authorChristoph M. Becker <cmbecker69@gmx.de>2020-07-14 17:04:24 +0200
committerChristoph M. Becker <cmbecker69@gmx.de>2020-08-03 11:04:01 +0200
commitf57a99937967ed010c6c57b339b703a3fff5eaa6 (patch)
tree6608cc363a90020792e849370eb2f3999ab07ad8
parent82949e507658d0ddf6db32d8047eeb4e763286c8 (diff)
Fix #79797: Use of freed hash key in the phar_parse_zipfile function
We must not use heap memory after we freed it. (cherry picked from commit 7355ab81763a3d6a04ac11660e6a16d58838d187)
-rw-r--r--NEWS4
-rw-r--r--ext/phar/tests/bug79797.pharbin0 -> 274 bytes
-rw-r--r--ext/phar/tests/bug79797.phpt14
-rw-r--r--ext/phar/zip.c2
4 files changed, 19 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index ddcf1d15f9..10820bb391 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,10 @@ PHP NEWS
- Mbstring:
. Fixed bug #79787 (mb_strimwidth does not trim string). (XXiang)
+- Phar:
+ . Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile
+ function). (CVE-2020-7068) (cmb)
+
- Standard:
. Fixed bug #70362 (Can't copy() large 'data://' with open_basedir). (cmb)
. Fixed bug #79817 (str_replace() does not handle INDIRECT elements). (Nikita)
diff --git a/ext/phar/tests/bug79797.phar b/ext/phar/tests/bug79797.phar
new file mode 100644
index 0000000000..21d43d9eeb
--- /dev/null
+++ b/ext/phar/tests/bug79797.phar
Binary files differ
diff --git a/ext/phar/tests/bug79797.phpt b/ext/phar/tests/bug79797.phpt
new file mode 100644
index 0000000000..761e5379e0
--- /dev/null
+++ b/ext/phar/tests/bug79797.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #79797 (Use of freed hash key in the phar_parse_zipfile function)
+--SKIPIF--
+<?php
+if (!extension_loaded('phar')) die('skip phar extension not available');
+?>
+--INI--
+phar.cache_list={PWD}/bug79797.phar
+--FILE--
+<?php
+echo "done\n";
+?>
+--EXPECT--
+done
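Review bot: The only observable result of this test is that `done` is printed, so on a build without a memory checker the read of the freed key may not crash and the test could pass even with the bug present. The `--FILE--` body never touches the archive; the parse is presumably triggered by the `phar.cache_list={PWD}/bug79797.phar` INI line before the script runs, which is not obvious to a later reader. I would add a `--DESCRIPTION--` section saying that the archive is loaded through `phar.cache_list`, that the script body is intentionally trivial, and that the regression is only reliably caught when the suite runs under ASan or valgrind.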
diff --git a/ext/phar/zip.c b/ext/phar/zip.c
index 9c9e3f6d68..4bed35f636 100644
--- a/ext/phar/zip.c
+++ b/ext/phar/zip.c
@@ -705,7 +705,7 @@ foundit:
efree(actual_alias);
}
- zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), actual_alias, mydata->alias_len, mydata);
+ zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), mydata->alias, mydata->alias_len, mydata);
} else {
phar_archive_data *fd_ptr;
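Review bot: After `efree(actual_alias);` in the context lines above the changed call, the local pointer is left dangling, which is the condition that made the old `zend_hash_str_add_ptr` call read freed heap. Nulling it inside that branch, `actual_alias = NULL;`, would make any later reuse fail deterministically instead of silently reading freed memory, assuming nothing further down needs it on that path. A short comment on the new call would also keep the old argument from being reintroduced, e.g. `/* actual_alias may already be freed here; mydata->alias is the key that stays valid */`. The enclosing function starts and ends outside this hunk, so later uses of `actual_alias` cannot be checked from here.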