Skip to content

Commit f590df4

Browse files
committed
Merge branch 'PHP-8.3'
* PHP-8.3: Fix GH-13833: Applying zero offset to null pointer in zend_hash.c
2 parents 376061e + b1a6832 commit f590df4

File tree

3 files changed

+68
-20
lines changed

3 files changed

+68
-20
lines changed

ext/phar/phar.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1090,6 +1090,9 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, size_t fname_len, ch
10901090

10911091
mydata = pecalloc(1, sizeof(phar_archive_data), PHAR_G(persist));
10921092
mydata->is_persistent = PHAR_G(persist);
1093+
HT_INVALIDATE(&mydata->manifest);
1094+
HT_INVALIDATE(&mydata->mounted_dirs);
1095+
HT_INVALIDATE(&mydata->virtual_dirs);
10931096

10941097
/* check whether we have meta data, zero check works regardless of byte order */
10951098
SAFE_PHAR_GET_32(buffer, endbuffer, len);

ext/phar/tests/gh13833.phpt

Lines changed: 32 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -1,33 +1,45 @@
11
--TEST--
2-
GH-13836 (Renaming a file in a Phar to an already existing filename causes a NULL pointer dereference)
3-
--EXTENSIONS--
4-
phar
2+
GH-13833 (Applying zero offset to null pointer in zend_hash.c)
53
--INI--
64
phar.require_hash=0
75
phar.readonly=0
86
--FILE--
97
<?php
10-
$fname = __DIR__ . '/gh13836.phar';
8+
$fname = __DIR__ . '/gh13833.phar';
9+
$pname = 'phar://' . $fname;
10+
$file = "<?php
11+
Phar::mapPhar('hio');
12+
__HALT_COMPILER(); ?>";
13+
$files = array();
14+
$files['a'] = 'a';
15+
include 'files/phar_test.inc';
16+
include $fname;
1117

12-
$phar = new Phar($fname, 0, 'a.phar');
13-
$phar['x'] = 'hi1';
14-
$phar['y'] = 'hi2';
18+
$file = "<?php __HALT_COMPILER(); ?>";
19+
$files['a'] = array('cont' => 'a');
20+
include 'files/phar_test.inc';
1521

16-
var_dump(rename("phar://a.phar/x", "phar://a.phar/y"));
17-
18-
var_dump(isset($phar['x']));
19-
var_dump($phar['y']);
22+
$phar = new Phar($fname);
23+
$phar->setMetadata((object) ['my' => 'friend']);
24+
// NOTE: Phar will use the cached value of metadata if setMetaData was called on that Phar path before.
25+
// Save the writes to the phar and use a different file path.
26+
$fname_new = "$fname.copy.phar";
27+
copy($fname, $fname_new);
28+
try {
29+
new Phar($fname_new);
30+
} catch (UnexpectedValueException $e) {
31+
echo $e->getMessage(), "\n";
32+
}
2033
?>
34+
--EXTENSIONS--
35+
phar
2136
--CLEAN--
2237
<?php
23-
unlink(__DIR__ . '/gh13836.phar');
38+
unlink(__DIR__ . '/gh13833.phar');
39+
unlink(__DIR__ . '/gh13833.phar.copy.phar');
2440
?>
41+
--CREDITS--
42+
Yuancheng Jiang <yuancheng@comp.nus.edu.sg>
43+
Felix De Vliegher <felix.devliegher@gmail.com>
2544
--EXPECTF--
26-
bool(true)
27-
bool(false)
28-
object(PharFileInfo)#2 (2) {
29-
["pathName":"SplFileInfo":private]=>
30-
string(%d) "phar://%sgh13836.phar/y"
31-
["fileName":"SplFileInfo":private]=>
32-
string(1) "y"
33-
}
45+
internal corruption of phar "%sgh13833.phar.copy.phar" (trying to read past buffer end)

ext/phar/tests/gh13836.phpt

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
--TEST--
2+
GH-13836 (Renaming a file in a Phar to an already existing filename causes a NULL pointer dereference)
3+
--EXTENSIONS--
4+
phar
5+
--INI--
6+
phar.require_hash=0
7+
phar.readonly=0
8+
--FILE--
9+
<?php
10+
$fname = __DIR__ . '/gh13836.phar';
11+
12+
$phar = new Phar($fname, 0, 'a.phar');
13+
$phar['x'] = 'hi1';
14+
$phar['y'] = 'hi2';
15+
16+
var_dump(rename("phar://a.phar/x", "phar://a.phar/y"));
17+
18+
var_dump(isset($phar['x']));
19+
var_dump($phar['y']);
20+
?>
21+
--CLEAN--
22+
<?php
23+
unlink(__DIR__ . '/gh13836.phar');
24+
?>
25+
--EXPECTF--
26+
bool(true)
27+
bool(false)
28+
object(PharFileInfo)#2 (2) {
29+
["pathName":"SplFileInfo":private]=>
30+
string(%d) "phar://%sgh13836.phar/y"
31+
["fileName":"SplFileInfo":private]=>
32+
string(1) "y"
33+
}

0 commit comments

Comments
 (0)