/.patch Secret
Created
July 29, 2019 14:09
Fix PHP bug #77919
From 8fe110d2fe622f11de979fc5442d59a1490d139e Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Mon, 29 Jul 2019 16:08:03 +0200 | |
Subject: [PATCH] Fix #77919: Potential UAF in Phar RSHUTDOWN | |
From 8fe110d2fe622f11de979fc5442d59a1490d139e Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Mon, 29 Jul 2019 16:08:03 +0200 | |
Subject: [PATCH] Fix #77919: Potential UAF in Phar RSHUTDOWN | |
We have to properly clean up in case phar_flush() is failing. | |
We also make the expectation of the respective test case less liberal | |
to avoid missing such bugs in the future. | |
--- | |
ext/phar/phar_object.c | 4 +++- | |
ext/phar/tests/bug71488.phpt | 5 ++++- | |
2 files changed, 7 insertions(+), 2 deletions(-) | |
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c | |
index 6bd5c1dc33..c1ba97a195 100644 | |
--- a/ext/phar/phar_object.c | |
+++ b/ext/phar/phar_object.c | |
@@ -2037,7 +2037,7 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext, ze | |
char *newname = NULL, *newpath = NULL; | |
zval ret, arg1; | |
zend_class_entry *ce; | |
- char *error; | |
+ char *error = NULL; | |
const char *pcr_error; | |
int ext_len = ext ? strlen(ext) : 0; | |
size_t new_len, oldname_len; | |
@@ -2205,6 +2205,8 @@ its_ok: | |
phar_flush(phar, 0, 0, 1, &error); | |
if (error) { | |
+ zend_hash_str_del(&(PHAR_G(phar_fname_map)), newpath, phar->fname_len); | |
+ *sphar = NULL; | |
zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "%s", error); | |
efree(error); | |
efree(oldpath); | |
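Review bot: The two lines added to the `if (error)` branch have no comment explaining why the map entry is deleted and the caller's pointer cleared, and the hunk alone does not make the reason clear. Presumably the archive was registered in `phar_fname_map` under `newpath` earlier in phar_rename_archive() and deleting the entry releases it, so a comment such as `/* flush failed: drop the new fname_map entry and clear *sphar so nothing refers to the archive afterwards */` would record the intent. The delete uses `phar->fname_len` as the length of `newpath`, which is only correct if that field already holds the new name's length at this point; that should be confirmed against the code above the hunk. Setting `*sphar = NULL` also changes what callers see through the out-parameter, so any caller that dereferences it after a NULL return needs checking. The function starts and ends outside the hunk, and the same hunk appears a second time further down the page.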
diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt | |
index 9c58d89488..7f8f6c00af 100644 | |
--- a/ext/phar/tests/bug71488.phpt | |
+++ b/ext/phar/tests/bug71488.phpt | |
@@ -15,4 +15,7 @@ DONE | |
?> | |
--EXPECTF-- | |
Fatal error: Uncaught BadMethodCallException: tar-based phar "%s/bug71488.test" cannot be created, link "%s" is too long for format in %sbug71488.php:%d | |
-Stack trace:%A | |
\ No newline at end of file | |
+Stack trace: | |
+#0 %s(%d): PharData->decompress('test') | |
+#1 {main} | |
+ thrown in %s on line %d | |
-- | |
2.22.0.windows.1 | |
We have to properly clean up in case phar_flush() is failing. | |
We also make the expectation of the respective test case less liberal | |
to avoid missing such bugs in the future. | |
--- | |
ext/phar/phar_object.c | 4 +++- | |
ext/phar/tests/bug71488.phpt | 5 ++++- | |
2 files changed, 7 insertions(+), 2 deletions(-) | |
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c | |
index 6bd5c1dc33..c1ba97a195 100644 | |
--- a/ext/phar/phar_object.c | |
+++ b/ext/phar/phar_object.c | |
@@ -2037,7 +2037,7 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext, ze | |
char *newname = NULL, *newpath = NULL; | |
zval ret, arg1; | |
zend_class_entry *ce; | |
- char *error; | |
+ char *error = NULL; | |
const char *pcr_error; | |
int ext_len = ext ? strlen(ext) : 0; | |
size_t new_len, oldname_len; | |
@@ -2205,6 +2205,8 @@ its_ok: | |
phar_flush(phar, 0, 0, 1, &error); | |
if (error) { | |
+ zend_hash_str_del(&(PHAR_G(phar_fname_map)), newpath, phar->fname_len); | |
+ *sphar = NULL; | |
zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "%s", error); | |
efree(error); | |
efree(oldpath); | |
diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt | |
index 9c58d89488..7f8f6c00af 100644 | |
--- a/ext/phar/tests/bug71488.phpt | |
+++ b/ext/phar/tests/bug71488.phpt | |
@@ -15,4 +15,7 @@ DONE | |
?> | |
--EXPECTF-- | |
Fatal error: Uncaught BadMethodCallException: tar-based phar "%s/bug71488.test" cannot be created, link "%s" is too long for format in %sbug71488.php:%d | |
-Stack trace:%A | |
\ No newline at end of file | |
+Stack trace: | |
+#0 %s(%d): PharData->decompress('test') | |
+#1 {main} | |
+ thrown in %s on line %d | |
-- | |
2.22.0.windows.1 | |