SUSE:SLE-12:Update
php72
php72-CVE-2022-31628.patch
File php72-CVE-2022-31628.patch of Package php72
Index: php-7.2.5/ext/phar/phar.c =================================================================== --- php-7.2.5.orig/ext/phar/phar.c +++ php-7.2.5/ext/phar/phar.c @@ -1572,6 +1572,7 @@ static int phar_open_from_fp(php_stream* const char gz_magic[] = "\x1f\x8b\x08"; const char bz_magic[] = "BZh"; char *pos, test = '\0'; + int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion const int window_size = 1024; char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */ const zend_long readsize = sizeof(buffer) - sizeof(token); @@ -1599,7 +1600,7 @@ static int phar_open_from_fp(php_stream* MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)") } - if (!test) { + if (!test && recursion_count) { test = '\1'; pos = buffer+tokenlen; if (!memcmp(pos, gz_magic, 3)) { @@ -1661,6 +1662,10 @@ static int phar_open_from_fp(php_stream* /* now, start over */ test = '\0'; + if (!--recursion_count) { + MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\""); + break; + } continue; } else if (!memcmp(pos, bz_magic, 3)) { php_stream_filter *filter; @@ -1699,6 +1704,10 @@ static int phar_open_from_fp(php_stream* /* now, start over */ test = '\0'; + if (!--recursion_count) { + MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\""); + break; + } continue; }
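Review bot: the added `int recursion_count = 3;` in the first hunk (@@ -1572,6 +1572,7 @@) is a bare literal described only as "arbitrary", and its name does not match the control flow. The later hunks restart the scan with `continue;`, so the variable is a countdown of remaining decompression passes rather than a recursion depth. Suggest a named constant with a comment stating what is being bounded (nested gzip/bzip2 layers around one phar) and a name that says it counts down. The `//` comment also differs from the `/* ... */` style used two lines below in the same declaration block.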
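Review bot: the `&& recursion_count` added to `if (!test && recursion_count) {` in the second hunk (@@ -1599,7 +1600,7 @@) looks redundant with the failure paths added in the third and fourth hunks. Both of those fail as soon as `--recursion_count` reaches zero, so the counter should never be zero when this condition is evaluated again. If the guard is meant as defence in depth, in case the failure path does not leave the loop, a short comment saying so would help; otherwise it can be dropped so there is a single place where the limit is enforced.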
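Review bot: the limit check in the third hunk (@@ -1661,6 +1662,10 @@) sits at the end of the gzip branch, after `test = '\0';` and just before `continue;`, so the work for the layer that exhausts the budget has already been done when it is rejected. With the initial value of 3, the third compressed layer triggers the failure, which means only two nested layers are ever accepted. Either test the budget before processing the layer or state the effective limit in the comment on the declaration. The message "unable to decompress gzipped phar archive" also does not say that the nesting limit was hit, which will make this case hard to tell apart from a genuine decompression error in logs and bug reports.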
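Review bot: the four added lines in the bzip2 branch of the fourth hunk (@@ -1699,6 +1704,10 @@) duplicate the gzip branch apart from one word in the message, and the `break;` after `MAPPHAR_ALLOC_FAIL(...)` may be unreachable. The existing call in the context of the second hunk is followed directly by `}` with no `break` and no trailing semicolon, which suggests the macro leaves the function on its own; if so, `break;` and the extra `;` here are dead code and inconsistent with the surrounding usage. It is also worth documenting that the counter is shared between the gzip and bzip2 branches, so mixed nesting draws from the same budget. The diff touches only ext/phar/phar.c, so a regression test with a phar wrapped in several compression layers would be a useful addition.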