diff options
author | Felix Yan | 2015-07-23 19:55:08 +0800 |
---|---|---|
committer | Felix Yan | 2015-07-23 19:55:08 +0800 |
commit | 46328e7f9a997f2080d9b01ea32910302ca1fbb2 (patch) | |
tree | ab71f43b4093ed44f201782a09e3b55a9aea3e32 /CVE-2015-3329.patch | |
download | aur-46328e7f9a997f2080d9b01ea32910302ca1fbb2.tar.gz |
addpkg: php53 5.3.29-4
Diffstat (limited to 'CVE-2015-3329.patch')
-rw-r--r-- | CVE-2015-3329.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/CVE-2015-3329.patch b/CVE-2015-3329.patch new file mode 100644 index 000000000000..b1660fc2b11f --- /dev/null +++ b/CVE-2015-3329.patch @@ -0,0 +1,35 @@ +From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Tue, 14 Apr 2015 00:03:50 -0700 +Subject: [PATCH] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in + phar_set_inode) + +--- + ext/phar/phar_internal.h | 9 ++++++--- + ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes + ext/phar/tests/bug69441.phpt | 21 +++++++++++++++++++++ + 3 files changed, 27 insertions(+), 3 deletions(-) + create mode 100644 ext/phar/tests/bug69441.phar + create mode 100644 ext/phar/tests/bug69441.phpt + +Index: php5-5.3.10/ext/phar/phar_internal.h +=================================================================== +--- php5-5.3.10.orig/ext/phar/phar_internal.h 2015-04-17 06:25:17.074639244 -0400 ++++ php5-5.3.10/ext/phar/phar_internal.h 2015-04-17 06:25:17.070639210 -0400 +@@ -618,10 +618,13 @@ + { + char tmp[MAXPATHLEN]; + int tmp_len; ++ size_t len; + +- tmp_len = entry->filename_len + entry->phar->fname_len; +- memcpy(tmp, entry->phar->fname, entry->phar->fname_len); +- memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len); ++ tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len); ++ len = MIN(entry->phar->fname_len, tmp_len); ++ memcpy(tmp, entry->phar->fname, len); ++ len = MIN(tmp_len - len, entry->filename_len); ++ memcpy(tmp + entry->phar->fname_len, entry->filename, len); + entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len); + } + /* }}} */ |