From: Greg Beaver <cellog@php.net>
Date: Sat, 19 Apr 2008 05:30:48 +0000 (+0000)
Subject: new test for corrupted zip with mis-matched entry counts, and fix memleaks in this... 
X-Git-Tag: RELEASE_2_0_0b1~328
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=531caa6393e4d0a8e1f2e9578b63c13a9cd06c0f;p=php

new test for corrupted zip with mis-matched entry counts, and fix memleaks in this test case
---

diff --git a/ext/phar/tests/zip/files/corrupt_count1.php.inc b/ext/phar/tests/zip/files/corrupt_count1.php.inc
new file mode 100644
index 0000000000..59017d6030
--- /dev/null
+++ b/ext/phar/tests/zip/files/corrupt_count1.php.inc
@@ -0,0 +1,8 @@
+<?php
+include dirname(__FILE__) . '/corrupt_zipmaker.php.inc';
+$a = new corrupt_zipmaker;
+$a->addFile('hi', null, 'hii');
+$a->addFile('hi2', null, 'hii2');
+$a->writeZip(dirname(__FILE__) . '/count1.zip', 'count1');
+$a->writeZip(dirname(__FILE__) . '/count2.zip', 'count2');
+?>
diff --git a/ext/phar/tests/zip/files/count1.zip b/ext/phar/tests/zip/files/count1.zip
new file mode 100644
index 0000000000..3b9577229a
Binary files /dev/null and b/ext/phar/tests/zip/files/count1.zip differ
diff --git a/ext/phar/tests/zip/files/count2.zip b/ext/phar/tests/zip/files/count2.zip
new file mode 100644
index 0000000000..8dfd82e540
Binary files /dev/null and b/ext/phar/tests/zip/files/count2.zip differ
diff --git a/ext/phar/zip.c b/ext/phar/zip.c
index 29e4bbbe4a..4581676f9e 100644
--- a/ext/phar/zip.c
+++ b/ext/phar/zip.c
@@ -158,6 +158,9 @@ int phar_open_zipfile(php_stream *fp, char *fname, int fname_len, char *alias, i
 		size = sizeof(locator) + 65536;
 		if (FAILURE == php_stream_seek(fp, -size, SEEK_END)) {
 			php_stream_close(fp);
+			if (error) {
+				spprintf(error, 4096, "phar error: unable to search for end of central directory in zip-based phar \"%s\"", fname);
+			}
 			return FAILURE;
 		}
 	} else {
@@ -165,6 +168,9 @@ int phar_open_zipfile(php_stream *fp, char *fname, int fname_len, char *alias, i
 	}
 	if (!(read = php_stream_read(fp, buf, size))) {
 		php_stream_close(fp);
+		if (error) {
+			spprintf(error, 4096, "phar error: unable to read in data to search for end of central directory in zip-based phar \"%s\"", fname);
+		}
 		return FAILURE;
 	}
 	while ((p=(char *) memchr(p + 1, 'P', (size_t)(buf - (p+1) + sizeof(locator) + 65536 - 4 + 1))) != NULL) {
@@ -174,11 +180,24 @@ int phar_open_zipfile(php_stream *fp, char *fname, int fname_len, char *alias, i
 		}
 	}
 	php_stream_close(fp);
+	if (error) {
+		spprintf(error, 4096, "phar error: end of central directory not found in zip-based phar \"%s\"", fname);
+	}
 	return FAILURE;
 foundit:
 	if (locator.centraldisk != 0 || locator.disknumber != 0) {
 		/* split archives not handled */
 		php_stream_close(fp);
+		if (error) {
+			spprintf(error, 4096, "phar error: split archives spanning multiple zips cannot be processed in zip-based phar \"%s\"", fname);
+		}
+		return FAILURE;
+	}
+	if (locator.counthere != locator.count) {
+		if (error) {
+			spprintf(error, 4096, "phar error: corrupt zip archive, conflicting file count in end of central directory record in zip-based phar \"%s\"", fname);
+		}
+		php_stream_close(fp);
 		return FAILURE;
 	}
 	mydata = ecalloc(sizeof(phar_archive_data), 1);