From 4c2424eb24b0178456acc404dbfff528cdc44197 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Thu, 14 Jan 2016 22:58:40 -0800
Subject: [PATCH] Fixed bug #71331 - Uninitialized pointer in phar_make_dirstream()
---
 ext/phar/dirstream.c | 3 ++-
 ext/phar/tar.c | 2 +-
 ext/phar/tests/bug71331.phpt | 15 +++++++++++++++
 ext/phar/tests/bug71331.tar | Bin 0 -> 2560 bytes
 4 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 ext/phar/tests/bug71331.phpt
 create mode 100644 ext/phar/tests/bug71331.tar
diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c
index 05f37e695c..f843501b58 100644
--- a/ext/phar/dirstream.c
+++ b/ext/phar/dirstream.c
@@ -198,12 +198,13 @@ static php_stream *phar_make_dirstream(char *dir, HashTable *manifest TSRMLS_DC)
 zend_hash_internal_pointer_reset(manifest);
 while (FAILURE != zend_hash_has_more_elements(manifest)) {
+ keylen = 0;
 if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(manifest, &str_key, &keylen, &unused, 0, NULL)) {
 break;
 }
 if (keylen <= (uint)dirlen) {
- if (keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
+ if (keylen == 0 || keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
 if (SUCCESS != zend_hash_move_forward(manifest)) {
 break;
 }
diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index 2eb1a23676..5d121cb030 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -348,7 +348,7 @@ bail:
 entry.filename_len = entry.uncompressed_filesize;
 /* Check for overflow - bug 61065 */
- if (entry.filename_len == UINT_MAX) {
+ if (entry.filename_len == UINT_MAX || entry.filename_len == 0) {
 if (error) {
 spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname);
 }
diff --git a/ext/phar/tests/bug71331.phpt b/ext/phar/tests/bug71331.phpt
new file mode 100644
index 0000000000..106fd540fc
--- /dev/null
+++ b/ext/phar/tests/bug71331.phpt
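Review bot: In the ext/phar/dirstream.c hunk, `str_key` is still never given a defined value when the current manifest key is not a string. The patch keeps it away from `strncmp()` only indirectly, through the `keylen = 0;` reset and the new `keylen == 0` test. The return value of `zend_hash_get_current_key_ex()` is compared only against `HASH_KEY_NON_EXISTENT`; storing it and skipping the entry unless it equals `HASH_KEY_IS_STRING` would state the intent directly and would not depend on the callee leaving `keylen` untouched. If the sentinel approach stays, a comment above the reset such as `/* keylen is not written for non-string keys; 0 marks str_key as invalid */` would keep a later refactor from dropping it. The loop body continues outside the hunk, so any other reads of `str_key` there should be checked against the same condition.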
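Review bot: In the ext/phar/tar.c hunk, the comment above the changed condition still says only `/* Check for overflow - bug 61065 */`, although the test now also rejects a zero-length name. Something like `/* Check for overflow (bug 61065) and for an empty name (bug 71331) */` would record why the second comparison exists. The check covers only the path where `entry.filename_len` is taken from `entry.uncompressed_filesize`. Whether other paths that fill the entry name can also produce a zero length is not visible in this hunk and is worth confirming, since the dirstream.c guard is the only other protection the patch adds.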
@@ -0,0 +1,15 @@ +--TEST-- +Bug #71331 (Uninitialized pointer in phar_make_dirstream()) +--SKIPIF-- + +--FILE-- + +DONE +--EXPECTF-- +Fatal error: Uncaught exception 'UnexpectedValueException' with message 'phar error: "%s/bug71331.tar" is a corrupted tar file (invalid entry size)' in %s/bug71331.php:2 +Stack trace: +#0 %s/bug71331.php(2): PharData->__construct('%s') +#1 {main} + thrown in %s/bug71331.php on line 2 \ No newline at end of file diff --git a/ext/phar/tests/bug71331.tar b/ext/phar/tests/bug71331.tar new file mode 100644 index 0000000000000000000000000000000000000000..14eec28781e13d24cd0f9aed19b6c15949e34be5 GIT binary patch literal 2560 zcmeH{OA5m<3`D)|DSU&v)mVXY$-tj}Ose*EwAus+qU%ZyWu!oRVvN7(rX zM9=&aIk10W(mDS*-vpOS=w|~h|4V+q)E><_CnDj`daFJE_5TOXKVb^iPk9+d*TF*P N`9FA@m)*%W@CCUIE3g0n literal 0 HcmV?d00001 -- 2.50.1