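--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.6.0alpha2
 
+- Phar:
+. Fixed bug GH-22556 (OOM DoS via oversized ././@LongLink entry in TAR phar).
+(crystarm)
+
 - DBA:
 . Fixed OOB read on malformed length field in dba flatfile handler. (alhudz)
 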
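--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -18,6 +18,9 @@
 #include "phar_internal.h"
 #include "ext/standard/php_string.h" /* For php_stristr() */
 
+/* Maximum allowed size for a ././@LongLink filename entry in a TAR phar */
+#define PHAR_TAR_LONGLINK_MAX UINT16_MAX
+
 static uint32_t phar_tar_number(const char *buf, size_t len) /* {{{ */
 {
 uint32_t num = 0;
@@ -371,8 +374,9 @@ zend_result phar_parse_tarfile(
 last_was_longlink = true;
 /* support the ././@LongLink system for storing long filenames */
 
-/* Check for overflow - bug 61065 */
-if (entry.uncompressed_filesize == UINT_MAX || entry.uncompressed_filesize == 0) {
+/* Check for overflow or unreasonable size - bug 61065 */
+if (entry.uncompressed_filesize == 0
+|| entry.uncompressed_filesize > PHAR_TAR_LONGLINK_MAX) {
 if (error) {
 spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname);
 }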
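Review bot: The comment above the rewritten size check in phar_parse_tarfile still cites only bug 61065, although the upper bound it now enforces is the GH-22556 memory-exhaustion fix named in NEWS; a later reader tracing either report should find both, e.g. `/* Reject empty or oversized LongLink names: bug 61065 (overflow), GH-22556 (OOM) */`. The comment on `PHAR_TAR_LONGLINK_MAX` would also benefit from stating that the limit is in bytes and why 64 KiB was chosen, since the value is a policy decision rather than a format constant. The function starts and ends outside this hunk, so it cannot be confirmed from here that the later allocation and stream read for the long name use only this validated `entry.uncompressed_filesize`; that is worth checking when merging. No regression test for an oversized LongLink entry is visible in the part of the page shown, and one that asserts the "invalid entry size" error would keep the bound from being loosened silently.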