[PATCH] Fixed bug #68839 Possible null pointer dereference

10 years ago by Joshua Rogers — view source — reply

unread

ext/phar/zip.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/ext/phar/zip.c b/ext/phar/zip.c
index 2a95580..2117b0e 100644
--- a/ext/phar/zip.c
+++ b/ext/phar/zip.c
@@ -1217,7 +1217,9 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, zend_long len, int
if (!phar->is_temporary_alias && phar->alias_len) {
entry.fp = php_stream_fopen_tmpfile();
if (entry.fp == NULL) {

  	spprintf(error, 0, "phar error: unable to create temporary file");

```
  	if (error) {
```

  		spprintf(error, 0, "phar error: unable to create temporary file");

  	}
  	return EOF;
  }
  if (phar->alias_len != (int)php_stream_write(entry.fp, phar->alias, phar->alias_len)) {

@@ -1309,7 +1311,9 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, zend_long len, int
len = pos - user_stub + 18;
entry.fp = php_stream_fopen_tmpfile();
if (entry.fp == NULL) {

  	spprintf(error, 0, "phar error: unable to create temporary file");

```
  	if (error) {
```

  		spprintf(error, 0, "phar error: unable to create temporary file");

  	}
  	return EOF;
  }
  entry.uncompressed_filesize = len + 5;

@@ -1346,7 +1350,9 @@ int phar_zip_flush(phar_archive_data *phar, char user_stub, zend_long len, int
/ Either this is a brand new phar (add the stub), or the default stub is required (overwrite the stub) */
entry.fp = php_stream_fopen_tmpfile();
if (entry.fp == NULL) {

  	spprintf(error, 0, "phar error: unable to create temporary file");

```
  	if (error) {
```

  		spprintf(error, 0, "phar error: unable to create temporary file");

  	}
  	return EOF;
  }
  if (sizeof(newstub)-1 != php_stream_write(entry.fp, newstub, sizeof(newstub)-1)) {

--
1.9.1

10 years ago by Michael Wallner — view source — reply

unread

> ---
> ext/phar/zip.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/ext/phar/zip.c b/ext/phar/zip.c
> index 2a95580..2117b0e 100644
> --- a/ext/phar/zip.c
> +++ b/ext/phar/zip.c
> @@ -1217,7 +1217,9 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, zend_long len, int
> if (!phar->is_temporary_alias && phar->alias_len) {
> entry.fp = php_stream_fopen_tmpfile();
> if (entry.fp == NULL) {
> - spprintf(error, 0, "phar error: unable to create temporary file");
> + if (error) {
> + spprintf(error, 0, "phar error: unable to create temporary file");
> + }
> return EOF;
> }
> if (phar->alias_len != (int)php_stream_write(entry.fp, phar->alias, phar->alias_len)) {
> @@ -1309,7 +1311,9 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, zend_long len, int
> len = pos - user_stub + 18;
> entry.fp = php_stream_fopen_tmpfile();
> if (entry.fp == NULL) {
> - spprintf(error, 0, "phar error: unable to create temporary file");
> + if (error) {
> + spprintf(error, 0, "phar error: unable to create temporary file");
> + }
> return EOF;
> }
> entry.uncompressed_filesize = len + 5;
> @@ -1346,7 +1350,9 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, zend_long len, int
> /* Either this is a brand new phar (add the stub), or the default stub is required (overwrite the stub) */
> entry.fp = php_stream_fopen_tmpfile();
> if (entry.fp == NULL) {
> - spprintf(error, 0, "phar error: unable to create temporary file");
> + if (error) {
> + spprintf(error, 0, "phar error: unable to create temporary file");
> + }
> return EOF;
> }
> if (sizeof(newstub)-1 != php_stream_write(entry.fp, newstub, sizeof(newstub)-1)) {
>

Looks good.

--
Regards,
Mike

10 years ago by Joshua Rogers — view source — reply

unread

Hi,

Looks good.
There's another one(2) in /ext/phar/util.c:

--snip--
911 if (error) {
912 error = NULL;
913 }
914 / seek to start of internal file and read it */

915 if (FAILURE == phar_open_entry_fp(entry, error, 1)) {
916 return NULL;
917 }

918 if (-1 == phar_seek_efp(entry, 0, SEEK_SET, 0, 1)) {
919 spprintf(error, 4096, "phar error: cannot seek to start of file "%s" in phar "%s"", entry->filename, phar->fname);
920 return NULL;
921 }
--snip--

Should the patch, perhaps be inside the spprintf() function?
That would take care of future problems, too.

Thoughts?

Thanks,

-- Joshua Rogers <https://internot.info/

10 years ago by Joshua Rogers — view source — reply

unread

Should the patch, perhaps be inside the spprintf() function?
That would take care of future problems, too.

Thoughts?
Ok, so, there are many many places where 'error' is not checked against
NULL. So I'm going to submit a patch that will fix this in the spprintf
function instead of each use-case.

Thanks,

-- Joshua Rogers <https://internot.info/