From e78ac461dbefb7c4a3e9fde78d50fbc56b7b0183 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Mon, 28 Sep 2015 17:12:35 -0700
Subject: [PATCH] FIx bug #70433 - Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"
Upstream-Status: Backport https://git.php.net/?p=php-src.git;a=patch;h=e78ac461dbefb7c4a3e9fde78d50fbc56b7b0183 excluded the zip part of the original patch. Hand applied dirstream change
CVE: CVE-2015-7804
Signed-off-by: Armin Kuster
---
 ext/phar/dirstream.c | 2 +-
 ext/phar/tests/bug70433.phpt | 23 +++++++++++++++++++++++
 ext/phar/tests/bug70433.zip | Bin 0 -> 264 bytes
 3 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 ext/phar/tests/bug70433.phpt
 create mode 100755 ext/phar/tests/bug70433.zip
Index: php-5.6.12/ext/phar/dirstream.c
===================================================================
--- php-5.6.12.orig/ext/phar/dirstream.c
+++ php-5.6.12/ext/phar/dirstream.c
@@ -198,7 +198,7 @@ static php_stream *phar_make_dirstream(c
 zend_hash_internal_pointer_reset(manifest);
 while (FAILURE != zend_hash_has_more_elements(manifest)) {
- if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(manifest, &str_key, &keylen, &unused, 0, NULL)) {
+ if (HASH_KEY_IS_STRING != zend_hash_get_current_key_ex(manifest, &str_key, &keylen, &unused, 0, NULL)) {
 break;
 }
Index: php-5.6.12/ext/phar/tests/bug70433.phpt
===================================================================
--- /dev/null
+++ php-5.6.12/ext/phar/tests/bug70433.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Phar - bug #70433 - Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"
+--SKIPIF--
+
+--FILE--
+getMetadata();
+var_dump($meta);
+?>
+DONE
+--EXPECTF--
+object(PharData)#1 (3) {
+ ["pathName":"SplFileInfo":private]=>
+ string(0) ""
+ ["glob":"DirectoryIterator":private]=>
+ bool(false)
+ ["subPathName":"RecursiveDirectoryIterator":private]=>
+ string(0) ""
+}
+NULL
+DONE
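Review bot: In `ext/phar/dirstream.c`, the `break` under the new `HASH_KEY_IS_STRING !=` test ends the whole manifest walk at the first non-string key, so entries that come after it in hash order would be silently missing from the directory stream. If dropping only the offending entry is intended, `zend_hash_move_forward(manifest); continue;` would do that; if stopping is intended, a comment should say so. I would also record why the test is strict, for example `/* str_key and keylen are only filled in for string keys; never use them otherwise (bug #70433) */`, since that is presumably the uninitialized pointer the subject refers to. This guards the reader only; the code that lets such an entry into `manifest`, and any other loop that reads manifest keys, is outside this patch and worth checking for the same assumption. The loop body continues outside the hunk.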
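Review bot: The diffstat lists `ext/phar/tests/bug70433.zip` as a new 264-byte binary, but no section for it follows in the patch as shown, so the regression test in `bug70433.phpt` may have no fixture to open once this is applied. Either ship the archive alongside the patch or leave the test out of the backport, so that it does not fail for a reason unrelated to the fix. The `--SKIPIF--` section is also empty as shown; unless that is an artefact of how the page was rendered, it should skip the test when the phar extension is not loaded.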