diff --git a/NEWS b/NEWS index ba45d98c377..844c2851013 100644 --- a/NEWS +++ b/NEWS @@ -13,6 +13,10 @@ PHP NEWS . Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). (Arnaud) +- Phar: + . Fixed bug GH-20442 (Phar does not respect case-insensitiveness of + __halt_compiler() when reading stub). (ndossche, TimWolla) + - Standard: . Fix memory leak in array_diff() with custom type checks. (ndossche) diff --git a/ext/phar/phar.c b/ext/phar/phar.c index a9aff9489df..aa9a8821d8e 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -1590,35 +1590,6 @@ int phar_open_from_filename(char *fname, size_t fname_len, char *alias, size_t a } /* }}}*/ -static inline char *phar_strnstr(const char *buf, size_t buf_len, const char *search, size_t search_len) /* {{{ */ -{ - const char *c; - ptrdiff_t so_far = 0; - - if (buf_len < search_len) { - return NULL; - } - - c = buf - 1; - - do { - if (!(c = memchr(c + 1, search[0], buf_len - search_len - so_far))) { - return (char *) NULL; - } - - so_far = c - buf; - - if (so_far >= (buf_len - search_len)) { - return (char *) NULL; - } - - if (!memcmp(c, search, search_len)) { - return (char *) c; - } - } while (1); -} -/* }}} */ - /** * Scan an open fp for the required __HALT_COMPILER(); ?> token and verify * that the manifest is proper, then pass it to phar_parse_pharfile(). SUCCESS @@ -1630,7 +1601,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char static const char zip_magic[] = "PK\x03\x04"; static const char gz_magic[] = "\x1f\x8b\x08"; static const char bz_magic[] = "BZh"; - char *pos, test = '\0'; + const char *pos; + char test = '\0'; int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion const int window_size = 1024; char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */ 
@@ -1779,14 +1751,14 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char } if (got >= 512) { - if (phar_is_tar(pos, fname)) { + if (phar_is_tar((char *) pos, fname)) { /* TODO: fix const correctness */ php_stream_rewind(fp); return phar_parse_tarfile(fp, fname, fname_len, alias, alias_len, pphar, is_data, compression, error); } } } - if (got > 0 && (pos = phar_strnstr(buffer, got + sizeof(token), token, sizeof(token)-1)) != NULL) { + if (got > 0 && (pos = php_memnistr(buffer, token, tokenlen, buffer + got + sizeof(token))) != NULL) { halt_offset += (pos - buffer); /* no -tokenlen+tokenlen here */ return phar_parse_pharfile(fp, fname, fname_len, alias, alias_len, halt_offset, pphar, compression, error); } diff --git a/ext/phar/tests/files/gh20442.phar b/ext/phar/tests/files/gh20442.phar new file mode 100644 index 00000000000..26fac67ede5 Binary files /dev/null and b/ext/phar/tests/files/gh20442.phar differ diff --git a/ext/phar/tests/gh20442.phpt b/ext/phar/tests/gh20442.phpt new file mode 100644 index 00000000000..e6862f3d33d --- /dev/null +++ b/ext/phar/tests/gh20442.phpt @@ -0,0 +1,18 @@ +--TEST-- +GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub) +--EXTENSIONS-- +phar +--FILE-- +count()); +var_dump($phar->getStub()); + +?> +--EXPECT-- +int(1) +string(50) " +"
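Review bot: The end pointer given to `php_memnistr()` in the `got > 0` check reuses the old `got + sizeof(token)` length, but the removed `phar_strnstr()` returned NULL once `so_far >= buf_len - search_len`, so it never compared the last byte of that range, and the new call can. If the stream read fills `buffer` starting at `buffer + tokenlen` (the read is outside this hunk, so this needs confirming), then `buffer[got + tokenlen]` lies past the bytes just read and may be stale or never written. The halt offset of an untrusted archive should not depend on that byte. Bounding the search by the needle length would keep the old effective range: `php_memnistr(buffer, token, tokenlen, buffer + got + tokenlen)`. The added phpt expects a 50-byte stub, so it would not exercise a token ending at the edge of the 1024-byte window; a second fixture for that case would pin the boundary.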