diff options
| author | Stanislav Malyshev <stas@php.net> | 2016-06-12 16:43:12 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2016-06-12 21:35:13 -0700 |
| commit | d144590d38fa321b46b8e199c754006318985c84 (patch) | |
| tree | f1a5b81f835e8117b662957d2890c06b56692ede | |
| parent | 030731576904de7ad9f58412f5593ffc441121c8 (diff) | |
| download | php-git-d144590d38fa321b46b8e199c754006318985c84.tar.gz | |
Fix bug #72321 - use efree() for emalloc allocation
| -rw-r--r-- | ext/phar/phar_object.c | 4 | ||||
| -rw-r--r-- | ext/phar/tests/72321_1.zip | bin | 0 -> 250 bytes | |||
| -rw-r--r-- | ext/phar/tests/72321_2.zip | bin | 0 -> 258 bytes | |||
| -rw-r--r-- | ext/phar/tests/bug72321.phpt | 26 |
4 files changed, 28 insertions, 2 deletions
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c index 08d29831e0..64d7a6c76e 100644 --- a/ext/phar/phar_object.c +++ b/ext/phar/phar_object.c @@ -4217,14 +4217,14 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char * if (!php_stream_mkdir(fullpath, entry->flags & PHAR_ENT_PERM_MASK, PHP_STREAM_MKDIR_RECURSIVE, NULL)) { spprintf(error, 4096, "Cannot extract \"%s\", could not create directory \"%s\"", entry->filename, fullpath); efree(fullpath); - free(new_state.cwd); + efree(new_state.cwd); return FAILURE; } } else { if (!php_stream_mkdir(fullpath, 0777, PHP_STREAM_MKDIR_RECURSIVE, NULL)) { spprintf(error, 4096, "Cannot extract \"%s\", could not create directory \"%s\"", entry->filename, fullpath); efree(fullpath); - free(new_state.cwd); + efree(new_state.cwd); return FAILURE; } } diff --git a/ext/phar/tests/72321_1.zip b/ext/phar/tests/72321_1.zip Binary files differnew file mode 100644 index 0000000000..ebc44ea282 --- /dev/null +++ b/ext/phar/tests/72321_1.zip diff --git a/ext/phar/tests/72321_2.zip b/ext/phar/tests/72321_2.zip Binary files differnew file mode 100644 index 0000000000..de7ca266b8 --- /dev/null +++ b/ext/phar/tests/72321_2.zip diff --git a/ext/phar/tests/bug72321.phpt b/ext/phar/tests/bug72321.phpt new file mode 100644 index 0000000000..37aca19e82 --- /dev/null +++ b/ext/phar/tests/bug72321.phpt @@ -0,0 +1,26 @@ +--TEST-- +Phar: PHP bug #72321: invalid free in phar_extract_file() +--SKIPIF-- +<?php if (!extension_loaded("phar")) die("skip"); ?> +--FILE-- +<?php +chdir(__DIR__); +mkdir("test72321"); +$phar = new PharData("72321_1.zip"); +$phar->extractTo("test72321"); +$phar = new PharData("72321_2.zip"); +try { +$phar->extractTo("test72321"); +} catch(PharException $e) { + print $e->getMessage()."\n"; +} +?> +DONE +--CLEAN-- +<?php unlink(__DIR__."/test72321/AAAAAAAAxxxxBBBBCCCCCCCCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"); +rmdir(__DIR__."/test72321"); +?> +--EXPECTF-- +Warning: PharData::extractTo(): Not a directory in %s/bug72321.php on line %d +Extraction from phar "%s/72321_2.zip" failed: Cannot extract "AAAAAAAAxxxxBBBBCCCCCCCCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/b/c", could not create directory "test72321/AAAAAAAAxxxxBBBBCCCCCCCCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/b" +DONE
\ No newline at end of file |