php/SOURCES/php-cve-2023-3823.patch

From c398fe98c044c8e7c23135acdc38d4ef7bedc983 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Mon, 10 Jul 2023 13:25:34 +0200
Subject: [PATCH 1/4] Fix buffer mismanagement in phar_dir_read()

Fixes GHSA-jqcx-ccgc-xwhv.

(cherry picked from commit 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef)
---
 ext/phar/dirstream.c                    | 15 ++++++++------
 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt | 27 +++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 6 deletions(-)
 create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt

diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c
index 4710703c70e..490b14528f1 100644
--- a/ext/phar/dirstream.c
+++ b/ext/phar/dirstream.c
@@ -91,25 +91,28 @@ static int phar_dir_seek(php_stream *stream, zend_off_t offset, int whence, zend
  */
 static ssize_t phar_dir_read(php_stream *stream, char *buf, size_t count) /* {{{ */
 {
-	size_t to_read;
 	HashTable *data = (HashTable *)stream->abstract;
 	zend_string *str_key;
 	zend_ulong unused;
 
+	if (count != sizeof(php_stream_dirent)) {
+		return -1;
+	}
+
 	if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, &unused)) {
 		return 0;
 	}
 
 	zend_hash_move_forward(data);
-	to_read = MIN(ZSTR_LEN(str_key), count);
 
-	if (to_read == 0 || count < ZSTR_LEN(str_key)) {
+	php_stream_dirent *dirent = (php_stream_dirent *) buf;
+
+	if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) {
 		return 0;
 	}
 
-	memset(buf, 0, sizeof(php_stream_dirent));
-	memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read);
-	((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';
+	memset(dirent, 0, sizeof(php_stream_dirent));
+	PHP_STRLCPY(dirent->d_name, ZSTR_VAL(str_key), sizeof(dirent->d_name), ZSTR_LEN(str_key));
 
 	return sizeof(php_stream_dirent);
 }
diff --git a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
new file mode 100644
index 00000000000..4e12f05fb62
--- /dev/null
+++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read())
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--INI--
+phar.readonly=0
+--FILE--
+<?php
+$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
+$phar->startBuffering();
+$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the content of file 1.');
+$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the content of file 2.');
+$phar->stopBuffering();
+
+$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar');
+var_dump(strlen(readdir($handle)));
+// Must not be a string of length PHP_MAXPATHLEN+1
+var_dump(readdir($handle));
+closedir($handle);
+?>
+--CLEAN--
+<?php
+unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');
+?>
+--EXPECTF--
+int(%d)
+bool(false)
-- 
2.41.0
import php-7.4.33-2.module+el8.10.0+22485+a3539972 2 months ago			`From c398fe98c044c8e7c23135acdc38d4ef7bedc983 Mon Sep 17 00:00:00 2001`
			`From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>`
			`Date: Mon, 10 Jul 2023 13:25:34 +0200`
			`Subject: [PATCH 1/4] Fix buffer mismanagement in phar_dir_read()`

			`Fixes GHSA-jqcx-ccgc-xwhv.`

			`(cherry picked from commit 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef)`
			`---`
			`ext/phar/dirstream.c \| 15 ++++++++------`
			`ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt \| 27 +++++++++++++++++++++++++`
			`2 files changed, 36 insertions(+), 6 deletions(-)`
			`create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt`

			`diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c`
			`index 4710703c70e..490b14528f1 100644`
			`--- a/ext/phar/dirstream.c`
			`+++ b/ext/phar/dirstream.c`
			`@@ -91,25 +91,28 @@ static int phar_dir_seek(php_stream *stream, zend_off_t offset, int whence, zend`
			`*/`
			`static ssize_t phar_dir_read(php_stream stream, char buf, size_t count) /* {{{ */`
			`{`
			`- size_t to_read;`
			`HashTable data = (HashTable )stream->abstract;`
			`zend_string *str_key;`
			`zend_ulong unused;`

			`+ if (count != sizeof(php_stream_dirent)) {`
			`+ return -1;`
			`+ }`
			`+`
			`if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, &unused)) {`
			`return 0;`
			`}`

			`zend_hash_move_forward(data);`
			`- to_read = MIN(ZSTR_LEN(str_key), count);`

			`- if (to_read == 0 \|\| count < ZSTR_LEN(str_key)) {`
			`+ php_stream_dirent dirent = (php_stream_dirent ) buf;`
			`+`
			`+ if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) {`
			`return 0;`
			`}`

			`- memset(buf, 0, sizeof(php_stream_dirent));`
			`- memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read);`
			`- ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';`
			`+ memset(dirent, 0, sizeof(php_stream_dirent));`
			`+ PHP_STRLCPY(dirent->d_name, ZSTR_VAL(str_key), sizeof(dirent->d_name), ZSTR_LEN(str_key));`

			`return sizeof(php_stream_dirent);`
			`}`
			`diff --git a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt`
			`new file mode 100644`
			`index 00000000000..4e12f05fb62`
			`--- /dev/null`
			`+++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt`
			`@@ -0,0 +1,27 @@`
			`+--TEST--`
			`+GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read())`
			`+--SKIPIF--`
			`+<?php if (!extension_loaded("phar")) die("skip"); ?>`
			`+--INI--`
			`+phar.readonly=0`
			`+--FILE--`
			`+<?php`
			`+$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');`
			`+$phar->startBuffering();`
			`+$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the content of file 1.');`
			`+$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the content of file 2.');`
			`+$phar->stopBuffering();`
			`+`
			`+$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar');`
			`+var_dump(strlen(readdir($handle)));`
			`+// Must not be a string of length PHP_MAXPATHLEN+1`
			`+var_dump(readdir($handle));`
			`+closedir($handle);`
			`+?>`
			`+--CLEAN--`
			`+<?php`
			`+unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar');`
			`+?>`
			`+--EXPECTF--`
			`+int(%d)`
			`+bool(false)`
			`--`
			`2.41.0`