Commitcd1101e

cmb69

authored and

smalyshev

committed

Fix #77919: Potential UAF in Phar RSHUTDOWN

We have to properly clean up in case phar_flush() is failing.We also make the expectation of the respective test case less liberalto avoid missing such bugs in the future.

1 parent42e8b85 commitcd1101eCopy full SHA for cd1101e

File tree

3 files changed

+10

-2

lines changed

NEWS
ext/phar
- phar_object.c
- tests
  - bug71488.phpt

3 files changed

+10

-2

lines changed

`‎NEWS‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,9 @@ PHP NEWS`
`10`	`10`	`(CVE-2019-11042) (Stas)`
`11`	`11`	`. Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail).`
`12`	`12`	`(CVE-2019-11041) (Stas)`
	`13`	`+`
	`14`	`+- Phar:`
	`15`	`+ . Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN). (cmb)`
`13`	`16`
`14`	`17`	`30 May 2019, PHP 7.1.30`
`15`	`18`

`‎ext/phar/phar_object.c‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -2037,7 +2037,7 @@ static zend_object phar_rename_archive(phar_archive_data sphar, char ext, ze`
`2037`	`2037`	`charnewname=NULL,newpath=NULL;`
`2038`	`2038`	`zvalret,arg1;`
`2039`	`2039`	`zend_class_entry*ce;`
`2040`		`-char*error;`
	`2040`	`+char*error=NULL;`
`2041`	`2041`	`constchar*pcr_error;`
`2042`	`2042`	`intext_len=ext ?strlen(ext) :0;`
`2043`	`2043`	`size_tnew_len,oldname_len;`
`@@ -2205,6 +2205,8 @@ static zend_object phar_rename_archive(phar_archive_data sphar, char ext, ze`
`2205`	`2205`	`phar_flush(phar,0,0,1,&error);`
`2206`	`2206`
`2207`	`2207`	`if (error) {`
	`2208`	`+zend_hash_str_del(&(PHAR_G(phar_fname_map)),newpath,phar->fname_len);`
	`2209`	`+*sphar=NULL;`
`2208`	`2210`	`zend_throw_exception_ex(spl_ce_BadMethodCallException,0,"%s",error);`
`2209`	`2211`	`efree(error);`
`2210`	`2212`	`efree(oldpath);`

`‎ext/phar/tests/bug71488.phpt‎`

Lines changed: 4 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -15,4 +15,7 @@ DONE`
`15`	`15`	`?>`
`16`	`16`	`--EXPECTF--`
`17`	`17`	`Fatal error: Uncaught BadMethodCallException: tar-based phar "%s/bug71488.test" cannot be created, link "%s" is too long for format in %sbug71488.php:%d`
`18`		`-Stack trace:%A`
	`18`	`+Stack trace:`
	`19`	`+#0 %s(%d): PharData->decompress('test')`
	`20`	`+#1 {main}`
	`21`	`+ thrown in %s on line %d`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitcd1101e

File tree

3 files changed

3 files changed

`‎NEWS‎`

`‎ext/phar/phar_object.c‎`

`‎ext/phar/tests/bug71488.phpt‎`

0 commit comments