From f6878b6ccfe9d7fb2d581d36232452d7de304be1 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Mon, 8 Sep 2025 18:48:43 +0200
Subject: [PATCH] Fix GH-19752: Phar decompression with invalid extension can cause UAF
The rename code can error out prior to the reassignment of the filename, which is why the test causes a crash. The rename code can also error out at a later point, which means it will have already assigned the new filename. We detect in which case we are in and act accordingly.
Closes GH-19761.
---
NEWS | 2 ++
ext/phar/phar_object.c | 6 +++++-
ext/phar/tests/gh19752.phpt | 13 +++++++++++++
3 files changed, 20 insertions(+), 1 deletion(-)
create mode 100644 ext/phar/tests/gh19752.phpt
diff --git a/NEWS b/NEWS
index 2ded7b11adc..b006f93e0c3 100644
--- a/NEWS
+++ b/NEWS
@@ -50,6 +50,8 @@ PHP NEWS
 . Fix memory leak in phar tar temporary file error handling code. (nielsdos)
 . Fix metadata leak when phar convert logic fails. (nielsdos)
 . Fix memory leak on failure in phar_convert_to_other(). (nielsdos)
+ . Fixed bug GH-19752 (Phar decompression with invalid extension
+ can cause UAF). (nielsdos)
 - Standard:
 . Fixed bug GH-16649 (UAF during array_splice). (alexandre-daubois)
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index e91ebd0735e..9f83fa991d4 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -2328,7 +2328,11 @@ no_copy:
 if (phar->fp) {
 php_stream_close(phar->fp);
 }
- efree(phar->fname);
+ if (phar->fname != source->fname) {
+ /* Depending on when phar_rename_archive() errors, the new filename
+ * may have already been assigned or it may still be the old one. */
+ efree(phar->fname);
+ }
 efree(phar);
 }
 return NULL;
diff --git a/ext/phar/tests/gh19752.phpt b/ext/phar/tests/gh19752.phpt
new file mode 100644
index 00000000000..0b236fff109
--- /dev/null
+++ b/ext/phar/tests/gh19752.phpt
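Review bot: The new `phar->fname != source->fname` guard in the phar_object.c error path uses pointer identity as the only signal of who owns the string, which closes the UAF (freeing a name still referenced by `source`) but stays correct only as long as the caller keeps aliasing `source->fname` verbatim and phar_rename_archive() only ever replaces it with a fresh allocation; neither invariant is stated where it matters. I would extend the added comment to name the contract explicitly, e.g. `/* phar->fname aliases source->fname until phar_rename_archive() reassigns it; only free a name this archive owns. */`, and put a matching note at the aliasing assignment so a future estrndup() there does not silently turn this check into a leak. A more robust shape would be for phar_rename_archive() to clean up on its own failure (free the name it allocated and restore or NULL `phar->fname`) so callers need not know how far it got. The enclosing function starts and ends outside this hunk, and the aliasing is inferred from the fix's own comment rather than from visible lines.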
@@ -0,0 +1,13 @@
+--TEST--
+GH-19752 (Phar decompression with invalid extension can cause UAF)
+--FILE--
+decompress("*");
+} catch (BadMethodCallException $e) {
+ echo $e->getMessage(), "\n";
+}
+?>
+--EXPECTF--
+data phar converted from "%sgh19752.1" has invalid extension *