_stristr() */
 
+/* Maximum allowed size for a ././@LongLink filename entry in a TAR phar */
+#define PHAR_TAR_LONGLINK_MAX UINT16_MAX
+
 static uint32_t phar_tar_number(const char *buf, size_t len) /* {{{ */
 {
 uint32_t num = 0;
@@ -371,8 +374,9 @@ zend_result phar_parse_tarfile(
 last_was_longlink = true;
 /* support the ././@LongLink system for storing long filenames */
 
- /* Check for overflow - bug 61065 */
- if (entry.uncompressed_filesize == UINT_MAX || entry.uncompressed_filesize == 0) {
+ /* Check for overflow or unreasonable size - bug 61065 */
+ if (entry.uncompressed_filesize == 0
+ || entry.uncompressed_filesize > PHAR_TAR_LONGLINK_MAX) {
 if (error) {
 spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname);
 }
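Review bot: The comment on `PHAR_TAR_LONGLINK_MAX` in ext/phar/tar.c gives neither the unit nor the reason for the value, so a later reader cannot tell whether 65535 is a tar format limit or a policy cap chosen for this fix. Assuming the size is taken from the archive header, as the NEWS entry suggests, a comment such as `/* Upper bound, in bytes, on the size a ././@LongLink entry may declare; the value is attacker-controlled, so anything larger is treated as corrupt (GH-22556) */` would record both. The cap is also a compatibility boundary: archives whose LongLink names exceed it passed the previous `== UINT_MAX` test and are now rejected, which is worth stating in the commit message.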
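Review bot: The comment above the new condition in phar_parse_tarfile still attributes the whole check to bug 61065, although the `> PHAR_TAR_LONGLINK_MAX` half is the GH-22556 bound; `/* Reject empty or oversized LongLink sizes before the name is read (bug 61065, GH-22556) */` would keep both references. The removed `== UINT_MAX` comparison is subsumed by the new upper bound, so that case stays covered. The function body starts and ends outside the hunk, so the code that consumes `entry.uncompressed_filesize` is not visible here, and it is presumably where the allocation happens. No regression test is visible in this diff; a .phpt that checks a LongLink size of exactly the limit is accepted and one byte above it yields the "invalid entry size" error would pin the boundary.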