MFPHP5: fix Bug #46032: PharData::__construct wrong memory read

diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index db82767e4f6216f6e07c00ca0e694593303d83f8..a2d00cec94a12de5fa6f499d324987566e31d743 100755 (executable)
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -1165,10 +1165,10 @@ PHP_METHOD(Phar, __construct)
                return;
        }
 
+       save_fname = fname;
        if (SUCCESS == phar_split_fname(fname, fname_len, &arch, &arch_len, &entry, &entry_len, !is_data, 2 TSRMLS_CC)) {
                /* use arch (the basename for the archive) for fname instead of fname */
                /* this allows support for RecursiveDirectoryIterator of subdirectories */
-               save_fname = fname;
 #ifdef PHP_WIN32
                phar_unixify_path_separators(arch, arch_len);
 #endif
@@ -1178,7 +1178,6 @@ PHP_METHOD(Phar, __construct)
        } else {
                arch = estrndup(fname, fname_len);
                arch_len = fname_len;
-               save_fname = fname;
                fname = arch;
                phar_unixify_path_separators(arch, arch_len);
 #endif
@@ -1186,7 +1185,7 @@ PHP_METHOD(Phar, __construct)
 
        if (phar_open_or_create_filename(fname, fname_len, alias, alias_len, is_data, REPORT_ERRORS, &phar_data, &error TSRMLS_CC) == FAILURE) {
 
-               if (fname == arch) {
+               if (fname == arch && fname != save_fname) {
                        efree(arch);
                        fname = save_fname;
                }

diff --git a/ext/phar/tests/bug46032.phpt b/ext/phar/tests/bug46032.phpt
new file mode 100644 (file)
index 0000000..be42b04
--- /dev/null
+++ b/ext/phar/tests/bug46032.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Phar: bug #46032: PharData::__construct wrong memory read
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+<?php if (getenv('SKIP_SLOW_TESTS')) die('skip'); ?>
+--FILE--
+<?php
+
+$a = __DIR__ .'/mytest';
+
+try {
+       new phar($a);
+} catch (exception $e) { }
+
+var_dump($a);
+
+try {
+       new phar($a);
+} catch (exception $e) { }
+
+var_dump($a);
+
+new phardata('0000000000000000000');
+?>
+===DONE===
+--EXPECTF--
+string(%d) "%smytest"
+string(%d) "%smytest"
+
+Fatal error: Uncaught exception 'UnexpectedValueException' with message 'Cannot create phar '0000000000000000000', file extension (or combination) not recognised' in %sbug46032.php:%d
+Stack trace:
+#0 /home/cellog/workspace/php5/ext/phar/tests/bug46032.php(%d): PharData->__construct('000000000000000...')
+#1 {main}
+  thrown in %sbug46032.php on line %d

diff --git a/ext/phar/util.c b/ext/phar/util.c
index 0723cd2508fb9046c55c7aad12e60716ba14cd51..573bd42a2d093b09748e81454fd9efa28d4e8fc8 100644 (file)
--- a/ext/phar/util.c
+++ b/ext/phar/util.c
@@ -1186,6 +1186,10 @@ int phar_free_alias(phar_archive_data *phar, char *alias, int alias_len TSRMLS_D
 }
 /* }}} */
 
+static int phar_retrieve_apc(fname, fname_len, archive)
+{
+}
+
 /**
  * Looks up a phar archive in the filename map, connecting it to the alias
  * (if any) or returns null
@@ -1381,11 +1385,18 @@ realpath_success:
 
                        return SUCCESS;
                }
+<<<<<<< util.c
+               if (SUCCESS == phar_retrieve_apc(fname, fname_len, archive)) {
+                       efree(my_realpath);
+                       return SUCCESS;
+               }
+=======
 
                if (PHAR_G(manifest_cached) && SUCCESS == zend_hash_quick_find(&cached_phars, fname, fname_len, fhash, (void**)&fd_ptr)) {
                        goto realpath_success;
                }
 
+>>>>>>> 1.60
                efree(my_realpath);
        }