diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-04-22 14:11:13 +0200 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-04-22 15:07:46 +0200 |
| commit | ccca2c448df35ac457eeef11fb7f0d604de3e5f9 (patch) | |
| tree | acdf2b12493c9522705d417426a975f0ecc9a17e | |
| parent | fa10abd6d75aeb9fde1f53cf80116e39577a4555 (diff) | |
| download | php-git-ccca2c448df35ac457eeef11fb7f0d604de3e5f9.tar.gz | |
Fix #79503: Memory leak on duplicate metadata
Duplicate metadata can only happen if someone tampers with the phar, so
we can and should treat that as error.
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | ext/phar/tar.c | 8 | ||||
| -rw-r--r-- | ext/phar/tests/bug79503.phar | bin | 0 -> 4001 bytes | |||
| -rw-r--r-- | ext/phar/tests/bug79503.phpt | 16 |
4 files changed, 27 insertions, 0 deletions
@@ -22,6 +22,9 @@ PHP NEWS . Fixed bug #79497 (stream_socket_client() throws an unknown error sometimes with <1s timeout). (Joe Cai) +- Phar: + . Fix bug #79503 (Memory leak on duplicate metadata). (cmb) + - Standard: . Fixed bug #79468 (SIGSEGV when closing stream handle with a stream filter appended). (dinosaur) diff --git a/ext/phar/tar.c b/ext/phar/tar.c index 7004676e0b..5df5bfec73 100644 --- a/ext/phar/tar.c +++ b/ext/phar/tar.c @@ -181,9 +181,17 @@ static int phar_tar_process_metadata(phar_entry_info *entry, php_stream *fp) /* } if (entry->filename_len == sizeof(".phar/.metadata.bin")-1 && !memcmp(entry->filename, ".phar/.metadata.bin", sizeof(".phar/.metadata.bin")-1)) { + if (Z_TYPE(entry->phar->metadata) != IS_UNDEF) { + efree(metadata); + return FAILURE; + } entry->phar->metadata = entry->metadata; ZVAL_UNDEF(&entry->metadata); } else if (entry->filename_len >= sizeof(".phar/.metadata/") + sizeof("/.metadata.bin") - 1 && NULL != (mentry = zend_hash_str_find_ptr(&(entry->phar->manifest), entry->filename + sizeof(".phar/.metadata/") - 1, entry->filename_len - (sizeof("/.metadata.bin") - 1 + sizeof(".phar/.metadata/") - 1)))) { + if (Z_TYPE(mentry->metadata) != IS_UNDEF) { + efree(metadata); + return FAILURE; + } /* transfer this metadata to the entry it refers */ mentry->metadata = entry->metadata; ZVAL_UNDEF(&entry->metadata); diff --git a/ext/phar/tests/bug79503.phar b/ext/phar/tests/bug79503.phar Binary files differnew file mode 100644 index 0000000000..d378c6f3df --- /dev/null +++ b/ext/phar/tests/bug79503.phar diff --git a/ext/phar/tests/bug79503.phpt b/ext/phar/tests/bug79503.phpt new file mode 100644 index 0000000000..874330fac7 --- /dev/null +++ b/ext/phar/tests/bug79503.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #79503 (Memory leak on duplicate metadata) +--SKIPIF-- +<?php +if (!extension_loaded('phar')) die('skip phar extension not available'); +?> +--FILE-- +<?php +try { + new Phar(__DIR__ . '/bug79503.phar'); +} catch (UnexpectedValueException $ex) { + echo $ex->getMessage(); +} +?> +--EXPECTF-- +phar error: tar-based phar "%s%ebug79503.phar" has invalid metadata in magic file ".phar/.metadata.bin" |