1 files changed, 54 insertions, 0 deletions

diff --git a/bug71331.patch b/bug71331.patch
new file mode 100644
index 0000000..0151693
--- /dev/null
+++ b/bug71331.patch
@@ -0,0 +1,54 @@
+Backported from 5.5 for 5.4 by Remi Collet
+binary patch dropped
+
+
+From 9649ca1630433473a307d015ba1a79a4a7a779f5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Thu, 14 Jan 2016 22:58:40 -0800
+Subject: [PATCH] Fixed bug #71331 - Uninitialized pointer in
+ phar_make_dirstream()
+
+---
+ ext/phar/dirstream.c         |   3 ++-
+ ext/phar/tar.c               |   2 +-
+ ext/phar/tests/bug71331.phpt |  15 +++++++++++++++
+ ext/phar/tests/bug71331.tar  | Bin 0 -> 2560 bytes
+ 4 files changed, 18 insertions(+), 2 deletions(-)
+ create mode 100644 ext/phar/tests/bug71331.phpt
+ create mode 100644 ext/phar/tests/bug71331.tar
+
+diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c
+index 75cf049..94958a2 100644
+--- a/ext/phar/dirstream.c
++++ b/ext/phar/dirstream.c
+@@ -207,6 +207,7 @@ static php_stream *phar_make_dirstream(c
+ 	zend_hash_internal_pointer_reset(manifest);
+ 
+ 	while (FAILURE != zend_hash_has_more_elements(manifest)) {
++		keylen = 0;
+ 		if (HASH_KEY_NON_EXISTANT == zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) {
+ 			break;
+ 		}
+@@ -214,7 +215,7 @@ static php_stream *phar_make_dirstream(c
+ 		PHAR_STR(key, str_key);
+ 
+ 		if (keylen <= (uint)dirlen) {
+-			if (keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
++			if (keylen == 0 || keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
+ 				PHAR_STR_FREE(str_key);
+ 				if (SUCCESS != zend_hash_move_forward(manifest)) {
+ 					break;
+diff --git a/ext/phar/tar.c b/ext/phar/tar.c
+index 3a4bd49..bf19e08 100644
+--- a/ext/phar/tar.c
++++ b/ext/phar/tar.c
+@@ -347,7 +347,7 @@ bail:
+ 			entry.filename_len = entry.uncompressed_filesize;
+ 
+ 			/* Check for overflow - bug 61065 */
+-			if (entry.filename_len == UINT_MAX) {
++			if (entry.filename_len == UINT_MAX || entry.filename_len == 0) {
+ 				if (error) {
+ 					spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname);
+ 				}
+