diff options
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/phar/phar_object.c | 4 | ||||
-rw-r--r-- | ext/phar/tests/bug71488.phpt | 5 |
3 files changed, 10 insertions, 2 deletions
@@ -10,6 +10,9 @@ PHP NEWS (CVE-2019-11042) (Stas) . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041) (Stas) + +- Phar: + . Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN). (cmb) 30 May 2019, PHP 7.1.30 diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c index 6bd5c1dc33..c1ba97a195 100644 --- a/ext/phar/phar_object.c +++ b/ext/phar/phar_object.c @@ -2037,7 +2037,7 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext, ze char *newname = NULL, *newpath = NULL; zval ret, arg1; zend_class_entry *ce; - char *error; + char *error = NULL; const char *pcr_error; int ext_len = ext ? strlen(ext) : 0; size_t new_len, oldname_len; @@ -2205,6 +2205,8 @@ its_ok: phar_flush(phar, 0, 0, 1, &error); if (error) { + zend_hash_str_del(&(PHAR_G(phar_fname_map)), newpath, phar->fname_len); + *sphar = NULL; zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "%s", error); efree(error); efree(oldpath); diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt index 9c58d89488..7f8f6c00af 100644 --- a/ext/phar/tests/bug71488.phpt +++ b/ext/phar/tests/bug71488.phpt @@ -15,4 +15,7 @@ DONE ?> --EXPECTF-- Fatal error: Uncaught BadMethodCallException: tar-based phar "%s/bug71488.test" cannot be created, link "%s" is too long for format in %sbug71488.php:%d -Stack trace:%A
\ No newline at end of file +Stack trace: +#0 %s(%d): PharData->decompress('test') +#1 {main} + thrown in %s on line %d |