From c34b452570f28f8a7b2806ef292bcbbdc047b69a Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Tue, 27 Sep 2022 17:43:40 +0200 Subject: [PATCH] Fix regression introduced by fixing bug 81726 When a tar phar is created, `phar_open_from_fp()` is also called, but since the file has just been created, none of the format checks can succeed, so we continue to loop, but must not check again for the format. Therefore, we bring back the old `test` variable. Closes GH-9620. --- ext/phar/phar.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ext/phar/phar.c b/ext/phar/phar.c index af540a520cc..2403d77aae9 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -1635,7 +1635,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char const char zip_magic[] = "PK\x03\x04"; const char gz_magic[] = "\x1f\x8b\x08"; const char bz_magic[] = "BZh"; - char *pos; + char *pos, test = '\0'; int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion const int window_size = 1024; char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */ @@ -1664,7 +1664,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)") } - if (recursion_count) { + if (!test && recursion_count) { + test = '\1'; pos = buffer+tokenlen; if (!memcmp(pos, gz_magic, 3)) { char err = 0; @@ -1724,6 +1725,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char compression = PHAR_FILE_COMPRESSED_GZ; /* now, start over */ + test = '\0'; if (!--recursion_count) { MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\""); break; @@ -1765,6 +1767,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char compression = PHAR_FILE_COMPRESSED_BZ2; /* now, start over */ + test = '\0'; if (!--recursion_count) { MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\""); break;