authorStanislav Malyshev <stas@php.net>2015-07-06 21:52:49 -0700
committerStanislav Malyshev <stas@php.net>2015-07-06 21:52:49 -0700
commit303d97feda15e97f9058e4ab96799ec2dbd3652f (patch)
tree8071010fb681343c4f6e8b559dd29064072015bc /ext/phar
parent8f2e08239fc1f8aabc26398393303fa685e810dd (diff)
parent0d2f147d80bd02d4d1ccaa0fa530d9d4846b3c75 (diff)
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4: Fix bug #69669 (mysqlnd is vulnerable to BACKRONYM) Fix bug #69923 - Buffer overflow and stack smashing error in phar_fix_filepath Fix bug #69958 - Segfault in Phar::convertToData on invalid file Conflicts: ext/mysqlnd/mysqlnd.c
Diffstat (limited to 'ext/phar')
-rw-r--r--ext/phar/phar.c10
-rw-r--r--ext/phar/phar_object.c70
-rw-r--r--ext/phar/tests/bug69958.phpt14
-rw-r--r--ext/phar/tests/bug69958.tarbin0 -> 513 bytes
4 files changed, 58 insertions, 36 deletions
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index e7d7429610..4b9a493926 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -2141,7 +2141,7 @@ char *tsrm_strtok_r(char *s, const char *delim, char **last) /* {{{ */
*/
char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ */
{
- char newpath[MAXPATHLEN];
+ char *newpath;
int newpath_len;
char *ptr;
char *tok;
@@ -2149,8 +2149,10 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{
if (PHAR_G(cwd_len) && use_cwd && path_length > 2 && path[0] == '.' && path[1] == '/') {
newpath_len = PHAR_G(cwd_len);
+ newpath = emalloc(strlen(path) + newpath_len + 1);
memcpy(newpath, PHAR_G(cwd), newpath_len);
} else {
+ newpath = emalloc(strlen(path) + 2);
newpath[0] = '/';
newpath_len = 1;
}
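Review bot: Both new allocations are sized from `strlen(path)`, while the condition at the top of this hunk bounds the input with `path_length`. If a caller can pass a length larger than the distance to the first NUL byte, the heap buffer would be smaller than the range the rest of the function presumably walks. Sizing from the same variable removes that dependency, e.g. `newpath = emalloc(path_length + newpath_len + 1);` and `newpath = emalloc(path_length + 2);`, or add a comment stating that callers guarantee `path_length == strlen(path)`. The terminating `newpath[newpath_len] = '\0'` write in the last hunk of this file relies on the same bound. The body of phar_fix_filepath continues outside this hunk, so the copy loop itself is not visible here.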
@@ -2173,6 +2175,7 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{
if (*tok == '.') {
efree(path);
*new_len = 1;
+ efree(newpath);
return estrndup("/", 1);
}
break;
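Review bot: `efree(newpath)` is now repeated by hand on each early exit in this hunk and the next one, so any exit added later leaks the buffer unless it remembers the same call. None of the visible early-return lines read `newpath`, so the allocation could likely be moved below this short-path block, which would make the three added `efree(newpath);` lines unnecessary. The code between the hunks is not shown, so confirm nothing there touches `newpath` first. If the allocation has to stay where it is, a comment such as `/* newpath is unused on this path; release it before returning */` at the first site would explain the pattern.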
@@ -2180,9 +2183,11 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{
if (tok[0] == '.' && tok[1] == '.') {
efree(path);
*new_len = 1;
+ efree(newpath);
return estrndup("/", 1);
}
}
+ efree(newpath);
return path;
}
@@ -2231,7 +2236,8 @@ last_time:
efree(path);
*new_len = newpath_len;
- return estrndup(newpath, newpath_len);
+ newpath[newpath_len] = '\0';
+ return erealloc(newpath, newpath_len + 1);
}
/* }}} */
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 0712b86f7b..98f06e954d 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -1252,7 +1252,7 @@ PHP_METHOD(Phar, __construct)
INIT_PZVAL(&arg2);
ZVAL_LONG(&arg2, flags);
- zend_call_method_with_2_params(&zobj, Z_OBJCE_P(zobj),
+ zend_call_method_with_2_params(&zobj, Z_OBJCE_P(zobj),
&spl_ce_RecursiveDirectoryIterator->constructor, "__construct", NULL, &arg1, &arg2);
if (!phar_data->is_persistent) {
@@ -1276,7 +1276,7 @@ PHP_METHOD(Phar, getSupportedSignatures)
if (zend_parse_parameters_none() == FAILURE) {
return;
}
-
+
array_init(return_value);
add_next_index_stringl(return_value, "MD5", 3, 1);
@@ -1303,7 +1303,7 @@ PHP_METHOD(Phar, getSupportedCompression)
if (zend_parse_parameters_none() == FAILURE) {
return;
}
-
+
array_init(return_value);
phar_request_initialize(TSRMLS_C);
@@ -1548,7 +1548,7 @@ phar_spl_fileinfo:
}
return ZEND_HASH_APPLY_STOP;
}
-
+
base = temp;
base_len = strlen(base);
@@ -1737,7 +1737,7 @@ after_open_fp:
/* {{{ proto array Phar::buildFromDirectory(string base_dir[, string regex])
* Construct a phar archive from an existing directory, recursively.
* Optional second parameter is a regular expression for filtering directory contents.
- *
+ *
* Return value is an array mapping phar index to actual files added.
*/
PHP_METHOD(Phar, buildFromDirectory)
@@ -1773,7 +1773,7 @@ PHP_METHOD(Phar, buildFromDirectory)
INIT_PZVAL(&arg2);
ZVAL_LONG(&arg2, SPL_FILE_DIR_SKIPDOTS|SPL_FILE_DIR_UNIXPATHS);
- zend_call_method_with_2_params(&iter, spl_ce_RecursiveDirectoryIterator,
+ zend_call_method_with_2_params(&iter, spl_ce_RecursiveDirectoryIterator,
&spl_ce_RecursiveDirectoryIterator->constructor, "__construct", NULL, &arg, &arg2);
if (EG(exception)) {
@@ -1790,7 +1790,7 @@ PHP_METHOD(Phar, buildFromDirectory)
RETURN_FALSE;
}
- zend_call_method_with_1_params(&iteriter, spl_ce_RecursiveIteratorIterator,
+ zend_call_method_with_1_params(&iteriter, spl_ce_RecursiveIteratorIterator,
&spl_ce_RecursiveIteratorIterator->constructor, "__construct", NULL, iter);
if (EG(exception)) {
@@ -1815,7 +1815,7 @@ PHP_METHOD(Phar, buildFromDirectory)
INIT_PZVAL(&arg2);
ZVAL_STRINGL(&arg2, regex, regex_len, 0);
- zend_call_method_with_2_params(&regexiter, spl_ce_RegexIterator,
+ zend_call_method_with_2_params(&regexiter, spl_ce_RegexIterator,
&spl_ce_RegexIterator->constructor, "__construct", NULL, iteriter, &arg2);
}
@@ -1936,7 +1936,7 @@ PHP_METHOD(Phar, buildFromIterator)
PHP_METHOD(Phar, count)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2101,7 +2101,7 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c
spprintf(&newname, 0, "%s.%s", strtok(basename, "."), ext);
efree(basename);
-
+
basepath = estrndup(oldpath, (strlen(oldpath) - oldname_len));
phar->fname_len = spprintf(&newpath, 0, "%s%s", basepath, newname);
@@ -2339,7 +2339,9 @@ no_copy:
zend_hash_destroy(&(phar->manifest));
zend_hash_destroy(&(phar->mounted_dirs));
zend_hash_destroy(&(phar->virtual_dirs));
- php_stream_close(phar->fp);
+ if (phar->fp) {
+ php_stream_close(phar->fp);
+ }
efree(phar->fname);
efree(phar);
return NULL;
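Review bot: The new `if (phar->fp)` guard has no comment saying when `fp` is NULL on this cleanup path, so the next reader cannot tell whether the check is defensive or required. A short comment above it, for example `/* fp may be NULL if the archive failed before a stream was attached (bug #69958) */`, would record that. The exact condition should be confirmed against the code above the hunk, which is not visible. It is also worth checking whether other cleanup paths in this file close `phar->fp` unconditionally, since they would share the crash.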
@@ -2559,7 +2561,7 @@ PHP_METHOD(Phar, convertToData)
PHP_METHOD(Phar, isCompressed)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2583,7 +2585,7 @@ PHP_METHOD(Phar, isWritable)
{
php_stream_statbuf ssb;
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2661,7 +2663,7 @@ PHP_METHOD(Phar, delete)
PHP_METHOD(Phar, getAlias)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2678,7 +2680,7 @@ PHP_METHOD(Phar, getAlias)
PHP_METHOD(Phar, getPath)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2794,7 +2796,7 @@ valid_alias:
PHP_METHOD(Phar, getVersion)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2809,7 +2811,7 @@ PHP_METHOD(Phar, getVersion)
PHP_METHOD(Phar, startBuffering)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2824,7 +2826,7 @@ PHP_METHOD(Phar, startBuffering)
PHP_METHOD(Phar, isBuffering)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2841,7 +2843,7 @@ PHP_METHOD(Phar, stopBuffering)
char *error;
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -3076,7 +3078,7 @@ PHP_METHOD(Phar, setSignatureAlgorithm)
PHP_METHOD(Phar, getSignature)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -3120,7 +3122,7 @@ PHP_METHOD(Phar, getSignature)
PHP_METHOD(Phar, getModified)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -3382,7 +3384,7 @@ PHP_METHOD(Phar, decompressFiles)
{
char *error;
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -3899,7 +3901,7 @@ PHP_METHOD(Phar, getStub)
phar_entry_info *stub;
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4002,7 +4004,7 @@ PHP_METHOD(Phar, hasMetadata)
PHP_METHOD(Phar, getMetadata)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4450,7 +4452,7 @@ PHP_METHOD(PharFileInfo, __construct)
INIT_PZVAL(&arg1);
ZVAL_STRINGL(&arg1, fname, fname_len, 0);
- zend_call_method_with_1_params(&zobj, Z_OBJCE_P(zobj),
+ zend_call_method_with_1_params(&zobj, Z_OBJCE_P(zobj),
&spl_ce_SplFileInfo->constructor, "__construct", NULL, &arg1);
}
/* }}} */
@@ -4488,7 +4490,7 @@ PHP_METHOD(PharFileInfo, __destruct)
PHP_METHOD(PharFileInfo, getCompressedSize)
{
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4530,7 +4532,7 @@ PHP_METHOD(PharFileInfo, isCompressed)
PHP_METHOD(PharFileInfo, getCRC32)
{
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4556,7 +4558,7 @@ PHP_METHOD(PharFileInfo, getCRC32)
PHP_METHOD(PharFileInfo, isCRCChecked)
{
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4571,7 +4573,7 @@ PHP_METHOD(PharFileInfo, isCRCChecked)
PHP_METHOD(PharFileInfo, getPharFlags)
{
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4649,7 +4651,7 @@ PHP_METHOD(PharFileInfo, chmod)
PHP_METHOD(PharFileInfo, hasMetadata)
{
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4664,7 +4666,7 @@ PHP_METHOD(PharFileInfo, hasMetadata)
PHP_METHOD(PharFileInfo, getMetadata)
{
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4745,7 +4747,7 @@ PHP_METHOD(PharFileInfo, delMetadata)
char *error;
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4803,7 +4805,7 @@ PHP_METHOD(PharFileInfo, getContent)
phar_entry_info *link;
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4977,7 +4979,7 @@ PHP_METHOD(PharFileInfo, decompress)
{
char *error;
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
diff --git a/ext/phar/tests/bug69958.phpt b/ext/phar/tests/bug69958.phpt
new file mode 100644
index 0000000000..d63b413c29
--- /dev/null
+++ b/ext/phar/tests/bug69958.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Phar: bug #69958: Segfault in Phar::convertToData on invalid file
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+$tarphar = new PharData(__DIR__.'/bug69958.tar');
+$phar = $tarphar->convertToData(Phar::TAR);
+--EXPECTF--
+Fatal error: Uncaught exception 'BadMethodCallException' with message 'phar "%s/bug69958.tar" exists and must be unlinked prior to conversion' in %s/bug69958.php:%d
+Stack trace:
+#0 %s/bug69958.php(%d): PharData->convertToData(%d)
+#1 {main}
+ thrown in %s/bug69958.php on line %d
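Review bot: The `--EXPECTF--` section pins the whole uncaught-exception output, including the stack trace layout, so the test can fail on a change to fatal-error formatting rather than on a regression of the fix. Catching the exception in `--FILE--` and printing only its message, e.g. `try { $tarphar->convertToData(Phar::TAR); } catch (Exception $e) { echo $e->getMessage(); }`, keeps the assertion on the behaviour under test. The diffstat for ext/phar also shows no regression test for the phar_fix_filepath change in phar.c.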
diff --git a/ext/phar/tests/bug69958.tar b/ext/phar/tests/bug69958.tar
new file mode 100644
index 0000000000..02275248bd
--- /dev/null
+++ b/ext/phar/tests/bug69958.tar
Binary files differ