Create a gist now

Instantly share code, notes, and snippets.

@smalyshev /71391.diff Secret
Last active Jan 17, 2016

What would you like to do?
commit 1c1b8b69982375700d4b011eb89ea48b66dbd5aa
Author: Stanislav Malyshev <stas@php.net>
Date: Sat Jan 16 20:43:43 2016 -0800
Fix bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata()
diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index 34ef0ef..5f26805 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -880,6 +880,9 @@ static int phar_tar_setupmetadata(void *pDest, void *argument TSRMLS_DC) /* {{{
if (entry->filename_len >= sizeof(".phar/.metadata") && !memcmp(entry->filename, ".phar/.metadata", sizeof(".phar/.metadata")-1)) {
if (entry->filename_len == sizeof(".phar/.metadata.bin")-1 && !memcmp(entry->filename, ".phar/.metadata.bin", sizeof(".phar/.metadata.bin")-1)) {
+ if (entry->phar->metadata == NULL) {
+ return ZEND_HASH_APPLY_REMOVE;
+ }
return phar_tar_setmetadata(entry->phar->metadata, entry, error TSRMLS_CC);
}
/* search for the file this metadata entry references */
diff --git a/ext/phar/tests/bug71391.phpt b/ext/phar/tests/bug71391.phpt
new file mode 100644
index 0000000..b8d84f5
--- /dev/null
+++ b/ext/phar/tests/bug71391.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Phar: bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata()
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+// duplicate since the tar will change
+copy(__DIR__."/bug71391.tar", __DIR__."/bug71391.test.tar");
+$p = new PharData(__DIR__."/bug71391.test.tar");
+$p->delMetaData();
+?>
+DONE
+--CLEAN--
+<?php
+unlink(__DIR__."/bug71391.test.tar");
+?>
+--EXPECT--
+DONE
\ No newline at end of file
diff --git a/ext/phar/tests/bug71391.tar b/ext/phar/tests/bug71391.tar
new file mode 100644
index 0000000..a5b155a
Binary files /dev/null and b/ext/phar/tests/bug71391.tar differ
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment