summaryrefslogtreecommitdiffstats
path: root/0002-Fix-GH-19688-Remove-pattern-overflow-in-zip-addGlob.patch
diff options
context:
space:
mode:
Diffstat (limited to '0002-Fix-GH-19688-Remove-pattern-overflow-in-zip-addGlob.patch')
-rw-r--r--0002-Fix-GH-19688-Remove-pattern-overflow-in-zip-addGlob.patch142
1 files changed, 142 insertions, 0 deletions
diff --git a/0002-Fix-GH-19688-Remove-pattern-overflow-in-zip-addGlob.patch b/0002-Fix-GH-19688-Remove-pattern-overflow-in-zip-addGlob.patch
new file mode 100644
index 0000000..cdff431
--- /dev/null
+++ b/0002-Fix-GH-19688-Remove-pattern-overflow-in-zip-addGlob.patch
@@ -0,0 +1,142 @@
+From fa331a32d499b895aa836040b88f70697bf4ba9c Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Thu, 18 Sep 2025 11:17:58 +0200
+Subject: [PATCH 2/4] Fix GH-19688: Remove pattern overflow in zip addGlob()
+
+From https://github.com/php/php-src/commit/901f71e6e3a9c97928a8c32ab7e70bd52e93819c#diff-7ee66c4f1536ac84dc5bbff1b8312e2eef24b974b3e48a5c5c2bcfdf2eb8f3ce
+---
+ package.xml | 2 ++
+ php5/php_zip.c | 2 +-
+ php7/php_zip.c | 2 +-
+ php73/php_zip.c | 2 +-
+ php74/php_zip.c | 2 +-
+ php8/php_zip.c | 2 +-
+ php81/php_zip.c | 2 +-
+ php85/php_zip.c | 2 +-
+ tests/gh19688.phpt | 23 +++++++++++++++++++++++
+ 9 files changed, 32 insertions(+), 7 deletions(-)
+ create mode 100644 tests/gh19688.phpt
+
+diff --git a/php5/php_zip.c b/php5/php_zip.c
+index 8d16d3b..8773944 100644
+--- a/php5/php_zip.c
++++ b/php5/php_zip.c
+@@ -1968,7 +1968,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
+ php_basename(Z_STRVAL_PP(zval_file), Z_STRLEN_PP(zval_file), NULL, 0,
+ &basename, (size_t *)&file_stripped_len TSRMLS_CC);
+ file_stripped = basename;
+- } else if (opts.remove_path && !memcmp(Z_STRVAL_PP(zval_file), opts.remove_path, opts.remove_path_len)) {
++ } else if (opts.remove_path && Z_STRLEN_PP(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_PP(zval_file), opts.remove_path, opts.remove_path_len)) {
+ if (IS_SLASH(Z_STRVAL_PP(zval_file)[opts.remove_path_len])) {
+ file_stripped = Z_STRVAL_PP(zval_file) + opts.remove_path_len + 1;
+ file_stripped_len = Z_STRLEN_PP(zval_file) - opts.remove_path_len - 1;
+diff --git a/php7/php_zip.c b/php7/php_zip.c
+index d962618..6363728 100644
+--- a/php7/php_zip.c
++++ b/php7/php_zip.c
+@@ -1896,7 +1896,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
+ basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
+ file_stripped = ZSTR_VAL(basename);
+ file_stripped_len = ZSTR_LEN(basename);
+- } else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
++ } else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+ if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
+ file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
+ file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
+diff --git a/php73/php_zip.c b/php73/php_zip.c
+index eb2c5b6..63715e7 100644
+--- a/php73/php_zip.c
++++ b/php73/php_zip.c
+@@ -1899,7 +1899,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
+ basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
+ file_stripped = ZSTR_VAL(basename);
+ file_stripped_len = ZSTR_LEN(basename);
+- } else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
++ } else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+ if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
+ file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
+ file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
+diff --git a/php74/php_zip.c b/php74/php_zip.c
+index f987056..17f5476 100644
+--- a/php74/php_zip.c
++++ b/php74/php_zip.c
+@@ -1884,7 +1884,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
+ basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
+ file_stripped = ZSTR_VAL(basename);
+ file_stripped_len = ZSTR_LEN(basename);
+- } else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
++ } else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+ if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
+ file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
+ file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
+diff --git a/php8/php_zip.c b/php8/php_zip.c
+index 8129c15..d3516f8 100644
+--- a/php8/php_zip.c
++++ b/php8/php_zip.c
+@@ -1786,7 +1786,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
+ basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
+ file_stripped = ZSTR_VAL(basename);
+ file_stripped_len = ZSTR_LEN(basename);
+- } else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
++ } else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+ if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
+ file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
+ file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
+diff --git a/php81/php_zip.c b/php81/php_zip.c
+index 8bc582d..7316643 100644
+--- a/php81/php_zip.c
++++ b/php81/php_zip.c
+@@ -1806,7 +1806,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
+ basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
+ file_stripped = ZSTR_VAL(basename);
+ file_stripped_len = ZSTR_LEN(basename);
+- } else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
++ } else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+ if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
+ file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
+ file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
+diff --git a/php85/php_zip.c b/php85/php_zip.c
+index 604b403..4fcb66f 100644
+--- a/php85/php_zip.c
++++ b/php85/php_zip.c
+@@ -1742,7 +1742,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
+ basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
+ file_stripped = ZSTR_VAL(basename);
+ file_stripped_len = ZSTR_LEN(basename);
+- } else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
++ } else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+ if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
+ file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
+ file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
+diff --git a/tests/gh19688.phpt b/tests/gh19688.phpt
+new file mode 100644
+index 0000000..09513a9
+--- /dev/null
++++ b/tests/gh19688.phpt
+@@ -0,0 +1,23 @@
++--TEST--
++GH-19688 (Remove pattern overflow in zip addGlob())
++--SKIPIF--
++<?php
++if (!extension_loaded('zip')) die('skip');
++?>
++--FILE--
++<?php
++$dir = __DIR__ . '/';
++$testfile = $dir . '001.phpt';
++$zip = new ZipArchive();
++$filename = $dir . '/gh19688.zip';
++$zip->open($filename, ZipArchive::CREATE | ZipArchive::OVERWRITE);
++$options = array('remove_path' => $dir . 'a very long string here that will overrun');
++$zip->addGlob($testfile, 0, $options);
++var_dump($zip->getNameIndex(0));
++?>
++--CLEAN--
++<?php
++@unlink(__DIR__ . '/gh19688.zip');
++?>
++--EXPECTF--
++string(%d) "%s001.phpt"
+--
+2.51.0
+
generated by cgit (git 2.34.1) at 2025-10-07 19:34:59 +0000