Skip to content

Commit fa331a3

Browse files
remicolletremicollet
committed
Fix GH-19688: Remove pattern overflow in zip addGlob()
From php/php-src@901f71e#diff-7ee66c4f1536ac84dc5bbff1b8312e2eef24b974b3e48a5c5c2bcfdf2eb8f3ce
1 parent 9304660 commit fa331a3

9 files changed

Lines changed: 32 additions & 7 deletions

File tree

package.xml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,8 @@
2929
<notes>
3030
- compatibility with 8.5
3131
- Fix leak when path is too long in ZipArchive::extractTo(). (nielsdos)
32+
- Fix memory leak in zip when encountering empty glob result. (nielsdos)
33+
- Fixed bug GH-19688 (Remove pattern overflow in zip addGlob()). (nielsdos)
3234
</notes>
3335
<contents>
3436
<dir name="/">

php5/php_zip.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1968,7 +1968,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
19681968
php_basename(Z_STRVAL_PP(zval_file), Z_STRLEN_PP(zval_file), NULL, 0,
19691969
&basename, (size_t *)&file_stripped_len TSRMLS_CC);
19701970
file_stripped = basename;
1971-
} else if (opts.remove_path && !memcmp(Z_STRVAL_PP(zval_file), opts.remove_path, opts.remove_path_len)) {
1971+
} else if (opts.remove_path && Z_STRLEN_PP(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_PP(zval_file), opts.remove_path, opts.remove_path_len)) {
19721972
if (IS_SLASH(Z_STRVAL_PP(zval_file)[opts.remove_path_len])) {
19731973
file_stripped = Z_STRVAL_PP(zval_file) + opts.remove_path_len + 1;
19741974
file_stripped_len = Z_STRLEN_PP(zval_file) - opts.remove_path_len - 1;

php7/php_zip.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1896,7 +1896,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
18961896
basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
18971897
file_stripped = ZSTR_VAL(basename);
18981898
file_stripped_len = ZSTR_LEN(basename);
1899-
} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
1899+
} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
19001900
if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
19011901
file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
19021902
file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;

php73/php_zip.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1899,7 +1899,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
18991899
basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
19001900
file_stripped = ZSTR_VAL(basename);
19011901
file_stripped_len = ZSTR_LEN(basename);
1902-
} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
1902+
} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
19031903
if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
19041904
file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
19051905
file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;

php74/php_zip.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1884,7 +1884,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
18841884
basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
18851885
file_stripped = ZSTR_VAL(basename);
18861886
file_stripped_len = ZSTR_LEN(basename);
1887-
} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
1887+
} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
18881888
if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
18891889
file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
18901890
file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;

php8/php_zip.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1786,7 +1786,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
17861786
basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
17871787
file_stripped = ZSTR_VAL(basename);
17881788
file_stripped_len = ZSTR_LEN(basename);
1789-
} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
1789+
} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
17901790
if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
17911791
file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
17921792
file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;

php81/php_zip.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1806,7 +1806,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
18061806
basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
18071807
file_stripped = ZSTR_VAL(basename);
18081808
file_stripped_len = ZSTR_LEN(basename);
1809-
} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
1809+
} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
18101810
if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
18111811
file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
18121812
file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;

php85/php_zip.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1742,7 +1742,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
17421742
basename = php_basename(Z_STRVAL_P(zval_file), Z_STRLEN_P(zval_file), NULL, 0);
17431743
file_stripped = ZSTR_VAL(basename);
17441744
file_stripped_len = ZSTR_LEN(basename);
1745-
} else if (opts.remove_path && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
1745+
} else if (opts.remove_path && Z_STRLEN_P(zval_file) > opts.remove_path_len && !memcmp(Z_STRVAL_P(zval_file), opts.remove_path, opts.remove_path_len)) {
17461746
if (IS_SLASH(Z_STRVAL_P(zval_file)[opts.remove_path_len])) {
17471747
file_stripped = Z_STRVAL_P(zval_file) + opts.remove_path_len + 1;
17481748
file_stripped_len = Z_STRLEN_P(zval_file) - opts.remove_path_len - 1;

tests/gh19688.phpt

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
--TEST--
2+
GH-19688 (Remove pattern overflow in zip addGlob())
3+
--SKIPIF--
4+
<?php
5+
if (!extension_loaded('zip')) die('skip');
6+
?>
7+
--FILE--
8+
<?php
9+
$dir = __DIR__ . '/';
10+
$testfile = $dir . '001.phpt';
11+
$zip = new ZipArchive();
12+
$filename = $dir . '/gh19688.zip';
13+
$zip->open($filename, ZipArchive::CREATE | ZipArchive::OVERWRITE);
14+
$options = array('remove_path' => $dir . 'a very long string here that will overrun');
15+
$zip->addGlob($testfile, 0, $options);
16+
var_dump($zip->getNameIndex(0));
17+
?>
18+
--CLEAN--
19+
<?php
20+
@unlink(__DIR__ . '/gh19688.zip');
21+
?>
22+
--EXPECTF--
23+
string(%d) "%s001.phpt"

0 commit comments

Comments
 (0)