Fix bug #71354 - remove UMR when size is 0

3 files changed, 14 insertions, 0 deletions

diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 6d25509cdf..e21a9829e3 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -4884,6 +4884,7 @@ PHP_METHOD(PharFileInfo, getContent)
 
 	phar_seek_efp(link, 0, SEEK_SET, 0, 0 TSRMLS_CC);
 	Z_TYPE_P(return_value) = IS_STRING;
+	Z_STRVAL_P(return_value) = NULL;
 	Z_STRLEN_P(return_value) = php_stream_copy_to_mem(fp, &(Z_STRVAL_P(return_value)), link->uncompressed_filesize, 0);
 
 	if (!Z_STRVAL_P(return_value)) {
diff --git a/ext/phar/tests/bug71354.phpt b/ext/phar/tests/bug71354.phpt
new file mode 100644
index 0000000000..43230f1520
--- /dev/null
+++ b/ext/phar/tests/bug71354.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Phar: bug #71354: Heap corruption in tar/zip/phar parser.
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+$p = new PharData(__DIR__."/bug71354.tar");
+var_dump($p['aaaa']->getContent());
+?>
+DONE
+--EXPECT--
+string(0) ""
+DONE
\ No newline at end of file
diff --git a/ext/phar/tests/bug71354.tar b/ext/phar/tests/bug71354.tar
new file mode 100644
index 0000000000..b0bd992b9e
--- /dev/null
+++ b/ext/phar/tests/bug71354.tar