
/72321.diff Secret

Created June 13, 2016 04:36
Patch for 72321
commit d144590d38fa321b46b8e199c754006318985c84
Author: Stanislav Malyshev <stas@php.net>
Date: Sun Jun 12 16:43:12 2016 -0700
Fix bug #72321 - use efree() for emalloc allocation
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 08d2983..64d7a6c 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -4217,14 +4217,14 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *
if (!php_stream_mkdir(fullpath, entry->flags & PHAR_ENT_PERM_MASK, PHP_STREAM_MKDIR_RECURSIVE, NULL)) {
spprintf(error, 4096, "Cannot extract \"%s\", could not create directory \"%s\"", entry->filename, fullpath);
efree(fullpath);
- free(new_state.cwd);
+ efree(new_state.cwd);
return FAILURE;
}
} else {
if (!php_stream_mkdir(fullpath, 0777, PHP_STREAM_MKDIR_RECURSIVE, NULL)) {
spprintf(error, 4096, "Cannot extract \"%s\", could not create directory \"%s\"", entry->filename, fullpath);
efree(fullpath);
- free(new_state.cwd);
+ efree(new_state.cwd);
return FAILURE;
}
}
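Review bot: Both error branches repeat the same three-line cleanup, so the allocator mismatch had to be fixed in two places, and nothing in the visible lines says which allocator owns `new_state.cwd`. A short comment at the first release, such as `/* new_state.cwd is allocated with emalloc(); release it with efree(), never free() */`, would keep a later edit from reintroducing the invalid free. Routing both branches through one shared failure path would mean the release is written only once. The body of phar_extract_file starts and continues outside this hunk, so any other exits that release `new_state.cwd` are not visible here and should be checked for the same `free()`/`efree()` mismatch.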
diff --git a/ext/phar/tests/72321_1.zip b/ext/phar/tests/72321_1.zip
new file mode 100644
index 0000000..ebc44ea
Binary files /dev/null and b/ext/phar/tests/72321_1.zip differ
diff --git a/ext/phar/tests/72321_2.zip b/ext/phar/tests/72321_2.zip
new file mode 100644
index 0000000..de7ca26
Binary files /dev/null and b/ext/phar/tests/72321_2.zip differ
diff --git a/ext/phar/tests/bug72321.phpt b/ext/phar/tests/bug72321.phpt
new file mode 100644
index 0000000..37aca19
--- /dev/null
+++ b/ext/phar/tests/bug72321.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Phar: PHP bug #72321: invalid free in phar_extract_file()
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+mkdir("test72321");
+$phar = new PharData("72321_1.zip");
+$phar->extractTo("test72321");
+$phar = new PharData("72321_2.zip");
+try {
+$phar->extractTo("test72321");
+} catch(PharException $e) {
+ print $e->getMessage()."\n";
+}
+?>
+DONE
+--CLEAN--
+<?php unlink(__DIR__."/test72321/AAAAAAAAxxxxBBBBCCCCCCCCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
+rmdir(__DIR__."/test72321");
+?>
+--EXPECTF--
+Warning: PharData::extractTo(): Not a directory in %s/bug72321.php on line %d
+Extraction from phar "%s/72321_2.zip" failed: Cannot extract "AAAAAAAAxxxxBBBBCCCCCCCCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/b/c", could not create directory "test72321/AAAAAAAAxxxxBBBBCCCCCCCCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/b"
+DONE
\ No newline at end of file
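Review bot: The --EXPECTF-- lines hard-code a `/` directly after `%s`, so the expected warning will presumably not match where `__DIR__` is reported with a different path separator. Writing the first line as `Warning: PharData::extractTo(): Not a directory in %sbug72321.php on line %d` avoids that, and the `"%s/72321_2.zip"` pattern on the next line could be loosened to `"%s72321_2.zip"` the same way. The test also asserts only the printed message, so the invalid free it targets is caught only where the mismatched release actually aborts or the suite runs under a memory checker. A one-line comment in the --FILE-- section saying so would help whoever maintains it.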