https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2386 |
http://git.php.net/?p=php-src.git;a=commit;h=158d8a6b088662ce9d31e0c777c6ebe90efdc854 |
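--- php-5.3.3/ext/phar/tar.c.cve2386
+++ php-5.3.3/ext/phar/tar.c
@@ -38,7 +38,7 @@ static php_uint32 phar_tar_number(char *
 /* }}} */
 
 /* adapted from format_octal() in libarchive
- *
+ *
 * Copyright (c) 2003-2009 Tim Kientzle
 * All rights reserved.
 *
@@ -161,7 +161,7 @@ static int phar_tar_process_metadata(pha
 size_t save = php_stream_tell(fp), read;
 phar_entry_info *mentry;
 
- metadata = (char *) emalloc(entry->uncompressed_filesize + 1);
+ metadata = (char *) safe_emalloc(1, entry->uncompressed_filesize, 1);
 
 read = php_stream_read(fp, metadata, entry->uncompressed_filesize);
 if (read != entry->uncompressed_filesize) {
@@ -367,7 +367,7 @@ bail:
 }
 
 read = php_stream_read(fp, buf, sizeof(buf));
-
+
 if (read != sizeof(buf)) {
 efree(entry.filename);
 if (error) {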
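Review bot: In the phar_tar_process_metadata hunk, `safe_emalloc(1, entry->uncompressed_filesize, 1)` stops the `+ 1` from wrapping a header-supplied size into a tiny buffer, but nothing in the hunk bounds `uncompressed_filesize` itself, so a hostile tar header can still request an allocation of up to the full 32-bit range, which under PHP's allocator presumably ends in a fatal error rather than the recoverable failure path the function already has for `read != entry->uncompressed_filesize`. Since the stream position is saved in `save` just above, a reviewer would want the metadata length checked against what the stream can actually supply (or a fixed cap) before the allocation, returning through the existing error path; the right bound depends on code outside the hunk. The line also deserves a why-comment so the next cleanup does not shorten it back to `emalloc`, e.g. `/* size is attacker-controlled (tar header): must be overflow-checked, see CVE-2012-2386 */`. The body of phar_tar_process_metadata continues outside the hunk, so the `metadata` buffer's later handling could not be reviewed here.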