From cd1101e8c87aa175c2d5e87ddec656e50ef4ab5d Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Mon, 29 Jul 2019 16:08:03 +0200 Subject: [PATCH] Fix #77919: Potential UAF in Phar RSHUTDOWN We have to properly clean up in case phar_flush() is failing. We also make the expectation of the respective test case less liberal to avoid missing such bugs in the future. --- NEWS | 3 +++ ext/phar/phar_object.c | 4 +++- ext/phar/tests/bug71488.phpt | 5 ++++- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index f2e22b62b6..72e26f5924 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,9 @@ PHP NEWS (CVE-2019-11042) (Stas) . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041) (Stas) + +- Phar: + . Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN). (cmb) 30 May 2019, PHP 7.1.30 diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c index 6bd5c1dc33..c1ba97a195 100644 --- a/ext/phar/phar_object.c +++ b/ext/phar/phar_object.c @@ -2037,7 +2037,7 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext, ze char *newname = NULL, *newpath = NULL; zval ret, arg1; zend_class_entry *ce; - char *error; + char *error = NULL; const char *pcr_error; int ext_len = ext ? strlen(ext) : 0; size_t new_len, oldname_len; @@ -2205,6 +2205,8 @@ its_ok: phar_flush(phar, 0, 0, 1, &error); if (error) { + zend_hash_str_del(&(PHAR_G(phar_fname_map)), newpath, phar->fname_len); + *sphar = NULL; zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "%s", error); efree(error); efree(oldpath); diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt index 9c58d89488..7f8f6c00af 100644 --- a/ext/phar/tests/bug71488.phpt +++ b/ext/phar/tests/bug71488.phpt @@ -15,4 +15,7 @@ DONE ?> --EXPECTF-- Fatal error: Uncaught BadMethodCallException: tar-based phar "%s/bug71488.test" cannot be created, link "%s" is too long for format in %sbug71488.php:%d -Stack trace:%A \ No newline at end of file +Stack trace: +#0 %s(%d): PharData->decompress('test') +#1 {main} + thrown in %s on line %d -- 2.40.0