Partial, without binary part From bd3395d35b2bbed0f6716c33cff217b00eddc2eb Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Tue, 14 Jul 2020 17:04:24 +0200 Subject: [PATCH] Fix #79797: Use of freed hash key in the phar_parse_zipfile function We must not use heap memory after we freed it. (cherry picked from commit 7355ab81763a3d6a04ac11660e6a16d58838d187) --- NEWS | 6 ++++++ ext/phar/tests/bug79797.phar | Bin 0 -> 274 bytes ext/phar/tests/bug79797.phpt | 14 ++++++++++++++ ext/phar/zip.c | 2 +- 4 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 ext/phar/tests/bug79797.phar create mode 100644 ext/phar/tests/bug79797.phpt diff --git a/NEWS b/NEWS index e153539d98..2655a1747f 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,12 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +Backported from 7.2.33 + +- Phar: + . Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile + function). (CVE-2020-7068) (cmb) + Backported from 7.2.31 - Core: diff --git a/ext/phar/zip.c b/ext/phar/zip.c index 1c05fbd80f..f9b43a5487 100644 --- a/ext/phar/zip.c +++ b/ext/phar/zip.c @@ -704,7 +704,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias, efree(actual_alias); } - zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), actual_alias, mydata->alias_len, mydata); + zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), mydata->alias, mydata->alias_len, mydata); } else { phar_archive_data *fd_ptr;