From c55973ad182906be1282257f1ba79b89ab9625a2 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 27 Aug 2025 09:54:34 +0200 Subject: [PATCH 1/2] Fix leak when path is too long in ZipArchive::extractTo() Upstream 09c223de00af9b312e49db7bbc915aefaca5dbf8 --- php5/php_zip.c | 1 + php7/php_zip.c | 1 + php73/php_zip.c | 1 + php74/php_zip.c | 1 + php8/php_zip.c | 1 + php81/php_zip.c | 1 + php85/php_zip.c | 1 + 7 files changed, 7 insertions(+) diff --git a/php5/php_zip.c b/php5/php_zip.c index 08b4963..5dda462 100644 --- a/php5/php_zip.c +++ b/php5/php_zip.c @@ -234,6 +234,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, const char *file, i return 0; } else if (len > MAXPATHLEN) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Full extraction path exceed MAXPATHLEN (%i)", MAXPATHLEN); + efree(fullpath); efree(file_dirname_fullpath); efree(file_basename); efree(new_state.cwd); diff --git a/php7/php_zip.c b/php7/php_zip.c index b660b33..bffed61 100644 --- a/php7/php_zip.c +++ b/php7/php_zip.c @@ -233,6 +233,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, const char *file, s return 0; } else if (len > MAXPATHLEN) { php_error_docref(NULL, E_WARNING, "Full extraction path exceed MAXPATHLEN (%i)", MAXPATHLEN); + efree(fullpath); efree(file_dirname_fullpath); zend_string_release(file_basename); CWD_STATE_FREE(new_state.cwd); diff --git a/php73/php_zip.c b/php73/php_zip.c index 9dd4ac2..0635a84 100644 --- a/php73/php_zip.c +++ b/php73/php_zip.c @@ -233,6 +233,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, const char *file, s return 0; } else if (len > MAXPATHLEN) { php_error_docref(NULL, E_WARNING, "Full extraction path exceed MAXPATHLEN (%i)", MAXPATHLEN); + efree(fullpath); efree(file_dirname_fullpath); zend_string_release_ex(file_basename, 0); CWD_STATE_FREE(new_state.cwd); diff --git a/php74/php_zip.c b/php74/php_zip.c index 5754dd9..0cd33ad 100644 --- a/php74/php_zip.c +++ b/php74/php_zip.c @@ -229,6 +229,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, const char *file, s return 0; } else if (len > MAXPATHLEN) { php_error_docref(NULL, E_WARNING, "Full extraction path exceed MAXPATHLEN (%i)", MAXPATHLEN); + efree(fullpath); efree(file_dirname_fullpath); zend_string_release_ex(file_basename, 0); CWD_STATE_FREE(new_state.cwd); diff --git a/php8/php_zip.c b/php8/php_zip.c index dc5f539..5328c25 100644 --- a/php8/php_zip.c +++ b/php8/php_zip.c @@ -217,6 +217,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, const char *file, s return 0; } else if (len > MAXPATHLEN) { php_error_docref(NULL, E_WARNING, "Full extraction path exceed MAXPATHLEN (%i)", MAXPATHLEN); + efree(fullpath); efree(file_dirname_fullpath); zend_string_release_ex(file_basename, 0); CWD_STATE_FREE(new_state.cwd); diff --git a/php81/php_zip.c b/php81/php_zip.c index 3746ff5..ddcf47f 100644 --- a/php81/php_zip.c +++ b/php81/php_zip.c @@ -226,6 +226,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, const char *file, s return 0; } else if (len > MAXPATHLEN) { php_error_docref(NULL, E_WARNING, "Full extraction path exceed MAXPATHLEN (%i)", MAXPATHLEN); + efree(fullpath); efree(file_dirname_fullpath); zend_string_release_ex(file_basename, 0); CWD_STATE_FREE(new_state.cwd); diff --git a/php85/php_zip.c b/php85/php_zip.c index 450c297..d5f7b01 100644 --- a/php85/php_zip.c +++ b/php85/php_zip.c @@ -211,6 +211,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, const char *file, s return 0; } else if (len > MAXPATHLEN) { php_error_docref(NULL, E_WARNING, "Full extraction path exceed MAXPATHLEN (%i)", MAXPATHLEN); + efree(fullpath); efree(file_dirname_fullpath); zend_string_release_ex(file_basename, 0); CWD_STATE_FREE(new_state.cwd); -- 2.51.0