Fix stream double free in phar #18953
+82
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| --TEST-- | ||
| Phar: Stream double free | ||
| --EXTENSIONS-- | ||
| phar | ||
| --INI-- | ||
| phar.readonly=0 | ||
| --ENV-- | ||
| USE_ZEND_ALLOC=0 | ||
|
There was a problem hiding this comment.
|
||
| --FILE-- | ||
| <?php | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| require __DIR__ . '/gh18953/autoload.inc'; | ||
|
There was a problem hiding this comment. You don't need all this autoloading stuff, nor the classes at the bottom. Executing the test without these things, with ASAN+USE_ZEND_ALLOC=0, reliably reproduces the bug. |
||
|
|
||
| // cleaning | ||
| @unlink("gh18953.phar"); | ||
| @unlink("gh18953.phar.gz"); | ||
|
Comment on lines
+16
to
+18
There was a problem hiding this comment. This shouldn't be needed because of the CLEAN section There was a problem hiding this comment. If last test failed without cleaning, this test will never success. So I unlink them here. There was a problem hiding this comment. A CLEAN section always runs, if it doesn't there are bigger problems with the test runner. Please remove it as asked previously. |
||
|
|
||
| // create a phar | ||
| $phar = new Phar("gh18953.phar"); | ||
| $phar->startBuffering(); | ||
| // add any dir | ||
| $phar->addEmptyDir("dir"); | ||
| $phar->stopBuffering(); | ||
| // compress | ||
| $phar->compress(Phar::GZ); | ||
|
|
||
| // this increases the chance of reproducing the problem | ||
| // even with this, it's not always reproducible | ||
| $obj1 = new NS1\Class1(); | ||
| $obj2 = new NS1\Class1(); | ||
| $obj2 = new NS1\Class1(); | ||
| $obj2 = new NS1\Class1(); | ||
| $obj2 = new NS1\Class1(); | ||
|
|
||
| echo "Done" . PHP_EOL; | ||
| ?> | ||
| --CLEAN-- | ||
| <?php | ||
| @unlink("gh18953.phar"); | ||
| @unlink("gh18953.phar.gz"); | ||
| ?> | ||
| --EXPECT-- | ||
| Done | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| <?php | ||
|
|
||
| spl_autoload_register(function ($class) { | ||
| $base_dir = __DIR__ . '/src/'; | ||
|
|
||
| $file = $base_dir . str_replace('\\', '/', $class) . '.inc'; | ||
| if (file_exists($file)) { | ||
| require $file; | ||
| } | ||
| }); | ||
|
Comment on lines
+3
to
+10
There was a problem hiding this comment. Can you not move this into the base test file? There was a problem hiding this comment. Not sure |
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| <?php | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| namespace NS1; | ||
|
|
||
| use NS2\Interface1; | ||
|
|
||
| class Class1 implements Interface1 | ||
| { | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| <?php | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| namespace NS2; | ||
|
|
||
| interface Interface1 | ||
| { | ||
| } |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like the wrong solution. You're resetting the file pointer but
phar_copy_file_contentsalready used it.I believe the right solution is to:
phar_copy_file_contents/* save for potential restore on error */block that moves the file pointers as this recovery mechanism isn't implemented as far as I see.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's hard for me to understand why phar codes use
cfp, so I use this strange solution to avoid break other features.Also, there are many memcpys (like newentry <- entry here), dont know why, so I chose to not modify
phar_copy_file_contents