Patch phar-69958 for Reproducible crash Bug #69958
Patch version 2015-07-05 04:04 UTC
Return to Bug #69958 |
Download this patch
Patch Revisions:
Developer: stas@php.net
commit 452d30cf7d1ba36d7f8bb8aeff5fb3134376f873
Author: Stanislav Malyshev <stas@php.net>
Date: Sat Jul 4 21:01:50 2015 -0700
Fix bug #69958 - Segfault in Phar::convertToData on invalid file
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index add1fa0..1184863 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -1269,7 +1269,7 @@ PHP_METHOD(Phar, __construct)
INIT_PZVAL(&arg2);
ZVAL_LONG(&arg2, flags);
- zend_call_method_with_2_params(&zobj, Z_OBJCE_P(zobj),
+ zend_call_method_with_2_params(&zobj, Z_OBJCE_P(zobj),
&spl_ce_RecursiveDirectoryIterator->constructor, "__construct", NULL, &arg1, &arg2);
if (!phar_data->is_persistent) {
@@ -1293,7 +1293,7 @@ PHP_METHOD(Phar, getSupportedSignatures)
if (zend_parse_parameters_none() == FAILURE) {
return;
}
-
+
array_init(return_value);
add_next_index_stringl(return_value, "MD5", 3, 1);
@@ -1320,7 +1320,7 @@ PHP_METHOD(Phar, getSupportedCompression)
if (zend_parse_parameters_none() == FAILURE) {
return;
}
-
+
array_init(return_value);
phar_request_initialize(TSRMLS_C);
@@ -1608,7 +1608,7 @@ phar_spl_fileinfo:
}
return ZEND_HASH_APPLY_STOP;
}
-
+
base = temp;
base_len = strlen(base);
@@ -1805,7 +1805,7 @@ after_open_fp:
/* {{{ proto array Phar::buildFromDirectory(string base_dir[, string regex])
* Construct a phar archive from an existing directory, recursively.
* Optional second parameter is a regular expression for filtering directory contents.
- *
+ *
* Return value is an array mapping phar index to actual files added.
*/
PHP_METHOD(Phar, buildFromDirectory)
@@ -1845,7 +1845,7 @@ PHP_METHOD(Phar, buildFromDirectory)
ZVAL_LONG(&arg2, SPL_FILE_DIR_SKIPDOTS|SPL_FILE_DIR_UNIXPATHS);
#endif
- zend_call_method_with_2_params(&iter, spl_ce_RecursiveDirectoryIterator,
+ zend_call_method_with_2_params(&iter, spl_ce_RecursiveDirectoryIterator,
&spl_ce_RecursiveDirectoryIterator->constructor, "__construct", NULL, &arg, &arg2);
if (EG(exception)) {
@@ -1862,7 +1862,7 @@ PHP_METHOD(Phar, buildFromDirectory)
RETURN_FALSE;
}
- zend_call_method_with_1_params(&iteriter, spl_ce_RecursiveIteratorIterator,
+ zend_call_method_with_1_params(&iteriter, spl_ce_RecursiveIteratorIterator,
&spl_ce_RecursiveIteratorIterator->constructor, "__construct", NULL, iter);
if (EG(exception)) {
@@ -1887,7 +1887,7 @@ PHP_METHOD(Phar, buildFromDirectory)
INIT_PZVAL(&arg2);
ZVAL_STRINGL(&arg2, regex, regex_len, 0);
- zend_call_method_with_2_params(®exiter, spl_ce_RegexIterator,
+ zend_call_method_with_2_params(®exiter, spl_ce_RegexIterator,
&spl_ce_RegexIterator->constructor, "__construct", NULL, iteriter, &arg2);
}
@@ -2008,7 +2008,7 @@ PHP_METHOD(Phar, buildFromIterator)
PHP_METHOD(Phar, count)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2173,7 +2173,7 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c
spprintf(&newname, 0, "%s.%s", strtok(basename, "."), ext);
efree(basename);
-
+
basepath = estrndup(oldpath, (strlen(oldpath) - oldname_len));
phar->fname_len = spprintf(&newpath, 0, "%s%s", basepath, newname);
@@ -2419,7 +2419,9 @@ no_copy:
zend_hash_destroy(&(phar->manifest));
zend_hash_destroy(&(phar->mounted_dirs));
zend_hash_destroy(&(phar->virtual_dirs));
- php_stream_close(phar->fp);
+ if (phar->fp) {
+ php_stream_close(phar->fp);
+ }
efree(phar->fname);
efree(phar);
return NULL;
@@ -2639,7 +2641,7 @@ PHP_METHOD(Phar, convertToData)
PHP_METHOD(Phar, isCompressed)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2663,7 +2665,7 @@ PHP_METHOD(Phar, isWritable)
{
php_stream_statbuf ssb;
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2741,7 +2743,7 @@ PHP_METHOD(Phar, delete)
PHP_METHOD(Phar, getAlias)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2758,7 +2760,7 @@ PHP_METHOD(Phar, getAlias)
PHP_METHOD(Phar, getPath)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2874,7 +2876,7 @@ valid_alias:
PHP_METHOD(Phar, getVersion)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2889,7 +2891,7 @@ PHP_METHOD(Phar, getVersion)
PHP_METHOD(Phar, startBuffering)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2904,7 +2906,7 @@ PHP_METHOD(Phar, startBuffering)
PHP_METHOD(Phar, isBuffering)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -2921,7 +2923,7 @@ PHP_METHOD(Phar, stopBuffering)
char *error;
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -3156,7 +3158,7 @@ PHP_METHOD(Phar, setSignatureAlgorithm)
PHP_METHOD(Phar, getSignature)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -3200,7 +3202,7 @@ PHP_METHOD(Phar, getSignature)
PHP_METHOD(Phar, getModified)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -3462,7 +3464,7 @@ PHP_METHOD(Phar, decompressFiles)
{
char *error;
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -3983,7 +3985,7 @@ PHP_METHOD(Phar, getStub)
phar_entry_info *stub;
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4086,7 +4088,7 @@ PHP_METHOD(Phar, hasMetadata)
PHP_METHOD(Phar, getMetadata)
{
PHAR_ARCHIVE_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4544,7 +4546,7 @@ PHP_METHOD(PharFileInfo, __construct)
INIT_PZVAL(&arg1);
ZVAL_STRINGL(&arg1, fname, fname_len, 0);
- zend_call_method_with_1_params(&zobj, Z_OBJCE_P(zobj),
+ zend_call_method_with_1_params(&zobj, Z_OBJCE_P(zobj),
&spl_ce_SplFileInfo->constructor, "__construct", NULL, &arg1);
}
/* }}} */
@@ -4582,7 +4584,7 @@ PHP_METHOD(PharFileInfo, __destruct)
PHP_METHOD(PharFileInfo, getCompressedSize)
{
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4624,7 +4626,7 @@ PHP_METHOD(PharFileInfo, isCompressed)
PHP_METHOD(PharFileInfo, getCRC32)
{
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4650,7 +4652,7 @@ PHP_METHOD(PharFileInfo, getCRC32)
PHP_METHOD(PharFileInfo, isCRCChecked)
{
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4665,7 +4667,7 @@ PHP_METHOD(PharFileInfo, isCRCChecked)
PHP_METHOD(PharFileInfo, getPharFlags)
{
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4743,7 +4745,7 @@ PHP_METHOD(PharFileInfo, chmod)
PHP_METHOD(PharFileInfo, hasMetadata)
{
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4758,7 +4760,7 @@ PHP_METHOD(PharFileInfo, hasMetadata)
PHP_METHOD(PharFileInfo, getMetadata)
{
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4839,7 +4841,7 @@ PHP_METHOD(PharFileInfo, delMetadata)
char *error;
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -4897,7 +4899,7 @@ PHP_METHOD(PharFileInfo, getContent)
phar_entry_info *link;
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@@ -5071,7 +5073,7 @@ PHP_METHOD(PharFileInfo, decompress)
{
char *error;
PHAR_ENTRY_OBJECT();
-
+
if (zend_parse_parameters_none() == FAILURE) {
return;
}
diff --git a/ext/phar/tests/bug69958.phpt b/ext/phar/tests/bug69958.phpt
new file mode 100644
index 0000000..d63b413
--- /dev/null
+++ b/ext/phar/tests/bug69958.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Phar: bug #69958: Segfault in Phar::convertToData on invalid file
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+$tarphar = new PharData(__DIR__.'/bug69958.tar');
+$phar = $tarphar->convertToData(Phar::TAR);
+--EXPECTF--
+Fatal error: Uncaught exception 'BadMethodCallException' with message 'phar "%s/bug69958.tar" exists and must be unlinked prior to conversion' in %s/bug69958.php:%d
+Stack trace:
+#0 %s/bug69958.php(%d): PharData->convertToData(%d)
+#1 {main}
+ thrown in %s/bug69958.php on line %d
diff --git a/ext/phar/tests/bug69958.tar b/ext/phar/tests/bug69958.tar
new file mode 100644
index 0000000..0227524
Binary files /dev/null and b/ext/phar/tests/bug69958.tar differ
|