phar: Fix memory leak when openssl polyfill returns garbage

Closes phpGH-20210.

Author: ndossche

NEWS

@@ -55,6 +55,7 @@ PHP                                                                        NEWS
     (nielsdos)
   . Fix potential buffer length truncation due to usage of type int instead
     of type size_t. (Girgias)
+  . Fix memory leak when openssl polyfill returns garbage. (nielsdos)
 
 - Random:
   . Fix Randomizer::__serialize() w.r.t. INDIRECTs. (nielsdos)

ext/phar/tests/openssl_sign_invalid_polyfill_return_value.phpt

@@ -0,0 +1,34 @@
+--TEST--
+openssl_sign() polyfill with wrong return value
+--EXTENSIONS--
+phar
+--SKIPIF--
+<?php
+if (getenv('SKIP_SLOW_TESTS')) die('skip');
+if (function_exists('openssl_sign')) die('skip requires openssl disabled for mocking purposes');
+?>
+--INI--
+phar.require_hash=0
+--FILE--
+<?php
+$fname = __DIR__ . '/' . basename(__FILE__, '.php') . '.tar';
+
+function openssl_sign() {
+    return str_repeat('foobar', random_int(1, 1));
+}
+
+$phar = new PharData($fname);
+$phar->setSignatureAlgorithm(Phar::OPENSSL, "randomcrap");
+try {
+    $phar->addEmptyDir('blah');
+} catch (PharException $e) {
+    echo $e->getMessage();
+}
+
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/' . basename(__FILE__, '.clean.php') . '.tar');
+?>
+--EXPECTF--
+phar error: unable to write signature to tar-based phar: unable to write phar "%s" with requested openssl signature

ext/phar/util.c

@@ -1471,7 +1471,6 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t
 	zval_ptr_dtor_str(&zp[2]);
 
 	switch (Z_TYPE(retval)) {
-		default:
 		case IS_LONG:
 			zval_ptr_dtor(&zp[1]);
 			if (1 == Z_LVAL(retval)) {
@@ -1483,6 +1482,9 @@ static int phar_call_openssl_signverify(int is_sign, php_stream *fp, zend_off_t
 			*signature_len = Z_STRLEN(zp[1]);
 			zval_ptr_dtor(&zp[1]);
 			return SUCCESS;
+		default:
+			zval_ptr_dtor(&retval);
+			ZEND_FALLTHROUGH;
 		case IS_FALSE:
 			zval_ptr_dtor(&zp[1]);
 			return FAILURE;