Fix GH-10370: File corruption in _php_stream_copy_to_stream_ex when using copy_file_range

nielsdos · nielsdos · commit 45fbb898f827 · 2023-01-24T22:38:29.000+01:00
copy_file_range can return early without copying all the data. This is
legal behaviour and worked properly, unless the mmap fallback was used.
The mmap fallback would read too much data into the destination,
corrupting the destination file. Furthermore, if the mmap fallback would
fail and have to fallback to the regular file copying mechanism, a
similar issue would occur because both maxlen and haveread are modified.
Furthermore, there was a mmap-resource in one of the failure paths of
the mmap fallback code.
This patch fixes these issues. This also adds regression tests using the
new copy_file_range early-return simulation added in the previous
commit.
diff --git a/ext/zend_test/tests/gh10370.tar b/ext/zend_test/tests/gh10370.tar
diff --git a/ext/zend_test/tests/gh10370_1.phpt b/ext/zend_test/tests/gh10370_1.phpt
@@ -0,0 +1,29 @@
+--TEST--
+GH-10370: File corruption in _php_stream_copy_to_stream_ex when using copy_file_range - partial copy
+--EXTENSIONS--
+zend_test
+phar
+--SKIPIF--
+<?php
+if (PHP_OS != 'Linux') {
+    die('skip For Linux only');
+}
+?>
+--INI--
+zend_test.limit_copy_file_range=3584
+--FILE--
+<?php
+/* Note: the value 3584 is chosen so that the mmap in _php_stream_copy_to_stream_ex() will mmap
+ *       at an offset of a multiple of 4096, which is the standard page size in most Linux systems. */
+$archive = new PharData(__DIR__ . DIRECTORY_SEPARATOR . 'gh10370.tar');
+var_dump($archive->extractTo(__DIR__ . DIRECTORY_SEPARATOR . 'gh10370', ['testfile']));
+var_dump(sha1_file(__DIR__ . DIRECTORY_SEPARATOR . 'gh10370' . DIRECTORY_SEPARATOR . 'testfile'));
+?>
+--EXPECT--
+bool(true)
+string(40) "34e163be8e43c5631d8b92e9c43ab0bf0fa62b9c"
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'gh10370' . DIRECTORY_SEPARATOR . 'testfile');
+@rmdir(__DIR__ . DIRECTORY_SEPARATOR . 'gh10370');
+?>
diff --git a/ext/zend_test/tests/gh10370_2.phpt b/ext/zend_test/tests/gh10370_2.phpt
@@ -0,0 +1,30 @@
+--TEST--
+GH-10370: File corruption in _php_stream_copy_to_stream_ex when using copy_file_range - unlimited copy
+--EXTENSIONS--
+zend_test
+--SKIPIF--
+<?php
+if (PHP_OS != 'Linux') {
+    die('skip For Linux only');
+}
+?>
+--INI--
+zend_test.limit_copy_file_range=4096
+--FILE--
+<?php
+/* Note: the value 4096 is chosen so that the mmap in _php_stream_copy_to_stream_ex() will mmap
+ *       at an offset of a multiple of 4096, which is the standard page size in most Linux systems. */
+$input_file = fopen(__DIR__ . DIRECTORY_SEPARATOR . 'gh10370.tar', 'r');
+file_put_contents(__DIR__ . DIRECTORY_SEPARATOR . 'gh10370_out.tar', $input_file);
+fclose($input_file);
+
+var_dump(sha1_file(__DIR__ . DIRECTORY_SEPARATOR . 'gh10370.tar'));
+var_dump(sha1_file(__DIR__ . DIRECTORY_SEPARATOR . 'gh10370_out.tar'));
+?>
+--EXPECT--
+string(40) "04929d1dee68551c74f5c9809691040d16ba854b"
+string(40) "04929d1dee68551c74f5c9809691040d16ba854b"
+--CLEAN--
+<?php
+@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'gh10370_out.tar');
+?>
diff --git a/main/streams/streams.c b/main/streams/streams.c
@@ -1634,8 +1634,21 @@ PHPAPI zend_result _php_stream_copy_to_stream_ex(php_stream *src, php_stream *de
 		char *p;
 
 		do {
-			size_t chunk_size = (maxlen == 0 || maxlen > PHP_STREAM_MMAP_MAX) ? PHP_STREAM_MMAP_MAX : maxlen;
-			size_t mapped;
+			/* We must not modify maxlen here, because otherwise the file copy fallback below can fail */
+			size_t chunk_size, must_read, mapped;
+			if (maxlen == 0) {
+				/* Unlimited read */
+				must_read = chunk_size = PHP_STREAM_MMAP_MAX;
+			} else {
+				must_read = maxlen - haveread;
+				if (must_read >= PHP_STREAM_MMAP_MAX) {
+					chunk_size = PHP_STREAM_MMAP_MAX;
+				} else {
+					/* In case the length we still have to read from the file could be smaller than the file size,
+					 * chunk_size must not get bigger the size we're trying to read. */
+					chunk_size = must_read;
+				}
+			}
 
 			p = php_stream_mmap_range(src, php_stream_tell(src), chunk_size, PHP_STREAM_MAP_MODE_SHARED_READONLY, &mapped);
 
@@ -1650,6 +1663,7 @@ PHPAPI zend_result _php_stream_copy_to_stream_ex(php_stream *src, php_stream *de
 				didwrite = php_stream_write(dest, p, mapped);
 				if (didwrite < 0) {
 					*len = haveread;
+					php_stream_mmap_unmap(src);
 					return FAILURE;
 				}
 
@@ -1666,9 +1680,10 @@ PHPAPI zend_result _php_stream_copy_to_stream_ex(php_stream *src, php_stream *de
 				if (mapped < chunk_size) {
 					return SUCCESS;
 				}
+				/* If we're not reading as much as possible, so a bounded read */
 				if (maxlen != 0) {
-					maxlen -= mapped;
-					if (maxlen == 0) {
+					must_read -= mapped;
+					if (must_read == 0) {
 						return SUCCESS;
 					}
 				}
