Conversation

@pull pull bot commented Jul 5, 2025

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.2)
ndossche and others added 6 commits July 5, 2025 21:31

The copy function does two things wrong:
- The error recovery logic is a hack that temporarily moves the fp
  pointer to cfp, even though it's not compressed. The respective error
  recovery it talks about is not present in the code, nor is it
  necessary. This is the direct cause of the double free in the original
  reproducer. Fixing this makes it crash in another location though.
- The link following logic is inconsistent and illogical. It cannot be a
  link at this point.

The root cause, after fixing the above issues, is that the file pointers
are not reset properly for the copy. The file pointers need to be the
original ones to perform the copy from the right source, but after that
they need to be set properly to NULL (because fp_type == PHAR_FP).

Closes GH-19035.

Co-authored-by: Yun Dou <[email protected]>

* PHP-8.3:
  Fix stream double free in phar
* PHP-8.4:
  Fix stream double free in phar

There are two bugfixes here.
The first was a crash that I discovered while working on GH-19035.
The check for when a file pointer was still occupied was wrong, leading
to a UAF. Strangely, zip got this right.

The second issue was that even after fixing the first one, the file
contents were garbage. This is because the file write offset for the
phar stream was wrong.

Closes GH-19038.

* PHP-8.3:
  Fix phar crash and file corruption with SplFileObject
* PHP-8.4:
  Fix phar crash and file corruption with SplFileObject
@pull pull bot locked and limited conversation to collaborators Jul 5, 2025
@pull pull bot added the ⤵️ pull label Jul 5, 2025
@pull pull bot merged commit 5a2a150 into wudi:master Jul 5, 2025
8 checks passed