ext/phar: Fix recently introduced potential NULL dereferencement segfaults (#11065)

Girgias · web-flow · commit aae20cd119c1 · 2023-04-12T17:05:03.000+01:00
diff --git a/ext/phar/func_interceptors.c b/ext/phar/func_interceptors.c
@@ -47,7 +47,7 @@ PHAR_FUNC(phar_opendir) /* {{{ */
 
 		/* we are checking for existence of a file within the relative path.  Chances are good that this is
 		   retrieving something from within the phar archive */
-		if (!zend_string_starts_with_literal_ci(fname, "phar://")) {
+		if (!fname || !zend_string_starts_with_literal_ci(fname, "phar://")) {
 			goto skip_phar;
 		}
 
@@ -96,7 +96,7 @@ static zend_string* phar_get_name_for_relative_paths(zend_string *filename, bool
 
 	/* we are checking for existence of a file within the relative path.  Chances are good that this is
 	   retrieving something from within the phar archive */
-	if (!zend_string_starts_with_literal_ci(fname, "phar://")) {
+	if (!fname || !zend_string_starts_with_literal_ci(fname, "phar://")) {
 		return NULL;
 	}
 
@@ -497,7 +497,7 @@ static void phar_file_stat(const char *filename, size_t filename_length, int typ
 
 		/* we are checking for existence of a file within the relative path.  Chances are good that this is
 		   retrieving something from within the phar archive */
-		if (!zend_string_starts_with_literal_ci(fname, "phar://")) {
+		if (!fname || !zend_string_starts_with_literal_ci(fname, "phar://")) {
 			goto skip_phar;
 		}
 
@@ -748,7 +748,7 @@ PHAR_FUNC(phar_is_file) /* {{{ */
 
 		/* we are checking for existence of a file within the relative path.  Chances are good that this is
 		   retrieving something from within the phar archive */
-		if (!zend_string_starts_with_literal_ci(fname, "phar://")) {
+		if (!fname || !zend_string_starts_with_literal_ci(fname, "phar://")) {
 			goto skip_phar;
 		}
 
@@ -814,7 +814,7 @@ PHAR_FUNC(phar_is_link) /* {{{ */
 
 		/* we are checking for existence of a file within the relative path.  Chances are good that this is
 		   retrieving something from within the phar archive */
-		if (!zend_string_starts_with_literal_ci(fname, "phar://")) {
+		if (!fname || !zend_string_starts_with_literal_ci(fname, "phar://")) {
 			goto skip_phar;
 		}
 
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
@@ -2324,17 +2324,17 @@ int phar_open_executed_filename(char *alias, size_t alias_len, char **error) /*
 
 	zend_string *fname = zend_get_executed_filename_ex();
 
-	if (phar_open_parsed_phar(ZSTR_VAL(fname), ZSTR_LEN(fname), alias, alias_len, 0, REPORT_ERRORS, NULL, 0) == SUCCESS) {
-		return SUCCESS;
-	}
-
-	if (zend_string_equals_literal(fname, "[no active file]")) {
+	if (!fname) {
 		if (error) {
 			spprintf(error, 0, "cannot initialize a phar outside of PHP execution");
 		}
 		return FAILURE;
 	}
 
+	if (phar_open_parsed_phar(ZSTR_VAL(fname), ZSTR_LEN(fname), alias, alias_len, 0, REPORT_ERRORS, NULL, 0) == SUCCESS) {
+		return SUCCESS;
+	}
+
 	if (0 == zend_get_constant_str("__COMPILER_HALT_OFFSET__", sizeof("__COMPILER_HALT_OFFSET__")-1)) {
 		if (error) {
 			spprintf(error, 0, "__HALT_COMPILER(); must be declared in a phar");
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
@@ -402,6 +402,9 @@ PHP_METHOD(Phar, running)
 	}
 
 	fname = zend_get_executed_filename_ex();
+	if (!fname) {
+		RETURN_EMPTY_STRING();
+	}
 
 	if (
 		zend_string_starts_with_literal_ci(fname, "phar://")
@@ -445,8 +448,13 @@ PHP_METHOD(Phar, mount)
 	}
 
 	zend_string *zend_file_name = zend_get_executed_filename_ex();
-	fname = ZSTR_VAL(zend_file_name);
-	fname_len = ZSTR_LEN(zend_file_name);
+	if (UNEXPECTED(!zend_file_name)) {
+		fname = "";
+		fname_len = 0;
+	} else {
+		fname = ZSTR_VAL(zend_file_name);
+		fname_len = ZSTR_LEN(zend_file_name);
+	}
 
 #ifdef PHP_WIN32
 	save_fname = fname;
@@ -577,6 +585,10 @@ PHP_METHOD(Phar, webPhar)
 	}
 
 	zend_string *zend_file_name = zend_get_executed_filename_ex();
+	if (UNEXPECTED(!zend_file_name)) {
+		return;
+	}
+
 	fname = ZSTR_VAL(zend_file_name);
 	fname_len = ZSTR_LEN(zend_file_name);
 
@@ -1298,7 +1310,8 @@ PHP_METHOD(Phar, unlinkArchive)
 	zend_string *zend_file_name = zend_get_executed_filename_ex();
 
 	if (
-		zend_string_starts_with_literal_ci(zend_file_name, "phar://")
+		zend_file_name
+		&& zend_string_starts_with_literal_ci(zend_file_name, "phar://")
 		&& SUCCESS == phar_split_fname(ZSTR_VAL(zend_file_name), ZSTR_LEN(zend_file_name), &arch, &arch_len, &entry, &entry_len, 2, 0)
 	) {
 		if (arch_len == fname_len && !memcmp(arch, fname, arch_len)) {
diff --git a/ext/phar/util.c b/ext/phar/util.c
@@ -257,6 +257,10 @@ zend_string *phar_find_in_include_path(zend_string *filename, phar_archive_data
 	}
 
 	zend_string *fname = zend_get_executed_filename_ex();
+	if (!fname) {
+		return NULL;
+	}
+
 	bool is_file_a_phar_wrapper = zend_string_starts_with_literal_ci(fname, "phar://");
 	size_t length_phar_protocol = strlen("phar://");
 

Original file line number	Diff line number	Diff line change
`@@ -257,6 +257,10 @@ zend_string phar_find_in_include_path(zend_string filename, phar_archive_data`
`257`	`257`	`}`
`258`	`258`
`259`	`259`	`zend_string *fname = zend_get_executed_filename_ex();`
	`260`	`+ if (!fname) {`
	`261`	`+ return NULL;`
	`262`	`+ }`
	`263`	`+`
`260`	`264`	`bool is_file_a_phar_wrapper = zend_string_starts_with_literal_ci(fname, "phar://");`
`261`	`265`	`size_t length_phar_protocol = strlen("phar://");`
`262`	`266`