From fc75b115088d5b08b5853e20c565f732c78309af Mon Sep 17 00:00:00 2001 From: Georgij Tsarin <68424751+crystarm@users.noreply.github.com> Date: Thu, 2 Jul 2026 17:42:19 +0300 Subject: [PATCH] ext/phar: add upper-bound check on LongLink entry size to prevent OOM DoS --- NEWS | 4 ++++ ext/phar/tar.c | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index aa6f7f81a89d..4eb8b310895a 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 8.6.0alpha2 +- Phar: + . Fixed bug GH-22556 (OOM DoS via oversized ././@LongLink entry in TAR phar). + (crystarm) + - DBA: . Fixed OOB read on malformed length field in dba flatfile handler. (alhudz) diff --git a/ext/phar/tar.c b/ext/phar/tar.c index f85241ccc4e5..a70d68e6f68c 100644 --- a/ext/phar/tar.c +++ b/ext/phar/tar.c @@ -371,8 +371,9 @@ zend_result phar_parse_tarfile( last_was_longlink = true; /* support the ././@LongLink system for storing long filenames */ - /* Check for overflow - bug 61065 */ - if (entry.uncompressed_filesize == UINT_MAX || entry.uncompressed_filesize == 0) { + /* Check for empty or excessively large ././@LongLink filename entries - bug 61065 */ + if (entry.uncompressed_filesize == 0 + || entry.uncompressed_filesize > UINT16_MAX) { if (error) { spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname); }