From fa331a32d499b895aa836040b88f70697bf4ba9c Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Thu, 18 Sep 2025 11:17:58 +0200
Subject: [PATCH 2/4] Fix GH-19688: Remove pattern overflow in zip addGlob()

From https://github.com/php/php-src/commit/901f71e6e3a9c97928a8c32ab7e70bd52e93819c#diff-7ee66c4f1536ac84dc5bbff1b8312e2eef24b974b3e48a5c5c2bcfdf2eb8f3ce
---
 package.xml        |  2 ++
 php5/php_zip.c     |  2 +-
 php7/php_zip.c     |  2 +-
 php73/php_zip.c    |  2 +-
 php74/php_zip.c    |  2 +-
 php8/php_zip.c     |  2 +-
 php81/php_zip.c    |  2 +-
 php85/php_zip.c    |  2 +-
 tests/gh19688.phpt | 23 +++++++++++++++++++++++
 9 files changed, 32 insertions(+), 7 deletions(-)
 create mode 100644 tests/gh19688.phpt

diff --git a/php5/php_zip.c b/php5/php_zip.c
index 8d16d3b..8773944 100644
--- a/php5/php_zip.c
+++ b/php5/php_zip.c
@@ -1968,7 +1968,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					php_basename(Z_STRVAL_PP(zval_file), Z_STRLEN_PP(zval_file), NULL, 0,
 									&basename, (size_t *)&file_stripped_len TSRMLS_CC);
 					file_stripped = basename;
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_PP(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_PP(zval_file) > opts.remove_path_len &&  !memcmp(Z_STRVAL_PP(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_PP(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_PP(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_PP(zval_file) - opts.remove_path_len - 1;
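Review bot: The added `Z_STRLEN_PP(zval_file) > opts.remove_path_len` guard has no comment, yet its position is load-bearing: it must be evaluated before `memcmp()` so the compare never reads past the end of the file name, and moving it after the `memcmp()` operand would bring the over-read back. I would add `/* length check must precede memcmp(): remove_path may be longer than the file name (GH-19688) */` above the condition, here and in the identical hunks for php7, php73, php74, php8, php81 and php85. The strict `>` presumably also leaves a file name exactly equal to `remove_path` unstripped rather than reducing it to an empty entry name, but the `else` branch that would show this is outside the hunk. In this php5 variant the `(size_t *)&file_stripped_len` cast suggests the length fields are not `size_t`, so confirm that `Z_STRLEN_PP()` and `remove_path_len` have the same signedness. The line also has a doubled space before `!memcmp`.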
diff --git a/php7/php_zip.c b/php7/php_zip.c
index d962618..6363728 100644
--- a/php7/php_zip.c
+++ b/php7/php_zip.c
@@ -1896,7 +1896,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
 					file_stripped = ZSTR_VAL(basename);
 					file_stripped_len = ZSTR_LEN(basename);
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
diff --git a/php73/php_zip.c b/php73/php_zip.c
index eb2c5b6..63715e7 100644
--- a/php73/php_zip.c
+++ b/php73/php_zip.c
@@ -1899,7 +1899,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
 					file_stripped = ZSTR_VAL(basename);
 					file_stripped_len = ZSTR_LEN(basename);
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
diff --git a/php74/php_zip.c b/php74/php_zip.c
index f987056..17f5476 100644
--- a/php74/php_zip.c
+++ b/php74/php_zip.c
@@ -1884,7 +1884,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
 					file_stripped = ZSTR_VAL(basename);
 					file_stripped_len = ZSTR_LEN(basename);
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
diff --git a/php8/php_zip.c b/php8/php_zip.c
index 8129c15..d3516f8 100644
--- a/php8/php_zip.c
+++ b/php8/php_zip.c
@@ -1786,7 +1786,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
 					file_stripped = ZSTR_VAL(basename);
 					file_stripped_len = ZSTR_LEN(basename);
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
diff --git a/php81/php_zip.c b/php81/php_zip.c
index 8bc582d..7316643 100644
--- a/php81/php_zip.c
+++ b/php81/php_zip.c
@@ -1806,7 +1806,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
 					file_stripped = ZSTR_VAL(basename);
 					file_stripped_len = ZSTR_LEN(basename);
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
diff --git a/php85/php_zip.c b/php85/php_zip.c
index 604b403..4fcb66f 100644
--- a/php85/php_zip.c
+++ b/php85/php_zip.c
@@ -1742,7 +1742,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 					basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
 					file_stripped = ZSTR_VAL(basename);
 					file_stripped_len = ZSTR_LEN(basename);
-				} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
+				} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
 					if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
 						file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
 						file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;
diff --git a/tests/gh19688.phpt b/tests/gh19688.phpt
new file mode 100644
index 0000000..09513a9
--- /dev/null
+++ b/tests/gh19688.phpt
@@ -0,0 +1,23 @@
+--TEST--
+GH-19688 (Remove pattern overflow in zip addGlob())
+--SKIPIF--
+<?php
+if (!extension_loaded('zip')) die('skip');
+?>
+--FILE--
+<?php
+$dir = __DIR__ . '/';
+$testfile = $dir . '001.phpt';
+$zip = new ZipArchive();
+$filename = $dir . '/gh19688.zip';
+$zip->open($filename, ZipArchive::CREATE | ZipArchive::OVERWRITE);
+$options = array('remove_path' => $dir . 'a very long string here that will overrun');
+$zip->addGlob($testfile, 0, $options);
+var_dump($zip->getNameIndex(0));
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__  . '/gh19688.zip');
+?>
+--EXPECTF--
+string(%d) "%s001.phpt"
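Review bot: This test is unlikely to fail on an unpatched build unless it runs under a memory checker, because `$testfile` and the `remove_path` value differ at the first byte after `$dir`, where `memcmp()` will normally stop. It also covers only a `remove_path` longer than the file name, not the boundary where `remove_path` equals the full file path, which is the case the strict `>` decides; a second `addGlob()` call with `'remove_path' => $testfile` and its own `getNameIndex()` check would pin that down. The return values of `$zip->open()` and `$zip->addGlob()` are not checked, so a failure there would surface only as a confusing `getNameIndex(0)` mismatch. `$dir . '/gh19688.zip'` produces a doubled slash because `$dir` already ends in `/`, while the `--CLEAN--` section builds the path from `__DIR__` directly.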
-- 
2.51.0