mirror of https://github.com/php/php-src.git synced 2026-04-24 00:18:23 +02:00
Commit Graph

1678 Commits

Author SHA1 Message Date
Niels Dossche c395355728 Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix GH-19752: Phar decompression with invalid extension can cause UAF
2025-09-08 23:11:01 +02:00
Niels Dossche f6878b6ccf Fix GH-19752: Phar decompression with invalid extension can cause UAF
The rename code can error out prior to the reassignment of the filename,
which is why the test causes a crash.
The rename code can also error out at a later point,
which means it will have already assigned the new filename.
We detect which case we are in and act accordingly.

Closes GH-19761.
2025-09-08 23:10:33 +02:00
Niels Dossche 10a2a2a368 Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix memory leak on failure in phar_convert_to_other()
  Fix metadata leak when phar convert logic fails
2025-09-08 19:06:37 +02:00
Niels Dossche 98bb934685 Fix memory leak on failure in phar_convert_to_other()
Closes GH-19755.
2025-09-08 19:06:11 +02:00
Niels Dossche c50b37d231 Fix metadata leak when phar convert logic fails
Closes GH-19756.
2025-09-08 19:05:47 +02:00
Niels Dossche 3d52e925a1 Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix memory leak in phar tar temporary file error handling code
2025-09-07 13:05:07 +02:00
Niels Dossche 2f162214e8 Fix memory leak in phar tar temporary file error handling code
Closes GH-19740.
2025-09-07 13:04:19 +02:00
Gina Peter Banyard 20c274b688 Merge branch 'PHP-8.3' into PHP-8.4 2025-08-23 15:27:25 +02:00
Gina Peter Banyard f5a3a642c6 ext/phar: Fix memory leaks when verifying OpenSSL signature (#19563) 2025-08-23 14:25:42 +01:00
Ilija Tovilo 708d8e9cfd Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix "Constant already defined" warning with repeated inclusion of file with __halt_compiler()
2025-08-14 12:15:00 +02:00
Ilija Tovilo a3de2ce9ba Fix "Constant already defined" warning with repeated inclusion of file with __halt_compiler()
Fixes GH-18850
Closes GH-19471
2025-08-14 12:13:50 +02:00
Ilija Tovilo 74784a0d52 Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  [skip ci] Add missing zlib dep to phar compression test
2025-07-07 16:28:49 +02:00
Ilija Tovilo faa78313d9 [skip ci] Add missing zlib dep to phar compression test 2025-07-07 16:28:18 +02:00
Niels Dossche 2aeefb13be Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix phar crash and file corruption with SplFileObject
2025-07-05 21:44:34 +02:00
Niels Dossche 405be1c940 Fix phar crash and file corruption with SplFileObject
There are two bugfixes here.
The first was a crash that I discovered while working on GH-19035.
The check for when a file pointer was still occupied was wrong, leading
to a UAF. Strangely, zip got this right.

The second issue was that even after fixing the first one, the file
contents were garbage. This is because the file write offset for the
phar stream was wrong.

Closes GH-19038.
2025-07-05 21:44:12 +02:00
Niels Dossche 50a5a6f315 Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix stream double free in phar
2025-07-05 21:31:50 +02:00
Niels Dossche 32344c4dc4 Fix stream double free in phar
The copy function does two things wrong:
- The error recovery logic is a hack that temporarily moves the fp
  pointer to cfp, even though it's not compressed. The respective error
  recovery it talks about is not present in the code, nor is it
  necessary. This is the direct cause of the double free in the original
  reproducer. Fixing this makes it crash in another location though.
- The link following logic is inconsistent and illogical. It cannot be a
  link at this point.

The root cause, after fixing the above issues, is that the file pointers
are not reset properly for the copy. The file pointers need to be the
original ones to perform the copy from the right source, but after that
they need to be set properly to NULL (because fp_type == PHAR_FP).

Closes GH-19035.

Co-authored-by: Yun Dou <dixyes@gmail.com>
2025-07-05 21:31:28 +02:00
Niels Dossche d6ed107510 Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix GH-18642: Signed integer overflow in ext/phar fseek
2025-05-28 18:54:15 +02:00
Niels Dossche 61884c3b52 Fix GH-18642: Signed integer overflow in ext/phar fseek
The overflow checking code already existed, but didn't work because the
math was done on signed numbers instead of unsigned numbers.
In the process I also discovered a pre-existing issue that needs to be
fixed (and seems that other stream wrappers can have this issue too).

Closes GH-18644.
2025-05-28 18:53:55 +02:00
Niels Dossche f9785c230c Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Add missing filter cleanups on phar failure
2025-05-21 19:48:20 +02:00
Niels Dossche 910aeaafc1 Add missing filter cleanups on phar failure
Closes GH-18609.
2025-05-21 19:47:14 +02:00
Niels Dossche d6c3079910 Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  [ci skip] Fix GH-17808 dependencies
2025-02-16 00:17:06 +01:00
Niels Dossche 3e879f3dd5 [ci skip] Fix GH-17808 dependencies 2025-02-16 00:16:57 +01:00
Niels Dossche 5d8ea65f43 Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix GH-17808: PharFileInfo refcount bug
2025-02-15 13:16:33 +01:00
Niels Dossche e735d2bc3b Fix GH-17808: PharFileInfo refcount bug
PharFileInfo just takes a pointer from the manifest without refcounting
anything. If the entry is then removed from the manifest while the
PharFileInfo object still exists, we get a UAF.
We fix this by using the fp_refcount field. This is technically a
behaviour change as the unlinking is now blocked, and potentially file
modifications can be blocked as well. The alternative would be to have a
field that indicates whether deletion is blocked, but similar corruption
bugs may occur as well with file overwrites, so we increment fp_refcount
instead.
This also fixes an issue where a destructor called multiple times
resulted in a UAF as well, by moving the NULL'ing of the entry field out
of the if.

Closes GH-17811.
2025-02-15 13:15:51 +01:00
Ilija Tovilo d3101fb420 Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  [skip ci] Another flaky phar macOS test
2025-02-04 14:52:31 +01:00
Ilija Tovilo 88e1917cb7 Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  [skip ci] Another flaky phar macOS test
2025-02-04 14:52:23 +01:00
Ilija Tovilo 99d2055670 Merge branch 'PHP-8.1' into PHP-8.2
* PHP-8.1:
  [skip ci] Another flaky phar macOS test
2025-02-04 14:52:15 +01:00
Ilija Tovilo d8aedb589c [skip ci] Another flaky phar macOS test 2025-02-04 14:52:03 +01:00
Ilija Tovilo 4d545f91bc Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  [skip ci] Another flaky macOS phar test
2025-01-28 12:59:25 +01:00
Ilija Tovilo dc06a52362 Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  [skip ci] Another flaky macOS phar test
2025-01-28 12:58:55 +01:00
Ilija Tovilo c14601cc90 Merge branch 'PHP-8.1' into PHP-8.2
* PHP-8.1:
  [skip ci] Another flaky macOS phar test
2025-01-28 12:58:42 +01:00
Ilija Tovilo d9744869e6 [skip ci] Another flaky macOS phar test 2025-01-28 12:58:30 +01:00
Ilija Tovilo c63460c92c Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  [skip ci] Another flaky macOS phar test
2025-01-28 12:45:35 +01:00
Ilija Tovilo b598dbf822 Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  [skip ci] Another flaky macOS phar test
2025-01-28 12:45:17 +01:00
Ilija Tovilo 01309961bb Merge branch 'PHP-8.1' into PHP-8.2
* PHP-8.1:
  [skip ci] Another flaky macOS phar test
2025-01-28 12:45:10 +01:00
Ilija Tovilo 65b990a1e0 [skip ci] Another flaky macOS phar test 2025-01-28 12:44:24 +01:00
Niels Dossche 7cc8719ee5 Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix GH-17518: offset overflow phar extractTo()
2025-01-19 13:05:55 +01:00
Niels Dossche eab209d81d Fix GH-17518: offset overflow phar extractTo()
`search` can be the empty string, so we need to check the length before
checking the last char.

Closes GH-17519.
2025-01-19 13:05:19 +01:00
Niels Dossche 57eb399700 Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix GH-17137: Segmentation fault ext/phar/phar.c
2024-12-15 13:55:44 +01:00
Niels Dossche 142f85e2e1 Fix GH-17137: Segmentation fault ext/phar/phar.c
Commit edae2431 attempted to fix a leak and double free, but didn't
properly understand what was going on, causing a reference count mistake
and subsequent segfault in this case.

The first mistake of that commit is that the reference count should've
been increased because we're reusing a phar object. The error handling
path should've gotten changed instead to undo this refcount increase
instead of not refcounting at all (root cause of this bug).

The second mistake is that the alias isn't supposed to be transferred or
whatever, that just doesn't make sense. The reason the test
bug69958.phpt originally leaked is because in the non-reuse case we
borrowed the alias and otherwise we own the alias. If we own the alias
the alias information shouldn't get deleted anyway as that would desync
the alias map.

Fixing these will reveal a third issue in which the alias memory is not
always properly in sync with the persistence-ness of the phar, fix this
as well.

Closes GH-17150.
2024-12-15 13:50:09 +01:00
Ilija Tovilo 8a9d45b86f Backport flaky flag for phar tests
4e12189604
b6ca871396
062837aa13
2024-12-10 10:35:00 +01:00
Niels Dossche c6d7d07a1d Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix GH-16695: phar:// tar parser and zero-length file header blocks
2024-11-09 17:08:49 +01:00
Niels Dossche 58f4b45bca Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  Fix GH-16695: phar:// tar parser and zero-length file header blocks
2024-11-09 17:08:19 +01:00
Niels Dossche 72c0222926 Fix GH-16695: phar:// tar parser and zero-length file header blocks
There are two issues:
1) There's an off-by-one in the check for the minimum file size for a
   tar (i.e. `>` instead of `>=`).
2) The loop in the tar parsing parses a header, and then unconditionally
   reads the next one. However, that doesn't necessarily exist.
   Instead, we remove the loop condition and check for the end of the
   file before reading the next header. Note that we can't use
   php_stream_eof as the flag may not be set yet when we're already at
   the end.

Closes GH-16700.
2024-11-09 17:07:53 +01:00
Ilija Tovilo fe310181e4 Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  [skip ci] Mark another phar test as flaky on macOS
2024-10-18 15:24:55 +02:00
Ilija Tovilo ce44a7f95c Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  [skip ci] Mark another phar test as flaky on macOS
2024-10-18 15:24:44 +02:00
Ilija Tovilo 062837aa13 [skip ci] Mark another phar test as flaky on macOS 2024-10-18 15:24:15 +02:00
Niels Dossche d8e516631f Merge branch 'PHP-8.3' into PHP-8.4
* PHP-8.3:
  Fix GH-16406: Assertion failure in ext/phar/phar.c:2808
2024-10-17 21:24:08 +02:00
Niels Dossche 25817ad298 Merge branch 'PHP-8.2' into PHP-8.3
* PHP-8.2:
  Fix GH-16406: Assertion failure in ext/phar/phar.c:2808
2024-10-17 21:23:47 +02:00