From fa331a32d499b895aa836040b88f70697bf4ba9c Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Thu, 18 Sep 2025 11:17:58 +0200
Subject: [PATCH 2/4] Fix GH-19688: Remove pattern overflow in zip addGlob()

From https://github.com/php/php-src/commit/901f71e6e3a9c97928a8c32ab7e70bd52e93819c#diff-7ee66c4f1536ac84dc5bbff1b8312e2eef24b974b3e48a5c5c2bcfdf2eb8f3ce
---
 package.xml        |  2 ++
 php5/php_zip.c     |  2 +-
 php7/php_zip.c     |  2 +-
 php73/php_zip.c    |  2 +-
 php74/php_zip.c    |  2 +-
 php8/php_zip.c     |  2 +-
 php81/php_zip.c    |  2 +-
 php85/php_zip.c    |  2 +-
 tests/gh19688.phpt | 23 +++++++++++++++++++++++
 9 files changed, 32 insertions(+), 7 deletions(-)
 create mode 100644 tests/gh19688.phpt

diff --git a/php5/php_zip.c b/php5/php_zip.c
index 8d16d3b..8773944 100644
--- a/php5/php_zip.c
+++ b/php5/php_zip.c
@@ -1968,7 +1968,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					php_basename(Z_STRVAL_PP(zval_file), Z_STRLEN_PP(zval_file), NULL, 0,
 									&basename, (size_t *)&file_stripped_len TSRMLS_CC);
 					file_stripped = basename;
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_PP(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_PP(zval_file) > opts.remove_path_len &&  !memcmp(Z_STRVAL_PP(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_PP(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_PP(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_PP(zval_file) - opts.remove_path_len - 1;
diff --git a/php7/php_zip.c b/php7/php_zip.c
index d962618..6363728 100644
--- a/php7/php_zip.c
+++ b/php7/php_zip.c
@@ -1896,7 +1896,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
 					file_stripped = ZSTR_VAL(basename);
 					file_stripped_len = ZSTR_LEN(basename);
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
diff --git a/php73/php_zip.c b/php73/php_zip.c
index eb2c5b6..63715e7 100644
--- a/php73/php_zip.c
+++ b/php73/php_zip.c
@@ -1899,7 +1899,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
 					file_stripped = ZSTR_VAL(basename);
 					file_stripped_len = ZSTR_LEN(basename);
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
diff --git a/php74/php_zip.c b/php74/php_zip.c
index f987056..17f5476 100644
--- a/php74/php_zip.c
+++ b/php74/php_zip.c
@@ -1884,7 +1884,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
 					file_stripped = ZSTR_VAL(basename);
 					file_stripped_len = ZSTR_LEN(basename);
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
diff --git a/php8/php_zip.c b/php8/php_zip.c
index 8129c15..d3516f8 100644
--- a/php8/php_zip.c
+++ b/php8/php_zip.c
@@ -1786,7 +1786,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
 					file_stripped = ZSTR_VAL(basename);
 					file_stripped_len = ZSTR_LEN(basename);
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
diff --git a/php81/php_zip.c b/php81/php_zip.c
index 8bc582d..7316643 100644
--- a/php81/php_zip.c
+++ b/php81/php_zip.c
@@ -1806,7 +1806,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
 					file_stripped = ZSTR_VAL(basename);
 					file_stripped_len = ZSTR_LEN(basename);
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
diff --git a/php85/php_zip.c b/php85/php_zip.c
index 604b403..4fcb66f 100644
--- a/php85/php_zip.c
+++ b/php85/php_zip.c
@@ -1742,7 +1742,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
 					file_stripped = ZSTR_VAL(basename);
 					file_stripped_len = ZSTR_LEN(basename);
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
diff --git a/tests/gh19688.phpt b/tests/gh19688.phpt
new file mode 100644
index 0000000..09513a9
--- /dev/null
+++ b/tests/gh19688.phpt
@@ -0,0 +1,23 @@
+--TEST--
+GH-19688 (Remove pattern overflow in zip addGlob())
+--SKIPIF--
+<?php
+if (!extension_loaded('zip')) die('skip');
+?>
+--FILE--
+<?php
+$dir = __DIR__ . '/';
+$testfile = $dir . '001.phpt';
+$zip = new ZipArchive();
+$filename = $dir . '/gh19688.zip';
+$zip->open($filename, ZipArchive::CREATE | ZipArchive::OVERWRITE);
+$options = array('remove_path' => $dir . 'a very long string here that will overrun');
+$zip->addGlob($testfile, 0, $options);
+var_dump($zip->getNameIndex(0));
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__  . '/gh19688.zip');
+?>
+--EXPECTF--
+string(%d) "%s001.phpt"
-- 
2.51.0