path: root/php-bug79797.patch
blob: f29d1cfc9eefcb8367b051422d71d63b996e95d0 (plain)
Partial, without binary part



From d7980cd5ef5862d9a01a0f34ee44bec07be88096 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 14 Jul 2020 17:04:24 +0200
Subject: [PATCH] Fix #79797: Use of freed hash key in the phar_parse_zipfile
 function

We must not use heap memory after we freed it.

(cherry picked from commit 7355ab81763a3d6a04ac11660e6a16d58838d187)
---
 NEWS                         |   6 ++++++
 ext/phar/tests/bug79797.phar | Bin 0 -> 274 bytes
 ext/phar/tests/bug79797.phpt |  14 ++++++++++++++
 ext/phar/zip.c               |   2 +-
 4 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 ext/phar/tests/bug79797.phar
 create mode 100644 ext/phar/tests/bug79797.phpt

diff --git a/NEWS b/NEWS
index b53c9e28cb..501283aabe 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,12 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 
+Backported from 7.2.33
+
+- Phar:
+  . Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile
+    function). (CVE-2020-7068) (cmb)
+
 Backported from 7.2.31
 
 - Core:
diff --git a/ext/phar/zip.c b/ext/phar/zip.c
index ed156a2d00..3ab02ab35a 100644
--- a/ext/phar/zip.c
+++ b/ext/phar/zip.c
@@ -682,7 +682,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
 			efree(actual_alias);
 		}
 
-		zend_hash_add(&(PHAR_GLOBALS->phar_alias_map), actual_alias, mydata->alias_len, (void*)&mydata, sizeof(phar_archive_data*), NULL);
+		zend_hash_add(&(PHAR_GLOBALS->phar_alias_map), mydata->alias, mydata->alias_len, (void*)&mydata, sizeof(phar_archive_data*), NULL);
 	} else {
 		phar_archive_data **fd_ptr;