Skip to content

Commit 6fe40de

Browse files
ndosschendossche
committed
Fix GH-20302: Freeing a phar alias may invalidate PharFileInfo objects
Closes GH-20345.
1 parent a585ace commit 6fe40de

File tree

3 files changed

+55
-11
lines changed

3 files changed

+55
-11
lines changed

NEWS

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -65,6 +65,8 @@ PHP NEWS
6565
. Fix file descriptor leak in phar_zip_flush() on failure. (nielsdos)
6666
. Fix memory leak when opening temp file fails while trying to open
6767
gzip-compressed archive. (nielsdos)
68+
. Fixed bug GH-20302 (Freeing a phar alias may invalidate
69+
PharFileInfo objects). (nielsdos)
6870

6971
- Random:
7072
. Fix Randomizer::__serialize() w.r.t. INDIRECTs. (nielsdos)

ext/phar/phar_object.c

Lines changed: 17 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -4493,6 +4493,9 @@ PHP_METHOD(PharFileInfo, __construct)
44934493
entry_obj->entry = entry_info;
44944494
if (!entry_info->is_persistent && !entry_info->is_temp_dir) {
44954495
++entry_info->fp_refcount;
4496+
/* The phar data must exist to keep the alias locked. */
4497+
ZEND_ASSERT(!phar_data->is_persistent);
4498+
++phar_data->refcount;
44964499
}
44974500

44984501
ZVAL_STRINGL(&arg1, fname, fname_len);
@@ -4523,23 +4526,26 @@ PHP_METHOD(PharFileInfo, __destruct)
45234526
RETURN_THROWS();
45244527
}
45254528

4526-
if (!entry_obj->entry) {
4529+
phar_entry_info *entry = entry_obj->entry;
4530+
if (!entry) {
45274531
return;
45284532
}
45294533

4530-
if (entry_obj->entry->is_temp_dir) {
4531-
if (entry_obj->entry->filename) {
4532-
efree(entry_obj->entry->filename);
4533-
entry_obj->entry->filename = NULL;
4534+
if (entry->is_temp_dir) {
4535+
if (entry->filename) {
4536+
efree(entry->filename);
4537+
entry->filename = NULL;
45344538
}
45354539

4536-
efree(entry_obj->entry);
4537-
} else if (!entry_obj->entry->is_persistent) {
4538-
--entry_obj->entry->fp_refcount;
4539-
/* It is necessarily still in the manifest, which will ultimately free this. */
4540+
efree(entry);
4541+
entry_obj->entry = NULL;
4542+
} else if (!entry->is_persistent) {
4543+
--entry->fp_refcount;
4544+
/* The entry itself still lives in the manifest,
4545+
* which will either be freed here if the file info was the last reference; or freed later. */
4546+
entry_obj->entry = NULL;
4547+
phar_archive_delref(entry->phar);
45404548
}
4541-
4542-
entry_obj->entry = NULL;
45434549
}
45444550
/* }}} */
45454551

ext/phar/tests/gh20302.phpt

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
--TEST--
2+
GH-20302 (Freeing a phar alias may invalidate PharFileInfo objects)
3+
--EXTENSIONS--
4+
phar
5+
--INI--
6+
phar.require_hash=0
7+
--FILE--
8+
<?php
9+
$fname = __DIR__.'/gh20302.phar';
10+
$pname = 'phar://' . $fname;
11+
$file = "<?php
12+
__HALT_COMPILER(); ?>";
13+
$files = array();
14+
$files['here'] = 'a';
15+
include __DIR__.'/files/phar_test.inc';
16+
$b = new PharFileInfo($pname . '/here');
17+
18+
// Create new phar with same alias and open it
19+
@mkdir(__DIR__.'/gh20302');
20+
$fname = __DIR__.'/gh20302/gh20302.phar';
21+
$pname = 'phar://' . $fname;
22+
include __DIR__.'/files/phar_test.inc';
23+
try {
24+
new Phar($fname);
25+
} catch (UnexpectedValueException $e) {
26+
echo $e->getMessage(), "\n";
27+
}
28+
?>
29+
--CLEAN--
30+
<?php
31+
@unlink(__DIR__.'/gh20302/gh20302.phar');
32+
@unlink(__DIR__.'/gh20302.phar');
33+
@rmdir(__DIR__.'/gh20302');
34+
?>
35+
--EXPECTF--
36+
Cannot open archive "%sgh20302.phar", alias is already in use by existing archive

0 commit comments

Comments
 (0)