Fix #79503: Memory leak on duplicate metadata

Duplicate metadata can only happen if someone tampers with the phar, so
we can and should treat that as error.

NEWS

@@ -22,6 +22,9 @@ PHP                                                                        NEWS
   . Fixed bug #79497 (stream_socket_client() throws an unknown error sometimes
     with <1s timeout). (Joe Cai)
 
+- Phar:
+  . Fix bug #79503 (Memory leak on duplicate metadata). (cmb)
+
 - Standard:
   . Fixed bug #79468 (SIGSEGV when closing stream handle with a stream filter
     appended). (dinosaur)

ext/phar/tar.c

@@ -181,9 +181,17 @@ static int phar_tar_process_metadata(phar_entry_info *entry, php_stream *fp) /*
 	}
 
 	if (entry->filename_len == sizeof(".phar/.metadata.bin")-1 && !memcmp(entry->filename, ".phar/.metadata.bin", sizeof(".phar/.metadata.bin")-1)) {
+		if (Z_TYPE(entry->phar->metadata) != IS_UNDEF) {
+			efree(metadata);
+			return FAILURE;
+		}
 		entry->phar->metadata = entry->metadata;
 		ZVAL_UNDEF(&entry->metadata);
 	} else if (entry->filename_len >= sizeof(".phar/.metadata/") + sizeof("/.metadata.bin") - 1 && NULL != (mentry = zend_hash_str_find_ptr(&(entry->phar->manifest), entry->filename + sizeof(".phar/.metadata/") - 1, entry->filename_len - (sizeof("/.metadata.bin") - 1 + sizeof(".phar/.metadata/") - 1)))) {
+		if (Z_TYPE(mentry->metadata) != IS_UNDEF) {
+			efree(metadata);
+			return FAILURE;
+		}
 		/* transfer this metadata to the entry it refers */
 		mentry->metadata = entry->metadata;
 		ZVAL_UNDEF(&entry->metadata);

ext/phar/tests/bug79503.phpt

@@ -0,0 +1,16 @@
+--TEST--
+Bug #79503 (Memory leak on duplicate metadata)
+--SKIPIF--
+<?php
+if (!extension_loaded('phar')) die('skip phar extension not available');
+?>
+--FILE--
+<?php
+try {
+    new Phar(__DIR__ . '/bug79503.phar');
+} catch (UnexpectedValueException $ex) {
+    echo $ex->getMessage();
+}
+?>
+--EXPECTF--
+phar error: tar-based phar "%s%ebug79503.phar" has invalid metadata in magic file ".phar/.metadata.bin"