Fix GH-20732: Phar::LoadPhar undefined behavior when loading directory

The size of `got` was incorrect: it being unsigned means that the error
return codes are converted from -1 to SIZE_MAX. We should use ssize_t
instead.

Closes GH-20735.

NEWS

@@ -29,6 +29,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-20674 (Fix GH-20674 mb_decode_mimeheader does not handle
     separator). (Yuya Hamada)
 
+- Phar:
+  . Fixed bug GH-20732 (Phar::LoadPhar undefined behavior when reading fails).
+    (ndossche)
+
 - SPL:
   . Fixed bug GH-20678 (resource created by GlobIterator crashes with fclose()).
     (David Carlier)

ext/phar/phar.c

@@ -1609,7 +1609,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char
 	const zend_long readsize = sizeof(buffer) - sizeof(token);
 	const zend_long tokenlen = sizeof(token) - 1;
 	zend_long halt_offset;
-	size_t got;
+	ssize_t got;
 	uint32_t compression = PHAR_FILE_COMPRESSED_NONE;
 
 	if (error) {
@@ -1627,7 +1627,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char
 	/* Maybe it's better to compile the file instead of just searching,  */
 	/* but we only want the offset. So we want a .re scanner to find it. */
 	while(!php_stream_eof(fp)) {
-		if ((got = php_stream_read(fp, buffer+tokenlen, readsize)) < (size_t) tokenlen) {
+		if ((got = php_stream_read(fp, buffer+tokenlen, readsize)) < tokenlen) {
 			MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)")
 		}
 

ext/phar/tests/gh20732.phpt

@@ -0,0 +1,14 @@
+--TEST--
+GH-20732 (Phar::LoadPhar undefined behavior when loading directory)
+--EXTENSIONS--
+phar
+--FILE--
+<?php
+try {
+    @Phar::LoadPhar('.');
+} catch (PharException $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECTF--
+%r(internal corruption of phar "%s" \(truncated entry\)|unable to open phar for reading ".")%r