PHP :: Bug #80964 :: A use after free bug in ext/phar/phar.c

Bug #80964	A use after free bug in ext/phar/phar.c
Submitted:	2021-04-18 05:45 UTC	Modified:	2021-05-23 04:22 UTC
From:	lylgood at foxmail dot com	Assigned:
Status:	No Feedback	Package:	*Extensibility Functions
PHP Version:	master-Git-2021-04-18 (Git)	OS:	All
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	lylgood at foxmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2021-04-18 05:45 UTC] lylgood at foxmail dot com

Description:
------------
File: ext/phar/phar.c
Bug Function: phar_entry_remove

In function phar_entry_remove, idata->phar is assigned to phar at line 419.
The idata->phar could be freed at line 430 by calling phar_entry_delref(idata)->phar_archive_delref(idata->phar)->phar_destroy_phar_data(phar).
Whereas the freed idata->phar is dereferenced via phar->donotflus at line 433,
which causes a use after free bug.




Test script:
---------------
419:	phar = idata->phar;

	if (idata->internal_file->fp_refcount < 2) {
		if (idata->fp && idata->fp != idata->phar->fp && idata->fp != idata->phar->ufp && idata->fp != idata->internal_file->fp) {
			php_stream_close(idata->fp);
		}
		zend_hash_str_del(&idata->phar->manifest, idata->internal_file->filename, idata->internal_file->filename_len);
		idata->phar->refcount--;
		efree(idata);
	} else {
		idata->internal_file->is_deleted = 1;
430:		phar_entry_delref(idata); // idata->phar freed here !
	}

433:	if (!phar->donotflush) {  // use after free here!

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-04-26 02:53 UTC] lylgood at foxmail dot com

Hi, maintainers.

Sorry to distrub you. Is the bug is a truth one?
Thanks for your time.

[2021-04-26 15:45 UTC] cmb@php.net

I think the scenario you're describing is never supposed to
happen, due to the refcount check on line 421.  However, that is
about phar_archive_data->internal_file->fp_refcount and not
phar_archive_data->refcount, so I'm not sure.

[2021-05-11 06:39 UTC] krakjoe@php.net

-Status: Open +Status: Feedback

[2021-05-11 06:39 UTC] krakjoe@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

[2021-05-23 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 05:00:02 2025 UTC