fix bug #60164 (Stubs of a specific length break phar_open_from_fp scanning for __HALT_COMPILER)

2024-11-24 18:34:21 +08:00 · 2011-11-19 04:59:56 +00:00 · 2011-11-19 04:59:56 +00:00 · 449907fb76
commit 449907fb76
parent 1d0d8abc5f
5 changed files with 69 additions and 2 deletions
--- a/2
+++ b/2
@ -42,6 +42,8 @@ PHP                                                                        NEWS
    
 - Phar:
  . Fixed bug #60261 (NULL pointer dereference in phar). (Felipe)
+  . Fixed bug #60164 (Stubs of a specific length break phar_open_from_fp
+    scanning for __HALT_COMPILER). (Ralph Schindler)

 - Postgres:
  . Fixed bug #60244 (pg_fetch_* functions do not validate that row param 
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@ -1569,7 +1569,9 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
 	const char zip_magic[] = "PK\x03\x04";
 	const char gz_magic[] = "\x1f\x8b\x08";
 	const char bz_magic[] = "BZh";
-	char *pos, buffer[1024 + sizeof(token)], test = '\0';
+	char *pos, test = '\0';
+	const int window_size = 1024;
+	char buffer[window_size + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */
 	const long readsize = sizeof(buffer) - sizeof(token);
 	const long tokenlen = sizeof(token) - 1;
 	long halt_offset;
@ -1717,7 +1719,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
 		}

 		halt_offset += got;
-		memmove(buffer, buffer + tokenlen, got + 1);
+		memmove(buffer, buffer + window_size, tokenlen); /* move the memory buffer by the size of the window */
 	}

 	MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (__HALT_COMPILER(); not found)")
--- a/ext/phar/tests/bug60164.phpt
+++ b/ext/phar/tests/bug60164.phpt
@ -0,0 +1,21 @@
+--TEST--
+Phar: verify stub of specific length does not break __HALT_COMPILER(); scanning in php
+--SKIPIF--
+<?php
+if (!extension_loaded("phar")) die("skip");
+?>
+--INI--
+phar.require_hash=0
+phar.readonly=0
+--FILE--
+<?php
+$phar = __DIR__ . '/files/stuboflength1041.phar';
+foreach (new RecursiveIteratorIterator(new Phar($phar, null, 'stuboflength1041.phar')) as $item) {
+    var_dump($item->getFileName());
+}
+?>
+===DONE===
+--EXPECT--
+string(5) "a.php"
+string(5) "b.php"
+===DONE===
--- a/ext/phar/tests/files/stuboflength1041.phar
+++ b/ext/phar/tests/files/stuboflength1041.phar
--- a/ext/phar/tests/files/stuboflength1041.phar.inc
+++ b/ext/phar/tests/files/stuboflength1041.phar.inc
@ -0,0 +1,42 @@
+<?php
+
+@unlink(__DIR__ . '/stuboflength1041.phar');
+
+$phar = new Phar('./stuboflength1041.phar');
+$phar['a.php'] = 'hi1';
+$phar['b.php'] = 'hi2';
+
+$phar->setStub('<?php
+/***stub of length 1041 including the halt compiler*********************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+*********************************************/
+__HALT_COMPILER();');
+<?php
+
+@unlink(__DIR__ . '/stuboflength1041.phar');
+
+$phar = new Phar('./stuboflength1041.phar');
+$phar['a.php'] = 'hi1';
+$phar['b.php'] = 'hi2';
+
+$phar->setStub('<?php
+/***stub of length 1041 including the halt compiler*********************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+*********************************************/
+__HALT_COMPILER();');