fix bug #60164 (Stubs of a specific length break phar_open_from_fp scanning for __HAL...
authorStanislav Malyshev <stas@php.net>
Sat, 19 Nov 2011 04:59:56 +0000 (04:59 +0000)
committerStanislav Malyshev <stas@php.net>
Sat, 19 Nov 2011 04:59:56 +0000 (04:59 +0000)
NEWS
ext/phar/phar.c
ext/phar/tests/bug60164.phpt [new file with mode: 0644]
ext/phar/tests/files/stuboflength1041.phar [new file with mode: 0644]
ext/phar/tests/files/stuboflength1041.phar.inc [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index ce53b99b6b10b820313cea76cefe812d6bcb7804..2c347f34587811347928ca1bbfc0c7118751c6b7 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -42,6 +42,8 @@ PHP                                                                        NEWS
     
 - Phar:
   . Fixed bug #60261 (NULL pointer dereference in phar). (Felipe)
+  . Fixed bug #60164 (Stubs of a specific length break phar_open_from_fp
+    scanning for __HALT_COMPILER). (Ralph Schindler)
 
 - Postgres:
   . Fixed bug #60244 (pg_fetch_* functions do not validate that row param 
index 24d8c428afc1731e6c5fe225b1215663356f551b..e201ca50d0427512879e2e7f3d3708d4baf391a7 100644 (file)
@@ -1569,7 +1569,9 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
        const char zip_magic[] = "PK\x03\x04";
        const char gz_magic[] = "\x1f\x8b\x08";
        const char bz_magic[] = "BZh";
-       char *pos, buffer[1024 + sizeof(token)], test = '\0';
+       char *pos, test = '\0';
+       const int window_size = 1024;
+       char buffer[window_size + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */
        const long readsize = sizeof(buffer) - sizeof(token);
        const long tokenlen = sizeof(token) - 1;
        long halt_offset;
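Review bot: `char buffer[window_size + sizeof(token)]` is a variable-length array in C, because a `const int` local is not an integer constant expression. Compilers without C99 VLA support will reject it, and `sizeof(buffer)` on the next line becomes a run-time evaluation. A compile-time constant keeps the array fixed-size: use `enum { window_size = 1024 };` (or a `#define`) instead of `const int window_size = 1024;`. The comment on the buffer line could also say that the extra `sizeof(token)` bytes hold the tail carried over from the previous window. phar_open_from_fp begins and ends outside this hunk.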
@@ -1717,7 +1719,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
                }
 
                halt_offset += got;
-               memmove(buffer, buffer + tokenlen, got + 1);
+               memmove(buffer, buffer + window_size, tokenlen); /* move the memory buffer by the size of the window */
        }
 
        MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (__HALT_COMPILER(); not found)")
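Review bot: The new `memmove` copies from the fixed offset `buffer + window_size`, which is the tail of the fresh data only when the preceding read returned exactly `window_size` bytes. The read call is outside this hunk, but `got` is evidently variable (`halt_offset += got`). If the stream can return a short read before EOF, the carried-over bytes would be stale data from an earlier iteration, and a `__HALT_COMPILER();` token straddling the boundary of an untrusted archive could be missed or matched against stale bytes. Assuming the read lands at `buffer + tokenlen`, `memmove(buffer, buffer + got, tokenlen);` ties the carry-over to what was actually read. The scanning loop starts outside the hunk.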
diff --git a/ext/phar/tests/bug60164.phpt b/ext/phar/tests/bug60164.phpt
new file mode 100644 (file)
index 0000000..8fd5de5
--- /dev/null
@@ -0,0 +1,21 @@
+--TEST--
+Phar: verify stub of specific length does not break __HALT_COMPILER(); scanning in php
+--SKIPIF--
+<?php
+if (!extension_loaded("phar")) die("skip");
+?>
+--INI--
+phar.require_hash=0
+phar.readonly=0
+--FILE--
+<?php
+$phar = __DIR__ . '/files/stuboflength1041.phar';
+foreach (new RecursiveIteratorIterator(new Phar($phar, null, 'stuboflength1041.phar')) as $item) {
+    var_dump($item->getFileName());
+}
+?>
+===DONE===
+--EXPECT--
+string(5) "a.php"
+string(5) "b.php"
+===DONE===
\ No newline at end of file
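Review bot: The test pins a single stub length (1041) through a checked-in binary, so a regression where the token straddles the scan window at a neighbouring offset would go unnoticed. Building the archive in the `--FILE--` section and looping over stub lengths on both sides of the 1024-byte window, with a `--CLEAN--` section removing the generated files, would cover the whole boundary. `phar.readonly=0` does not appear to be needed here, since the script only iterates an existing archive. A comment such as `// stub length chosen so __HALT_COMPILER(); crosses the 1024-byte scan window` above the `$phar` assignment would explain the magic number.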
diff --git a/ext/phar/tests/files/stuboflength1041.phar b/ext/phar/tests/files/stuboflength1041.phar
new file mode 100644 (file)
index 0000000..d90fb8f
Binary files /dev/null and b/ext/phar/tests/files/stuboflength1041.phar differ
diff --git a/ext/phar/tests/files/stuboflength1041.phar.inc b/ext/phar/tests/files/stuboflength1041.phar.inc
new file mode 100644 (file)
index 0000000..4a26a41
--- /dev/null
@@ -0,0 +1,42 @@
+<?php
+
+@unlink(__DIR__ . '/stuboflength1041.phar');
+
+$phar = new Phar('./stuboflength1041.phar');
+$phar['a.php'] = 'hi1';
+$phar['b.php'] = 'hi2';
+
+$phar->setStub('<?php
+/***stub of length 1041 including the halt compiler*********************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+*********************************************/
+__HALT_COMPILER();');
+<?php
+
+@unlink(__DIR__ . '/stuboflength1041.phar');
+
+$phar = new Phar('./stuboflength1041.phar');
+$phar['a.php'] = 'hi1';
+$phar['b.php'] = 'hi2';
+
+$phar->setStub('<?php
+/***stub of length 1041 including the halt compiler*********************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+************************************************************************************************
+*********************************************/
+__HALT_COMPILER();');
\ No newline at end of file
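Review bot: The generator script is present twice in this new file. The hunk header declares 42 added lines, and the second copy begins with a bare `<?php` directly after `__HALT_COMPILER();');` while the parser is already in PHP mode, which should be a syntax error if the file is ever run to regenerate the fixture. Dropping the second copy leaves the intended 21-line script. Separately, `@unlink(__DIR__ . '/stuboflength1041.phar');` and `new Phar('./stuboflength1041.phar')` resolve against different directories unless the script is run from its own folder. Using `__DIR__ . '/stuboflength1041.phar'` in both places, and an `is_file()` check instead of `@`, would make regeneration deterministic.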