From 13ad4d3e971807f9a58ab5933182907dc2958539 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Wed, 13 Jan 2016 16:32:29 -0800
Subject: Fix bug #71354 - remove UMR when size is 0

---
 ext/phar/phar_object.c       |   1 +
 ext/phar/tests/bug71354.phpt |  13 +++++++++++++
 ext/phar/tests/bug71354.tar  | Bin 0 -> 1536 bytes
 3 files changed, 14 insertions(+)
 create mode 100644 ext/phar/tests/bug71354.phpt
 create mode 100644 ext/phar/tests/bug71354.tar

(limited to 'ext/phar')

diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 6d25509cdf..e21a9829e3 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -4884,6 +4884,7 @@ PHP_METHOD(PharFileInfo, getContent)
 
 	phar_seek_efp(link, 0, SEEK_SET, 0, 0 TSRMLS_CC);
 	Z_TYPE_P(return_value) = IS_STRING;
+	Z_STRVAL_P(return_value) = NULL;
 	Z_STRLEN_P(return_value) = php_stream_copy_to_mem(fp, &(Z_STRVAL_P(return_value)), link->uncompressed_filesize, 0);
 
 	if (!Z_STRVAL_P(return_value)) {
diff --git a/ext/phar/tests/bug71354.phpt b/ext/phar/tests/bug71354.phpt
new file mode 100644
index 0000000000..43230f1520
--- /dev/null
+++ b/ext/phar/tests/bug71354.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Phar: bug #71354: Heap corruption in tar/zip/phar parser.
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+$p = new PharData(__DIR__."/bug71354.tar");
+var_dump($p['aaaa']->getContent());
+?>
+DONE
+--EXPECT--
+string(0) ""
+DONE
\ No newline at end of file
diff --git a/ext/phar/tests/bug71354.tar b/ext/phar/tests/bug71354.tar
new file mode 100644
index 0000000000..b0bd992b9e
Binary files /dev/null and b/ext/phar/tests/bug71354.tar differ
-- 
cgit v1.2.1


From 1c1b8b69982375700d4b011eb89ea48b66dbd5aa Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 16 Jan 2016 20:43:43 -0800
Subject: Fix bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata()

---
 ext/phar/tar.c               |   3 +++
 ext/phar/tests/bug71391.phpt |  18 ++++++++++++++++++
 ext/phar/tests/bug71391.tar  | Bin 0 -> 3584 bytes
 3 files changed, 21 insertions(+)
 create mode 100644 ext/phar/tests/bug71391.phpt
 create mode 100644 ext/phar/tests/bug71391.tar

(limited to 'ext/phar')

diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index 34ef0ef892..5f2680590e 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -880,6 +880,9 @@ static int phar_tar_setupmetadata(void *pDest, void *argument TSRMLS_DC) /* {{{
 
 	if (entry->filename_len >= sizeof(".phar/.metadata") && !memcmp(entry->filename, ".phar/.metadata", sizeof(".phar/.metadata")-1)) {
 		if (entry->filename_len == sizeof(".phar/.metadata.bin")-1 && !memcmp(entry->filename, ".phar/.metadata.bin", sizeof(".phar/.metadata.bin")-1)) {
+			if (entry->phar->metadata == NULL) {
+				return ZEND_HASH_APPLY_REMOVE;
+			}
 			return phar_tar_setmetadata(entry->phar->metadata, entry, error TSRMLS_CC);
 		}
 		/* search for the file this metadata entry references */
diff --git a/ext/phar/tests/bug71391.phpt b/ext/phar/tests/bug71391.phpt
new file mode 100644
index 0000000000..b8d84f5375
--- /dev/null
+++ b/ext/phar/tests/bug71391.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Phar: bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata()
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+// duplicate since the tar will change
+copy(__DIR__."/bug71391.tar", __DIR__."/bug71391.test.tar");
+$p = new PharData(__DIR__."/bug71391.test.tar");
+$p->delMetaData();
+?>
+DONE
+--CLEAN--
+<?php 
+unlink(__DIR__."/bug71391.test.tar");
+?>
+--EXPECT--
+DONE
\ No newline at end of file
diff --git a/ext/phar/tests/bug71391.tar b/ext/phar/tests/bug71391.tar
new file mode 100644
index 0000000000..a5b155ac87
Binary files /dev/null and b/ext/phar/tests/bug71391.tar differ
-- 
cgit v1.2.1


From 07c7df68bd68bbe706371fccc77c814ebb335d9e Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 31 Jan 2016 19:37:56 -0800
Subject: Fixed bug #71488: Stack overflow when decompressing tar archives

---
 ext/phar/tar.c               |  22 ++++++++++++++++------
 ext/phar/tests/bug71488.phpt |  16 ++++++++++++++++
 ext/phar/tests/bug71488.tar  | Bin 0 -> 10240 bytes
 3 files changed, 32 insertions(+), 6 deletions(-)
 create mode 100644 ext/phar/tests/bug71488.phpt
 create mode 100644 ext/phar/tests/bug71488.tar

(limited to 'ext/phar')

diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index 5f2680590e..3a4bd491f8 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -195,6 +195,13 @@ static int phar_tar_process_metadata(phar_entry_info *entry, php_stream *fp TSRM
 }
 /* }}} */
 
+#if !HAVE_STRNLEN
+static size_t strnlen(const char *s, size_t maxlen) {
+        char *r = (char *)memchr(s, '\0', maxlen);
+        return r ? r-s : maxlen;
+}
+#endif
+
 int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, int alias_len, phar_archive_data** pphar, int is_data, php_uint32 compression, char **error TSRMLS_DC) /* {{{ */
 {
 	char buf[512], *actual_alias = NULL, *p;
@@ -204,6 +211,7 @@ int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias,
 	php_uint32 sum1, sum2, size, old;
 	phar_archive_data *myphar, **actual;
 	int last_was_longlink = 0;
+	int linkname_len;
 
 	if (error) {
 		*error = NULL;
@@ -264,7 +272,7 @@ int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias,
 			goto next;
 		}
 
-		if (((!old && hdr->prefix[0] == 0) || old) && strlen(hdr->name) == sizeof(".phar/signature.bin")-1 && !strncmp(hdr->name, ".phar/signature.bin", sizeof(".phar/signature.bin")-1)) {
+		if (((!old && hdr->prefix[0] == 0) || old) && strnlen(hdr->name, 100) == sizeof(".phar/signature.bin")-1 && !strncmp(hdr->name, ".phar/signature.bin", sizeof(".phar/signature.bin")-1)) {
 			off_t curloc;
 
 			if (size > 511) {
@@ -474,20 +482,22 @@ bail:
 		}
 
 		entry.link = NULL;
-
+		/* link field is null-terminated unless it has 100 non-null chars.
+		 * Thus we can not use strlen. */
+		linkname_len = strnlen(hdr->linkname, 100);
 		if (entry.tar_type == TAR_LINK) {
-			if (!zend_hash_exists(&myphar->manifest, hdr->linkname, strlen(hdr->linkname))) {
+			if (!zend_hash_exists(&myphar->manifest, hdr->linkname, linkname_len)) {
 				if (error) {
-					spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file - hard link to non-existent file \"%s\"", fname, hdr->linkname);
+					spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file - hard link to non-existent file \"%.*s\"", fname, linkname_len, hdr->linkname);
 				}
 				pefree(entry.filename, entry.is_persistent);
 				php_stream_close(fp);
 				phar_destroy_phar_data(myphar TSRMLS_CC);
 				return FAILURE;
 			}
-			entry.link = estrdup(hdr->linkname);
+			entry.link = estrndup(hdr->linkname, linkname_len);
 		} else if (entry.tar_type == TAR_SYMLINK) {
-			entry.link = estrdup(hdr->linkname);
+			entry.link = estrndup(hdr->linkname, linkname_len);
 		}
 		phar_set_inode(&entry TSRMLS_CC);
 		zend_hash_add(&myphar->manifest, entry.filename, entry.filename_len, (void*)&entry, sizeof(phar_entry_info), (void **) &newentry);
diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt
new file mode 100644
index 0000000000..05fdd8f481
--- /dev/null
+++ b/ext/phar/tests/bug71488.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Phar: bug #71488: Stack overflow when decompressing tar archives
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+$p = new PharData(__DIR__."/bug71488.tar");
+$newp = $p->decompress("test");
+?>
+DONE
+--CLEAN--
+<?php
+@unlink(__DIR__."/bug71488.test");
+?>
+--EXPECT--
+DONE
\ No newline at end of file
diff --git a/ext/phar/tests/bug71488.tar b/ext/phar/tests/bug71488.tar
new file mode 100644
index 0000000000..6e14195025
Binary files /dev/null and b/ext/phar/tests/bug71488.tar differ
-- 
cgit v1.2.1