From ccca2c448df35ac457eeef11fb7f0d604de3e5f9 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Wed, 22 Apr 2020 14:11:13 +0200 Subject: Fix #79503: Memory leak on duplicate metadata Duplicate metadata can only happen if someone tampers with the phar, so we can and should treat that as error. --- NEWS | 3 +++ ext/phar/tar.c | 8 ++++++++ ext/phar/tests/bug79503.phar | Bin 0 -> 4001 bytes ext/phar/tests/bug79503.phpt | 16 ++++++++++++++++ 4 files changed, 27 insertions(+) create mode 100644 ext/phar/tests/bug79503.phar create mode 100644 ext/phar/tests/bug79503.phpt diff --git a/NEWS b/NEWS index 84b0a46b1a..1831014f24 100644 --- a/NEWS +++ b/NEWS @@ -22,6 +22,9 @@ PHP NEWS . Fixed bug #79497 (stream_socket_client() throws an unknown error sometimes with <1s timeout). (Joe Cai) +- Phar: + . Fix bug #79503 (Memory leak on duplicate metadata). (cmb) + - Standard: . Fixed bug #79468 (SIGSEGV when closing stream handle with a stream filter appended). (dinosaur) diff --git a/ext/phar/tar.c b/ext/phar/tar.c index 7004676e0b..5df5bfec73 100644 --- a/ext/phar/tar.c +++ b/ext/phar/tar.c 
@@ -181,9 +181,17 @@ static int phar_tar_process_metadata(phar_entry_info *entry, php_stream *fp) /* } if (entry->filename_len == sizeof(".phar/.metadata.bin")-1 && !memcmp(entry->filename, ".phar/.metadata.bin", sizeof(".phar/.metadata.bin")-1)) { + if (Z_TYPE(entry->phar->metadata) != IS_UNDEF) { + efree(metadata); + return FAILURE; + } entry->phar->metadata = entry->metadata; ZVAL_UNDEF(&entry->metadata); } else if (entry->filename_len >= sizeof(".phar/.metadata/") + sizeof("/.metadata.bin") - 1 && NULL != (mentry = zend_hash_str_find_ptr(&(entry->phar->manifest), entry->filename + sizeof(".phar/.metadata/") - 1, entry->filename_len - (sizeof("/.metadata.bin") - 1 + sizeof(".phar/.metadata/") - 1)))) { + if (Z_TYPE(mentry->metadata) != IS_UNDEF) { + efree(metadata); + return FAILURE; + } /* transfer this metadata to the entry it refers */ mentry->metadata = entry->metadata; ZVAL_UNDEF(&entry->metadata); diff --git a/ext/phar/tests/bug79503.phar b/ext/phar/tests/bug79503.phar new file mode 100644 index 0000000000..d378c6f3df Binary files /dev/null and b/ext/phar/tests/bug79503.phar differ diff --git a/ext/phar/tests/bug79503.phpt b/ext/phar/tests/bug79503.phpt new file mode 100644 index 0000000000..874330fac7 --- /dev/null +++ b/ext/phar/tests/bug79503.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #79503 (Memory leak on duplicate metadata) +--SKIPIF-- + +--FILE-- +getMessage(); +} +?> +--EXPECTF-- +phar error: tar-based phar "%s%ebug79503.phar" has invalid metadata in magic file ".phar/.metadata.bin" -- cgit v1.2.1
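Review bot: Both new rejection branches return with `entry->metadata` still holding the value that the lines just below would have moved into `entry->phar->metadata` or `mentry->metadata`, and nothing in the hunk shows who releases it. Because this commit is itself a leak fix for tampered archives, it is worth confirming that the caller's cleanup on FAILURE destroys the entry's metadata. Once confirmed, record it next to the guard, for example `/* duplicate metadata only occurs in a tampered phar; reject it, entry->metadata is released by the caller's cleanup */`. The two guards differ only in the target zval, so the same comment fits both. The function starts and ends outside the hunk, so whether the other failure paths do extra cleanup before returning (for example restoring the stream position) cannot be checked from here.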
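Review bot: The expected output names only `.phar/.metadata.bin`, so the test appears to cover just the archive-level guard. Nothing visible exercises the second guard added in `ext/phar/tar.c`, the per-entry `.phar/.metadata/<entry>/.metadata.bin` branch. A second fixture and `--EXPECTF--` case with a repeated per-entry metadata file would pin that path too. The body of the `--FILE--` section is incomplete in this view, so this is inferred from the expected message alone.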