phar: Fix memleak+UAF when opening temp stream in buildFromDirectory() fails

Obvious memleak, but can also cause a UAF depending on destruction ordering with lingering PCRE regex instances in the SPL objects. Closes GH-20157.
2026-03-24 00:02:20 +01:00 · 2025-10-13 00:15:14 +02:00
parent b529c77094
commit 5a7c84f274
2 changed files with 6 additions and 0 deletions
--- a/2
+++ b/2
@@ -31,6 +31,8 @@ PHP                                                                        NEWS
  . Fix a bunch of memory leaks in phar_parse_zipfile() error handling.
    (nielsdos)
  . Fix file descriptor/memory leak when opening central fp fails. (nielsdos)
+  . Fix memleak+UAF when opening temp stream in buildFromDirectory() fails.
+    (nielsdos)

 - Random:
  . Fix Randomizer::__serialize() w.r.t. INDIRECTs. (nielsdos)
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -1784,6 +1784,10 @@ PHP_METHOD(Phar, buildFromDirectory)
 	pass.ret = return_value;
 	pass.fp = php_stream_fopen_tmpfile();
 	if (pass.fp == NULL) {
+		zval_ptr_dtor(&iteriter);
+		if (apply_reg) {
+			zval_ptr_dtor(&regexiter);
+		}
 		zend_throw_exception_ex(phar_ce_PharException, 0, "phar \"%s\" unable to create temporary file", phar_obj->archive->fname);
 		RETURN_THROWS();
 	}