Fix GH-19752: Phar decompression with invalid extension can cause UAF

The rename code can error out prior to the reassignment of the filename,
which is why the test causes a crash.
The rename code can also error out at a later point,
which means it will have already assigned the new filename.
We detect in which case we are in and act accordingly.

Closes GH-19761.

NEWS

@@ -50,6 +50,8 @@ PHP                                                                        NEWS
   . Fix memory leak in phar tar temporary file error handling code. (nielsdos)
   . Fix metadata leak when phar convert logic fails. (nielsdos)
   . Fix memory leak on failure in phar_convert_to_other(). (nielsdos)
+  . Fixed bug GH-19752 (Phar decompression with invalid extension
+    can cause UAF). (nielsdos)
 
 - Standard:
   . Fixed bug GH-16649 (UAF during array_splice). (alexandre-daubois)

ext/phar/phar_object.c

@@ -2328,7 +2328,11 @@ no_copy:
 			if (phar->fp) {
 				php_stream_close(phar->fp);
 			}
-			efree(phar->fname);
+			if (phar->fname != source->fname) {
+				/* Depending on when phar_rename_archive() errors, the new filename
+				 * may have already been assigned or it may still be the old one. */
+				efree(phar->fname);
+			}
 			efree(phar);
 		}
 		return NULL;

ext/phar/tests/gh19752.phpt

@@ -0,0 +1,13 @@
+--TEST--
+GH-19752 (Phar decompression with invalid extension can cause UAF)
+--FILE--
+<?php
+$phar = new PharData(__DIR__.'/gh19752.1');
+try {
+    $phar->decompress("*");
+} catch (BadMethodCallException $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECTF--
+data phar converted from "%sgh19752.1" has invalid extension *