--- embedaddon/php/ext/phar/tar.c	2012/02/21 23:47:59	1.1.1.1
+++ embedaddon/php/ext/phar/tar.c	2014/06/15 20:03:54	1.1.1.3
@@ -2,7 +2,7 @@
   +----------------------------------------------------------------------+
   | TAR archive support for Phar                                         |
   +----------------------------------------------------------------------+
-  | Copyright (c) 2005-2012 The PHP Group                                |
+  | Copyright (c) 2005-2014 The PHP Group                                |
   +----------------------------------------------------------------------+
   | This source file is subject to version 3.01 of the PHP license,      |
   | that is bundled with this package in the file LICENSE, and is        |
@@ -38,7 +38,7 @@ static php_uint32 phar_tar_number(char *buf, int len) 
 /* }}} */
 
 /* adapted from format_octal() in libarchive
- * 
+ *
  * Copyright (c) 2003-2009 Tim Kientzle
  * All rights reserved.
  *
@@ -161,7 +161,7 @@ static int phar_tar_process_metadata(phar_entry_info *
 	size_t save = php_stream_tell(fp), read;
 	phar_entry_info *mentry;
 
-	metadata = (char *) emalloc(entry->uncompressed_filesize + 1);
+	metadata = (char *) safe_emalloc(1, entry->uncompressed_filesize, 1);
 
 	read = php_stream_read(fp, metadata, entry->uncompressed_filesize);
 	if (read != entry->uncompressed_filesize) {
@@ -337,6 +337,16 @@ bail:
 			last_was_longlink = 1;
 			/* support the ././@LongLink system for storing long filenames */
 			entry.filename_len = entry.uncompressed_filesize;
+
+			/* Check for overflow - bug 61065 */
+			if (entry.filename_len == UINT_MAX) {
+				if (error) {
+					spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname);
+				}
+				php_stream_close(fp);
+				phar_destroy_phar_data(myphar TSRMLS_CC);
+				return FAILURE;
+			}
 			entry.filename = pemalloc(entry.filename_len+1, myphar->is_persistent);
 
 			read = php_stream_read(fp, entry.filename, entry.filename_len);
@@ -367,7 +377,7 @@ bail:
 			}
 
 			read = php_stream_read(fp, buf, sizeof(buf));
-	
+
 			if (read != sizeof(buf)) {
 				efree(entry.filename);
 				if (error) {
@@ -837,7 +847,10 @@ int phar_tar_setmetadata(zval *metadata, phar_entry_in
 	entry->is_modified = 1;
 	entry->fp = php_stream_fopen_tmpfile();
 	entry->offset = entry->offset_abs = 0;
-
+	if (entry->fp == NULL) {
+		spprintf(error, 0, "phar error: unable to create temporary file");
+		return -1;
+	}
 	if (entry->metadata_str.len != php_stream_write(entry->fp, entry->metadata_str.c, entry->metadata_str.len)) {
 		spprintf(error, 0, "phar tar error: unable to write metadata to magic metadata file \"%s\"", entry->filename);
 		zend_hash_del(&(entry->phar->manifest), entry->filename, entry->filename_len);
@@ -939,7 +952,10 @@ int phar_tar_flush(phar_archive_data *phar, char *user
 		entry.filename = estrndup(".phar/alias.txt", sizeof(".phar/alias.txt")-1);
 		entry.filename_len = sizeof(".phar/alias.txt")-1;
 		entry.fp = php_stream_fopen_tmpfile();
-
+		if (entry.fp == NULL) {
+			spprintf(error, 0, "phar error: unable to create temporary file");
+			return -1;
+		}
 		if (phar->alias_len != (int)php_stream_write(entry.fp, phar->alias, phar->alias_len)) {
 			if (error) {
 				spprintf(error, 0, "unable to set alias in tar-based phar \"%s\"", phar->fname);
@@ -976,11 +992,8 @@ int phar_tar_flush(phar_archive_data *phar, char *user
 				len = -len;
 			}
 			user_stub = 0;
-#if PHP_MAJOR_VERSION >= 6
-			if (!(len = php_stream_copy_to_mem(stubfile, (void **) &user_stub, len, 0)) || !user_stub) {
-#else
+
 			if (!(len = php_stream_copy_to_mem(stubfile, &user_stub, len, 0)) || !user_stub) {
-#endif
 				if (error) {
 					spprintf(error, 0, "unable to read resource to copy stub to new tar-based phar \"%s\"", phar->fname);
 				}
@@ -1007,6 +1020,10 @@ int phar_tar_flush(phar_archive_data *phar, char *user
 
 		len = pos - user_stub + 18;
 		entry.fp = php_stream_fopen_tmpfile();
+		if (entry.fp == NULL) {
+			spprintf(error, 0, "phar error: unable to create temporary file");
+			return EOF;
+		}
 		entry.uncompressed_filesize = len + 5;
 
 		if ((size_t)len != php_stream_write(entry.fp, user_stub, len)
@@ -1031,7 +1048,10 @@ int phar_tar_flush(phar_archive_data *phar, char *user
 	} else {
 		/* Either this is a brand new phar (add the stub), or the default stub is required (overwrite the stub) */
 		entry.fp = php_stream_fopen_tmpfile();
-
+		if (entry.fp == NULL) {
+			spprintf(error, 0, "phar error: unable to create temporary file");
+			return EOF;
+		}
 		if (sizeof(newstub)-1 != php_stream_write(entry.fp, newstub, sizeof(newstub)-1)) {
 			php_stream_close(entry.fp);
 			if (error) {
@@ -1080,7 +1100,6 @@ nostub:
 	}
 
 	newfile = php_stream_fopen_tmpfile();
-
 	if (!newfile) {
 		if (error) {
 			spprintf(error, 0, "unable to create temporary file");
@@ -1167,7 +1186,10 @@ nostub:
 		entry.filename = ".phar/signature.bin";
 		entry.filename_len = sizeof(".phar/signature.bin")-1;
 		entry.fp = php_stream_fopen_tmpfile();
-
+		if (entry.fp == NULL) {
+			spprintf(error, 0, "phar error: unable to create temporary file");
+			return EOF;
+		}
 #ifdef WORDS_BIGENDIAN
 # define PHAR_SET_32(var, buffer) \
 	*(php_uint32 *)(var) = (((((unsigned char*)&(buffer))[3]) << 24) \