diff options
author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-07-14 17:04:24 +0200 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-08-03 11:04:01 +0200 |
commit | f57a99937967ed010c6c57b339b703a3fff5eaa6 (patch) | |
tree | 6608cc363a90020792e849370eb2f3999ab07ad8 | |
parent | 82949e507658d0ddf6db32d8047eeb4e763286c8 (diff) | |
download | php-git-f57a99937967ed010c6c57b339b703a3fff5eaa6.tar.gz |
Fix #79797: Use of freed hash key in the phar_parse_zipfile function
We must not use heap memory after we freed it.
(cherry picked from commit 7355ab81763a3d6a04ac11660e6a16d58838d187)
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/phar/tests/bug79797.phar | bin | 0 -> 274 bytes | |||
-rw-r--r-- | ext/phar/tests/bug79797.phpt | 14 | ||||
-rw-r--r-- | ext/phar/zip.c | 2 |
4 files changed, 19 insertions, 1 deletions
@@ -30,6 +30,10 @@ PHP NEWS - Mbstring: . Fixed bug #79787 (mb_strimwidth does not trim string). (XXiang) +- Phar: + . Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile + function). (CVE-2020-7068) (cmb) + - Standard: . Fixed bug #70362 (Can't copy() large 'data://' with open_basedir). (cmb) . Fixed bug #79817 (str_replace() does not handle INDIRECT elements). (Nikita) diff --git a/ext/phar/tests/bug79797.phar b/ext/phar/tests/bug79797.phar Binary files differnew file mode 100644 index 0000000000..21d43d9eeb --- /dev/null +++ b/ext/phar/tests/bug79797.phar diff --git a/ext/phar/tests/bug79797.phpt b/ext/phar/tests/bug79797.phpt new file mode 100644 index 0000000000..761e5379e0 --- /dev/null +++ b/ext/phar/tests/bug79797.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #79797 (Use of freed hash key in the phar_parse_zipfile function) +--SKIPIF-- +<?php +if (!extension_loaded('phar')) die('skip phar extension not available'); +?> +--INI-- +phar.cache_list={PWD}/bug79797.phar +--FILE-- +<?php +echo "done\n"; +?> +--EXPECT-- +done diff --git a/ext/phar/zip.c b/ext/phar/zip.c index 9c9e3f6d68..4bed35f636 100644 --- a/ext/phar/zip.c +++ b/ext/phar/zip.c @@ -705,7 +705,7 @@ foundit: efree(actual_alias); } - zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), actual_alias, mydata->alias_len, mydata); + zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), mydata->alias, mydata->alias_len, mydata); } else { phar_archive_data *fd_ptr; |