71391.diff

commit 1c1b8b69982375700d4b011eb89ea48b66dbd5aa
Author: Stanislav Malyshev <stas@php.net>
Date:   Sat Jan 16 20:43:43 2016 -0800

    Fix bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata()

diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index 34ef0ef..5f26805 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -880,6 +880,9 @@ static int phar_tar_setupmetadata(void *pDest, void *argument TSRMLS_DC) /* {{{
 
 	if (entry->filename_len >= sizeof(".phar/.metadata") && !memcmp(entry->filename, ".phar/.metadata", sizeof(".phar/.metadata")-1)) {
 		if (entry->filename_len == sizeof(".phar/.metadata.bin")-1 && !memcmp(entry->filename, ".phar/.metadata.bin", sizeof(".phar/.metadata.bin")-1)) {
+			if (entry->phar->metadata == NULL) {
+				return ZEND_HASH_APPLY_REMOVE;
+			}
 			return phar_tar_setmetadata(entry->phar->metadata, entry, error TSRMLS_CC);
 		}
 		/* search for the file this metadata entry references */
diff --git a/ext/phar/tests/bug71391.phpt b/ext/phar/tests/bug71391.phpt
new file mode 100644
index 0000000..b8d84f5
--- /dev/null
+++ b/ext/phar/tests/bug71391.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Phar: bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata()
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+// duplicate since the tar will change
+copy(__DIR__."/bug71391.tar", __DIR__."/bug71391.test.tar");
+$p = new PharData(__DIR__."/bug71391.test.tar");
+$p->delMetaData();
+?>
+DONE
+--CLEAN--
+<?php 
+unlink(__DIR__."/bug71391.test.tar");
+?>
+--EXPECT--
+DONE
\ No newline at end of file
diff --git a/ext/phar/tests/bug71391.tar b/ext/phar/tests/bug71391.tar
new file mode 100644
index 0000000..a5b155a
Binary files /dev/null and b/ext/phar/tests/bug71391.tar differ